What is a Medical Records Release Form?
The HIPAA Privacy Rule governs which uses and disclosures of PHI are permitted by an individual or an organization that is subject to the HIPAA Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164). Individuals and organizations subject to these regulations are generally health plans and health care providers (“covered entities”), but they can also be individuals or organizations that provide a service for or on behalf of a covered entity that involves the receipt, collection, storage, or transmission of PHI.
When a covered entity or a “business associate” wants to use or disclose PHI for a purpose not specifically required or permitted by the HIPAA Privacy Rule, they are required to obtain a signed medical records release form from the subject of the PHI (or their personal representative) stipulating what PHI is being used or disclosed, why it is being used or disclosed, and – if PHI is being disclosed to a third party – who the third party is. It is also possible to apply an expiry event or an expiry date to the medical records release form.
Required Uses and Disclosures of PHI
To help covered entities and business associates better understand when a medical records release form is necessary, it is simpler to list which uses and disclosures of PHI are required or permitted by the HIPAA Privacy Rule. If a use or disclosure is not required or permitted, it is necessary to obtain a signed medical records release form. To confuse the issue, some states (and some covered entities) require a signed medical record release form even when a use or disclosure is permitted by the HIPAA Privacy Rule.
State laws (and covered entities’ policies) notwithstanding, there are two circumstances under HIPAA in which a use or disclosure of PHI is required. The first is when access to PHI is requested by the Department of Health and Human Services (HHS) to investigate a complaint, a HIPAA violation, or a data breach, or to conduct a HIPAA compliance audit. The second is when an individual exercises their rights to obtain a copy of their PHI or request an Accounting of Disclosures to see who their PHI has been disclosed to and what for.
In many states, local laws mandate that injuries related to child abuse or neglect are reported, while some also mandate that injuries related to domestic violence or elder abuse are reported. Several states also require injuries attributable to firearms to be reported regardless of whether they were intentional or accidental. The Privacy Rule permits uses and disclosures of this nature under §164.512 – “Uses and disclosures for which a medical records release form or opportunity to agree or object is not required”.
Permitted Uses and Disclosures of PHI
Most permitted uses and disclosures of PHI relate to the treatment of patients and treatment-related transactions (i.e., eligibility checks, treatment approvals, and payment claims). Covered entities are also permitted to use PHI for “health care operations”. These operations include, but are not limited to, quality assessments, competence reviews, medical training programs, and business planning. In these circumstances, there is usually no limit to the amount of PHI that can be used or disclosed.
In most other permitted uses and disclosures of PHI, the “minimum necessary standard” applies. This standard stipulates that, unless a patient a signed a medical records release form, uses and disclosures of PHI must be limited to the minimum necessary to achieve the intended purpose of the use or disclosure. In the context of when a medical records release form is required, there are two Privacy Rule standards to which the minimum necessary standard most often applies:
45 CFR §164.510 – Uses and disclosures requiring an opportunity for the individual to agree or object.
45 CFR §164.512 – Uses and disclosures for which a medical records release form or an opportunity to agree or object is not required.
This standard covers multiple pages of the HIPAA Administrative Simplification Regulations and, because many of the permitted uses and disclosures are incident-specific, it is not practical to cover every one. However, those that arise most often include:
- Uses and disclosures required by law (as discussed previously)
- Uses and disclosures for public health activities
- Disclosures to the FDA to report adverse events
- Disclosures to employers to support OSHA compliance
- Disclosures in response to a court order or subpoena
- Disclosures for certain law enforcement purposes
- Disclosures to coroners, medical examiners, and funeral directors
- Disclosures to avert a serious threat to health or safety
When is a Medical Records Release Form Required?
A medical records release form is required for uses and disclosures of PHI in all circumstances not required or permitted by the Privacy Rule. Examples of these circumstances include when a health care provider wants to use a patient’s psychiatry notes for a purpose other than treatment, training, or litigation (as these uses are permitted), or when a health plan wants to use a plan member’s PHI for marketing. A medical records release form may also be required when a covered entity feels one is necessary.
The minimum necessary elements of what must be included in a medical records release form are stipulated in 45 CFR §164.508(c) of the Privacy Rule. Most release forms include more than the minimum necessary elements to satisfy the requirements of state laws or because a covered entity feels they are necessary. However, whatever elements are included in a medical records release form, it is important that the subject of the PHI being used or disclosed understands the form in order that they can give their informed consent.
We have produced an example medical records release form which covered entities are invited to download, review, and use as necessary. The form includes the minimum necessary elements to comply with HIPAA and additional elements covered entities and business associates may wish to adopt in their own forms. Additionally, the form complies with Californian requirement that medical records release forms are a minimum of 14 point type to help individuals and their personal representatives better understand them.
If you have any questions about the HIPAA medical records release forms requirements, about what additional requirements are required in your state, or about how you can best adopt the elements of our example medical records release form, it is recommended you seek professional compliance advice.