Medical records are the property of those who prepare them (medical professionals) and not the property of those about whom they are concerned (patients). However, patients have a privacy right in the information contained in the records. These two interests may or may not conflict when it comes to releasing medical records to outside or third parties, who may also have another interest at stake. Once these basic and often competing interests are separated and assessed, it becomes easier to understand the issues that may surround the right to request, view, copy, or protect medical records and medical information.
Although medical records belong to the medical professionals/entities who create or prepare them, patients generally have a right to review them, demand copies of them, and to demand their confidentiality, i.e., prohibit release of information contained in them (with limited and specific exceptions). Where does a patient get the authority to control the release of documents that belong to others? The patient's rights are dependent upon who created the documents, who wants to view them, and why their release is warranted.
Common Law Duty of Confidentiality
First and foremost, there is the COMMON LAW concept of "doctor-patient confidentiality" that binds a medical professional from revealing or disclosing what he or she may know about a person's medical condition. The professional duty of confidentiality covers not only what a patient may reveal to the doctor, but also what a doctor may independently conclude or form an opinion about, based on his or her EXAMINATION or ASSESSMENT of the patient. Confidentiality covers all medical records (including x-rays, lab-reports, etc.), as well as communications between patient and doctor, and generally includes communications between the patient and other professional staff working with the doctor. Once a doctor is under a duty of confidentiality, he or she cannot divulge any medical information to third persons without the patient's consent. There are noteworthy exceptions to this, discussed below.
At one time (fairly common through the 1970s), a doctor was considered a mere "custodian" of medical records, which were considered the property of the patient (because the personal information contained in them related only to the patient). It was common practice to release to a patient, upon demand, all original records concerning the patient. However, that practice led to some patients destroying their medical records, denying that they had received certain treatments, misrepresenting their conditions for the purpose of obtaining life or health insurance policies, and (in the case of psychiatric patients) sometimes becoming a threat to the community at large after learning what was contained in their records. MEDICAL MALPRACTICE suits and liability for harm caused to third persons became a paramount issue that drove the impetus for establishing a refinement of the law (mostly through CASE LAW).
This change has resulted in a clarification that the actual original medical records belong to those who create or originate them. However, the release to a patient or to third parties of information contained in the medical records (about a particular patient) is generally controlled by the patient (with specific exceptions).
Medical professionals may be required by the request of a patient (or court order, SUBPOENA, etc.), to produce original documents and records for inspection, copying, or review. Usually, this is done in a supervised fashion within the offices or facilities of the creator/originator of the records (the doctor or medical facility). For all intents and purposes, it is more common for the original documents to be simply photocopied and forwarded to the patient or to the party whom the patient designates. It is general practice to not charge for copying or reproducing if the records are not extensive and are being requested by the patient, for the patient's own use.
Constitutional Right to Privacy
The fundamental right to privacy, guaranteed by the Fifth and Fourteenth Amendments to the U.S. Constitution, protects against unwarranted invasions of privacy by federal or state entities, or arms thereof. As early as Roe v. Wade, 410 U.S. 113 (1973), the U.S. Supreme Court acknowledged that the doctor-patient relationship is one which evokes constitutional rights of privacy. Because the Supreme Court has found that a fundamental right of privacy exists as to medical information about a person, private causes of action (against defendants other than federal or state entities) also exist for alleged violations of privacy rights (e.g., "invasion of privacy"). This right would extend to the privacy of any medical information contained in medical records.
But even that right is not absolute, and must be weighed against the state or federal, or outside interest at stake. For example, in Whalen v. Roe, 429 U.S. 589 (1977), a group of physicians joined patients in a lawsuit challenging the constitutionality of a New York STATUTE that required physicians to report to state authorities the identities of patients receiving Schedule II drugs (controlled substances). The physicians alleged that such information was protected by doctor-patient confidentiality, and their patients alleged that such disclosure was an invasion of their constitutional right to privacy. The Supreme Court did not disagree with the lower court's finding that "the intimate nature of a patient's concern about his bodily ills and the medication he takes... are protected by the constitutional right to privacy." However, the high court concluded (after balancing the state's interests) that "Requiring such disclosures to representatives of the State having responsibility for the health of the community does not automatically amount to an impermissible invasion of privacy."
Statutory Privacy Laws
Despite the above two recognized areas of law that purported to shield medical information about a person from unauthorized release or disclosure, there continued to be substantial "gray areas" susceptible to varying interpretations and applications. For example, do "medical records" include dental records, pre-employment physical examination records, self-generated records (documents created or completed by the patients themselves, such as healthcare questionnaires), birth and death certificates? And what about records generated by quasi-medical personnel, e.g., physical therapists or mental health counselors? Further, there appeared to be a developing area of case law that permitted, in fact demanded, the unauthorized release of medical information (i.e., against the patient's wishes and/or without the patient's knowledge) if, without the release, there was a substantial risk of harm to a third person (e.g. by violence of the patient or by communicable or sexually transmitted disease).
To address these concerns, all fifty states have enacted laws that govern the release of medical records. They encompass the recognition of any legal privilege (privileged communications between the health care provider and the patient), any prerequisites to the release of records (almost all require patient consent), and the circumstances under which records or information may be released in the absence of consent.
The Federal Privacy Rule
In the past, physicians could physically secure and shield personal medical records from disclosure, absent consent from their patients. Electronic data-banks have changed all that (as foretold by the Supreme Court in Whalen, above). With the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (which encouraged electronic transmission of patient data), Congress passed concurrent legislation for uniform protection of medical records and personal information. In December 2000, the Department of Health and Human Services (HHS) published its Privacy Rule ("Standards for Privacy of Individually Identifiable Health Information", 65 Fed. Reg. 82462), which became effective on April 14, 2001. The regulation covers health plans, health care clearinghouses, and health care providers that bill and transfer funds electronically. The regulation mandates a final compliance date of April 14, 2003 (small health plans have until April 14, 2004 to comply.) The Privacy Rule includes provisions for the following:
- Ensuring patient access to medical records, ability to get copies and/or request amendments
- Obtaining patient consent before releasing information. Health care providers are required to obtain consent before sharing information regarding treatment, payment, and health care operations. Separate patient authorizations must be obtained for all non-routine disclosures and non-health related purposes. A history of all non-routine disclosures must be accessible to patients.
- Providing recourse for violations through an administrative complaint procedure.
In March of 2002, the Bush Administration proposed amendments to the Privacy Rule that would address several complaints registered by patients and medical facilities alike. Specifically, the impact of the proposed amendments would remove the requirement for express consent in such communications as pharmacists filling prescriptions, patient referrals to specialists, treatments provided or authorized from telephone communications, and emergency medical care. The relaxed consent requirement would only apply to uses and disclosures for treatment, payment, and health care operations (TPOs) purposes. All other uses and disclosures would continue to require express patient consent.
Voluntary Consent for Release of Medical Information
Almost all requests for release of medical records contain a requirement that patient consent be obtained in writing. Medical providers or custodians of medical records may or may not accept facsimile (FAX) transmission of authorizations/signed consent forms. In legal matters, the process may be simplified by a patient authorizing his or her attorney to obtain copies of records (or review originals).
Waiver of Consent for Release of Medical Information
There are ways in which a patient may "waive" the confidentiality of medical records. A common way by filing a lawsuit or claim for PERSONAL INJURY. By doing so, the patient has put his or her physical condition "at issue" in the lawsuit. Therefore, the law presumes that the patient has waived all confidentiality regarding his or her medical condition, and there is an implied authorization to the patient's doctor for disclosure of all relevant information and medical records.
Involuntary Release of Medical Information
In recent years, many courts have held that doctors are supposed to protect third persons who may be harmed by patients. This often results in a duty to release medical records or medical information without either knowledge or consent on the part of the patient. For example, without a patient's permission or knowledge, doctors may warn others or the police if the patient is mentally unstable, potentially violent, or has threatened a specific person. In some states, the duty to report or warn others "trumps" the right to confidentiality or privileged communication with a doctor. Courts will decide these matters by balancing the sanctity of the confidentiality against the foreseeability of harm to a third party.
Under most state laws, birth and death certificates are a matter of public record. The advent of physician-assisted suicides in less than a handful of states (e.g., Oregon) created new concerns for the scope of privacy and confidentiality. Some states have addressed such matters by express legislation, e.g., permitting the registration of physician-assisted deaths directly to state offices rather than to local county offices of vital statistics. Others have permitted dual-systems that incorporate specific codes for "cause of death" on public records, but more thorough explanations on private state records. Many doctors simply list innocuous language, such as "cardiac-respiratory failure," on public records, and leave blank the secondary or underlying cause. Similar issues of limited disclosure often arise on birth records. In some circumstances, personal details such as PATERNITY, marital status, or information regarding a newborn's HIV status may WARRANT the filing of dual records (one requiring more disclosure than the other) for separate purposes and separate viewers, based on a "need to know" criterion.
Disclosures to State or Federal Authorities
Under most state statutes, doctors and health care providers generally have duties to report incidence of certain sexually transmitted diseases, CHILD ABUSE, communicable diseases, HIV/AIDS, or other conditions deemed to be risks to the health and safety of the public at large. Some states have developed registries to track the incidence of certain conditions, (e.g., certain forms of cancer) that may later help researchers discover causes. In registry cases, personal data about the patients is released only to the necessary local, state, or federal personnel, and the data usually does not contain "patient identifiers."
Selected State Disclosure Laws
ALABAMA: Medical records of "notifiable diseases" (those diseases or illnesses that doctors are required to report to state officials) are strictly confidential. Written consent of patient is required for release of information regarding sexually transmitted disease. (Ch. 22-11A-2, 22)
ALASKA: Mental health records may be disclosed only with patient consent/court order/law enforcement reasons (Ch. 47.30.845). In cases of emergency medical services, records of those treated may be disclosed to specified persons.(Ch. 18.08.086). Express language permits disclosure of financial records of medical assistance beneficiaries to the Dept. of Social Services. (Ch. 47.07.074)
ARIZONA: There are mandatory reporting requirements for malnourishment, physical neglect, SEXUAL ABUSE, non-accidental injury, or other deprivation with intent to cause or allow death of minor children, but the records remain confidential outside judicial matters (Ch. 13-3620). Access to other medical records is by consent or pursuant to exceptions outlined in Ch. 36-664.
ARKANSAS: Arkansas has a special privilege permitting doctors to deny giving patients or their attorneys or guardians certain medical records upon a showing of "detrimentality" (Ch.16-46-106). Otherwise, access by patients and their attorneys are covered under Ch. 23-76-129 and 16-46-106.
CALIFORNIA: Doctors may withhold certain mental health records from patients if disclosure would have an adverse effect on patient. (H&S Section 1795.12 and.14).
COLORADO: Doctors are permitted to withhold from patients psychiatric records that would have a significant negative psychological impact; in those cases, doctors may prepare a summary statement of what the records contain (Ch.25-1-801). There are mandatory disclosure requirements for certain diseases (Ch 25-1-122).
CONNECTICUT: Limited disclosure of mental health records (Ch. 4-105) and limited disclosure to state officials (Ch.53-146h; 17b-225).
DELAWARE: Strict disclosure prohibitions about sexually transmitted diseases, HIV infections (Tit. 16-711). However, such diseases must be reported to division of Public Health, by number and manner only (Title 16-702).
DISTRICT OF COLUMBIA: Public mental health facilities must release records to the patient's attorney or personal physician (21-562).
FLORIDA: Mental health records may be provided in the form of a report instead of actual annotations (455-241). Patient consent is required for general medical records releases except by subpoena or consent to compulsory physical exam pursuant to Civil Rule of Procedure 1.360 (455-241).
GEORGIA: Mandatory disclosure to state officials for child abuse and venereal disease. (Ch. 19-7-5; 31-17-2)
HAWAII: Hawaii Revised Statute 325-2 provides for mandatory disclosure to state officials for communicable disease or danger to public health. Names appearing in public studies such as the Hawaii Tumor Registry are confidential and no person who provides information is liable for it (324-11, et seq.).
IDAHO: There is mandatory disclosure for child abuse cases within 24 hours (16-1619) and sexually transmitted diseases (39-601). Both doctors and nurses may request protective orders to deny or limit disclosure (9-420).
ILLINOIS: Mandatory disclosure to state officials for child abuse and sexually transmitted diseases (325 Illinois Compiled Statutes Annotated 5/4).
INDIANA: Insurance companies may obtain information with written consent (Ch 16-39-5-2). Mandatory disclosure to state officials for child abuse and sexually transmitted diseases (31-6-11-3 and 4) (16-41-2-3).
IOWA: Mandatory disclosure to state officials of sexually transmitted diseases (Ch. 140.3 and 4).
KANSAS: Mandatory disclosure to state health officials of AIDS (65-6002(c)). Mental health records only released by patient consent, court order, or consent of the head of mental health treating facility (59-2931).
KENTUCKY: Either patient or physician may ask for PROTECTIVE ORDER (422-315). Patients must make written requests for records (422.317).
LOUISIANA: Louisiana Code of EVIDENCE, Article 510 waives health care provider-patient privilege in cases or child abuse or molestation. Mandatory disclosure of HIV information (Ch.1300-14 and 1300-15).
MAINE: Doctors may withhold mental health records if detrimental to patient's health (22-1711.20-A Maine Revised Statutes Annotated, Section 254, Subsection 5, requires schools to adopt local written policies and procedures).
MARYLAND: Physicians may inform local health officers of needle-sharing partners or sexual partners in cases of transmittable diseases (18-337).
MASSACHUSETTS: Any injury from the discharge of a gun or a burn affecting more than five percent of the body, rape or sexual ASSAULT triggers mandatory disclosure law (Ch. 112-12A). No STATUTORY privilege.
MICHIGAN: Mandatory disclosure to state officials for communicable diseases (MCL.333.5117).
MINNESOTA: Minnesota Statutes Annotated 144.335 authorizes withholding mental health records if information is detrimental to well-being of patient. Sex crime victims can require HIV testing of sex offender and have access to results (611A.07).
MISSISSIPPI: Patient WAIVER is implied for mandatory disclosures to state health officials. Peer review boards assessing the quality of care for medical or dental care providers may have access to patient records without the disclosure of patient's identity (41-63-1, 63-3).
MISSOURI: Information concerning a person's HIV status is confidential and may be disclosed only according to Section 191.656.
MONTANA: Mandatory disclosure to state officials for sexually transmitted disease. (Ch. 50-18-106). Recognized exceptions for release of records without patient consent (e.g. mental INCOMPETENCY) are covered under 50-16-530.
NEBRASKA: Nebraska Revised Statutes 81-642 requires reporting of patients with cancer for the Dept. of Health's Cancer Registry. The Dept. also maintains a Brain Injury Registry (81-651). Mandatory disclosure to state officials for sexually transmitted disease. (71-503.01).
NEVADA: Mandatory disclosure to state officials for communicable disease. (441A.150) There is a state requirement to forward medical records (with or without consent) upon transfer to a new medical facility (433.332; 449,705).
NEW HAMPSHIRE: New Hampshire maintains that medical records are the property of the patient (332:I-1) Mandatory disclosure to state officials for communicable disease (141-C:7).
NEW JERSEY: Limited right of access to mental health records for attorneys and NEXT OF KIN. Mandatory disclosure to state officials for child abuse (9:6-8.30), pertussis vaccine (26:2N-5), sexually transmitted disease.(26:4-41), or AIDS (26:5C-6).
NEW MEXICO: Mandatory disclosure of sexually transmitted diseases (24-1-7).
NEW YORK: Records concerning sexually transmitted disease or ABORTION for minors may not be released, not even to parents (NY Pub. Health 17).
NORTH CAROLINA: North Carolina General Statute 130A-133, et seq. provides for mandatory disclosure to state officials for communicable disease.
NORTH DAKOTA: Mandatory disclosure to state officials for child abuse, communicable diseases, or chronic diseases that impact the public (23-07-01, 50-25.1-01).
OHIO: Mandatory disclosure to state officials for child abuse (2151-421), occupational diseases (3701.25), contagious disease including AIDS (3701.24), or cases to be included on the Cancer Registry (3701.262).
OKLAHOMA: Mandatory disclosure to state officials for child abuse, communicable or venereal diseases (23-07-01, 50-25.1-01).
OREGON: Oregon Revised Statute 146-750 provides for mandatory disclosure of medical records involving suspected violence, physical injury with a knife, gun, or other deadly weapon.
PENNSYLVANIA: Mental health records in state agencies must remain confidential (Title 50-7111).
RHODE ISLAND: Mandatory disclosure to state officials for occupational disease (Ch. 23-5-5), communicable or venereal diseases (23-8-1, 23-11-5).
SOUTH CAROLINA: Mandatory disclosure to state officials for sexually transmitted disease (z016744-29-70). There is also express privilege for mental health provider-patient relationships under Ch. 19-11-95.
SOUTH DAKOTA: Mandatory disclosure to state officials for venereal disease (34-23-2) or child abuse or neglect (26-8A-3).
TENNESSEE: There are also requirements for mandatory disclosure to state officials for communicable disease (68-5-101) or sexually transmitted diseases (68-10-101).
TEXAS: There are mandatory disclosure requirements for bullet or gunshot wounds (Health & Safety 161.041), certain occupational diseases (Health & Safety 84.003) and certain communicable diseases (Health & Safety 81.041).
UTAH: There are mandatory disclosure requirements for suspected child abuse (62A-4A-403), communicable and infectious diseases (including HIV and AIDS) (26-6-3).
VERMONT: Records concerning sexually transmitted disease require mandatory reporting (Title 18-1093). Any HIV-related record of testing or counseling may be disclosed only with a court order evidencing "compelling need." (Title 12-1705).
VIRGINIA: Mental health professionals may withhold records from patient if release would be injurious to patient's health. (8.01-413).
WASHINGTON: Mandatory disclosure to state officials for sexually transmitted disease (70.24.105) child abuse (26.44.030) or tuberculosis (70.28.010).
WEST VIRGINIA: Mandatory disclosure to state officials for venereal, communicable disease (Ch. 16-4-6; 16-2A-5; 26-5A-4), suspected child abuse (49-6A-2), gunshot and other wounds or burns (61-2-27).
WISCONSIN: There are mandatory reporting requirements for sexually transmitted diseases (252.11), tuberculosis (252.07), child abuse (48.981) and communicable diseases (252.05).
WYOMING: Rather than expressly creating a statutory privilege, Wyoming addresses the matter by limiting doctors' TESTIMONY to instances where patients have expressly consented or where patients voluntarily TESTIFY themselves on their medical conditions (putting their medical conditions "at issue") (Ch. 1-12-101). There are mandatory reporting requirements for sexually transmitted diseases, child abuse, and communicable diseases (14-3-205, 35-4-130, 35-4-103).
"Confidentiality of Death Certificates." Issues in Law & Medicine, Winter 1998.
"Medical Records." National Survey of State Law, 2nd ed. Richard A. Leiter, Ed. Gale: 1997.
Standards for Privacy Rule of Individually Identifiable Health Information, 65 Fed. Reg 82462, 2001. Available at .
"Standards for Privacy Rule of Individually Identifiable Health Information-Proposed Rule Modification." FDCH Regulatory Intelligence Database, 21 March 2002.
Did this raise a question for you?