Guideline: Health Records Release

Protecting patients’ health information is a top concern for chiropractic organizations. As such, these practices should have written policies and procedures for the release of health records that comply with both state and federal laws. In most cases, patients must provide written authorization to permit the disclosure and use of their protected health information (PHI) for:

  • Legal, marketing, sales, and research purposes

  • Life insurance requests

  • Psychotherapy note requests

  • Requests from any third party not involved in the patient’s care and treatment

According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), authorization to use or disclose PHI is not required for:

  • Treatment purposes (e.g., referral to a specialist)

  • Payment for health treatment or care

  • Healthcare operations (e.g., certain administrative, financial, legal, and quality improvement activities of a covered entity — i.e., a healthcare provider, a health plan, or a healthcare clearinghouse — that are necessary to run its business and to support the core functions of treatment and payment)

  • Certain legal circumstances, public health activities, and judicial or administrative proceedings (e.g., reporting child abuse or neglect, communicable diseases, or gunshot or knife wounds)


However, chiropractors should be cognizant of their states’ laws before they develop policies addressing the release of PHI. Some states may have privacy regulations that are more stringent than federal regulations for the release of PHI and provide greater access to patients. Therefore, it’s best to seek legal counsel to confirm those applicable state regulations.


The objectives of this guideline are to:

  • Discuss who is authorized to consent to the release of health records or PHI

  • Explain the minimum requirements for a HIPAA-compliant records release authorization form

  • Provide guidance related to the release of sensitive information, such as details about sexually transmitted diseases, drug/alcohol abuse, or psychotherapy notes

  • Examine issues related to the release of minors’ health records

  • Review the potential denial of a records release request

  • Provide information related to charging fees for copies of health records

  • Discuss other records release considerations, such as maintenance of original records, tracking disclosures of PHI, and documenting the release of health records


Chiropractic organizations are required to implement and maintain written policies and procedures that guard against unauthorized or inadvertent use or disclosure of patients’ PHI. These policies and procedures should specify who is authorized to consent to the release of health records.

Further, organizations should have written policies for patients that explain in plain language the authorization process and the necessary steps for releasing health records.

Patients and Patient-Authorized Representatives

Patients or their authorized representatives must consent to the use or disclosure of PHI for purposes other than treatment, payment, or the healthcare operations of the organization, except when a disclosure is required by law.

First and foremost, each organization’s health records release policy should address who may request and receive a copy of a patient’s health record. In addition to the patient, other individuals also might be legally authorized to request the release of PHI. Although state specific, a legally authorized representative usually is one of the following:

  • A legal guardian

  • An individual who holds a healthcare or durable power of attorney that includes healthcare powers

  • A birth or adoptive parent (of a minor patient)

Another example of a legally authorized representative is the executor of an estate. When a patient is deceased, the executor of the estate takes precedence over other legally authorized representatives.


However, HIPAA Privacy Rule 45 CFR § 164.510(b) also permits disclosure of PHI to a decedent's family members and others who were involved in the care — or payment for care — of the decedent prior to death, unless disclosure would be inconsistent with any prior expressed preference of the deceased individual or state law.[1]

Note specifically that, even if a patient dies, the healthcare organization must still protect the patient’s PHI. HIPAA requires protection of a decedent’s PHI for a period of 50 years from the date of death.[2] Disclosure of decedents’ PHI also must comply with state laws.

Chiropractic organizations should have processes in place for staff to follow in the event that any questions arise about whether a person is a patient’s legally authorized representative. Staff should be trained to ask for verification of the identity and the authority of the individual making the request.

Legal, Judicial, and Military Entities

In certain circumstances, law enforcement agencies can compel the release of patient information. Staff should be aware of these circumstances and document them in the written policies for release of health records and PHI.


Before the release of PHI to a law enforcement agency, consult an attorney to review state and federal laws to ensure disclosure is appropriate. Unless a statute specifically compels disclosure, law enforcement officers may not have a right to review a patient’s healthcare information.

HIPAA permits disclosure of PHI without the patient’s consent if it is related to a legitimate law enforcement inquiry — for example, to assist law enforcement in identifying a suspect or victim, amid concerns about national security activities, and in relation to allegations of healthcare fraud. Chiropractic organizations, however, should ensure that release is also permissible under state law.

All permissible law enforcement inquiries should be in writing and specify the scope of information requested and the purpose of the inquiry. Only information specifically related to the inquiry should be released.

A request for release of health information also may occur during the course of a judicial or administrative proceeding. HIPAA states that a covered entity may disclose PHI in the course of any judicial or administrative proceeding that is:

  • In response to an order of a court or administrative tribunal (but only to the extent expressly authorized by such order)

  • In response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, if (a) the covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to notify the subject of the PHI about the request, or (b) the covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to secure a qualified protective order[3]

The chiropractic organization’s health records release policy also should incorporate any state laws that stipulate or prohibit circumstances in which attorneys may subpoena the release of health information without production of a signed authorization.

Additionally, HIPAA specifically precludes individuals serving in the military from barring release of their health information to military authorities.[4]


When a patient or his/her legally authorized representative requests the release of PHI, the requestor must complete and sign a HIPAA-compliant authorization form. At minimum, the authorization form should include:

  • The patient’s full name, birthdate, health record number, address, and phone number. The form also might include a unique patient identifier or social security number (whole or last four digits). However, patients are not required to provide social security numbers as part of the initial patient registration process.

  • The name or other specific identification of the person(s) authorized to make the requested use or disclosure of the patient’s PHI.

  • The name or other specific identification of the person(s) who may use the PHI or to whom the covered entity may make the requested disclosure.

  • A description of each purpose of the requested use or disclosure of PHI. The statement, “at the request of the individual,” may be used when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. 

  • Specific PHI that is being authorized for release.

  • An expiration date or an expiration event that relates to the individual or to the purpose of the use or disclosure.

  • A statement regarding the individual’s right to revoke the authorization and the steps that must be taken to do so. 

  • A statement that the covered entity may not condition treatment on the provision of an authorization, except for certain permitted research purposes.

  • A statement that the information might be subject to re-disclosure and might no longer be protected by federal or state privacy laws.

  • Signature of the patient, the patient’s authorized legal representative, or an officer of the court who has authority to compel the release of PHI.

Once the written authorization is obtained, it should be documented in the patient’s health record. The chiropractic organization also should provide the patient with a copy of the written authorization. Further, the organization should have a written policy clarifying oral requests for release of health records. HIPAA and most state laws mandate that a valid authorization must be in writing.


As part of health records release policies and procedures, chiropractic organizations should implement mechanisms designed to prevent the improper release of sensitive information, such as PHI related to sexually transmitted diseases, HIV/AIDS status, or drug/alcohol abuse.


Chiropractic organizations’ health records release policies should include written guidance on the release of records for minors and disabled individuals who require guardians.

Generally, a child’s legal guardian or natural/adoptive parent (even if divorced, separated, or never married) can obtain copies of most records by signing a written authorization — unless a court order forbids access to the records by any of these parties. If a minor patient’s parents are divorced (and possibly disagreeing about who is authorized to have access to the patient’s health record), a staff member may verify custody by asking the parents to provide specific legal documentation to ensure release to the correct guardian/parent.

In addition, these parties cannot access copies of the child’s records related to care for which the minor has exercised his/her right to consent (determined by state law) if the minor has not agreed to allow disclosure to the parents.

Unless a stepparent adopts a child or has been legally appointed as the child’s guardian, the stepparent has no legal right of access to the records. The child’s parent can sign an authorization form allowing the stepparent access to the records. However, before implementing such a policy, consult legal counsel to ensure it complies with state laws. 

If a minor is emancipated, married, or authorized to consent to healthcare without parental consent according to federal or state law, only the minor can authorize release of healthcare information pertaining to his/her care.



In addition to stating criteria for the release of PHI, health records release policies should stipulate the circumstances in which access to health records might be denied. Depending on the situation, grounds for denial may be unreviewable or reviewable. For more information, see the HIPAA Privacy Rule 45 CFR § 164.524(a) (2), (3).

All denials must be timely and provided to the patient in writing, with a plain language description of the basis for denial. Additionally, written denials must contain statements of the individual’s rights to have the decision reviewed and how to request such a review. The notice must also inform the individual of how to file a complaint with the organization or the Secretary of the U.S. Department of Health and Human Services.


Health records release policies should clearly state whether charges will be levied for health record copies. However, the policy should acknowledge that it is unethical and, in some states, prohibited to refuse to provide copies of records because a patient’s account shows an outstanding balance or the patient refuses to pay for the records at the time of receipt.

HIPAA and most state laws limit the amount that can be charged for duplication and searching services. HIPAA permits a cost-based fee only if the individual requests a copy of the PHI. The fee may include only the cost of (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.[5]

HIPAA prohibits charging patients for handling fees, chart-pulling fees, or per-page fees in excess of the direct cost of materials, even if state laws permit it.[6] According to HIPAA, individuals must agree to these charges in advance. 


Chiropractic organizations should develop policy statements that specifically define what they consider a “legal patient record.” These policy statements will help organizations track, preserve, and retain electronic records for business, legal, and compliance purposes. Important considerations include:

  • When are patient health records considered complete for accreditation/compliance purposes?

  • What data are disclosed upon request for health records?

  • What authorizations are required for release of PHI?

Establishing a clear definition of the legal patient record and specific policies related to documentation will help chiropractic practices respond to requests for disclosure; comply with state and federal health record retention schedules; and safeguard records against breaches, tampering, and destruction.


To define a legal patient record, HIPAA uses the term “designated record set,” which is a group of records maintained by or for a healthcare practice that includes (1) health and billing records about individuals maintained by or for a healthcare provider; (2) enrollment, payment, claims adjudication, and case or medical management records maintained by or for a health plan; or (3) records used in whole or in part by or for the provider to make decisions about patients.[7] Additionally, records of third parties may make up the “designated record set” if the records include information that the healthcare provider has used or relied upon in the treatment of that patient.[8]

Other considerations also should be included in chiropractic organizations’ policies for release of PHI. For example, these policies should:

  • Acknowledge the chiropractor’s obligation to maintain the original health records, but to promptly provide copies in response to valid requests. (Note: No patient is entitled to original records.)

  • Acknowledge that unless the patient or authorized requesting party states otherwise, records of other providers that are included in the patient’s health record are considered part of the record and should be included in the material copied and provided.

  • Clarify what information Labor and Industries may obtain if a patient has filed a workers’ compensation claim.

The chiropractic organization also should determine how access to health records will be monitored and how to implement an effective system for tracking and documenting uses and disclosures of PHI to comply with accounting of disclosure requests. If an electronic health record system is in place, staff should run regular reports to review compliance with health records release policies.



Protecting patients’ health information is imperative. To carefully guard against the unauthorized release of PHI, chiropractic organizations should have written policies and procedures for the release of health records.

These policies and procedures should comply with both state and federal laws, and they should clearly outline who is authorized to consent to the release of PHI, the process for authorizing release, and any special considerations related to record release.



[1] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.510(b) (5) 2013.

[2] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.502(f) 2013.

[3] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.512(e) (1) 2016.

[4] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.512(k) (1) 2016.

[5] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.524(c) (4) 2013.

[6] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.512(c) (4) 2016.

[7] HIPAA Privacy and Security Rule, 45 C.F.R. § 164.501 2013.

[8] American Health Information Management Association. (2011, February). Fundamentals of the legal health record and designated record set. Journal of AHIMA 82, 2: expanded online version.

© 2021 MedPro Group Inc. All rights reserved.