Legal FAQs

* Click question to view the answer.

Can a health care provider release records of another health care provider?

Previous recommendations not to re-disclose information were based on the legal issues related to information not created by the current provider; such information may not be a “final” copy or may not match what another provider has. This could cause the accuracy and validity of the medical record to be questioned in a court case, etc. However, HIPAA regulations stipulate that if you keep other providers’ records and use them to make health care decisions, you make those records part of your “designated record set” (see definition below) and release them only under the appropriate conditions for disclosing.

Definition of Designated Record Set

We are not aware of any State law defining a designated record set. The HIPAA definition is:

(1) A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Assuming the information (from another provider) is officially maintained in the designated record set (and has been used to make a decision about the patient), it is PERMISSIBLE under HIPAA to re-disclose it for any disclosure allowed by law or with patient authorization. If a request states, “all medical records,” it is “common practice” to include copies that are “integral” to the facility’s record, such as a physician’s office-created history and physical exam. However, it is not “common practice” to re-release other copies sent to the facility for continuum of patient care. It would be REQUIRED to re-release anything (except for psychotherapy notes) in the designated record set if the patient or their personal representative is exercising their “right to access,” or it is required by law, such as specified in a subpoena or court order. For other permissible disclosures, the facility may want to consider if the requestor is going to be charged a per-page fee and may want to clarify this with the requestor before providing copies they may not want or need (good customer service.

There may be circumstances where a facility would NOT want to re-disclose information without patient authorization, court order, subpoena or other legal process, such as copies of mental health or alcohol and drug rehabilitation records. For this reason, it is advisable to include a statement on all patient authorization forms that “the disclosure may include records of testing or treatment for drug or alcohol abuse, mental health, Human Immunodeficiency Virus (HIV) and/or Acquired Immune Deficiency Syndrome (AIDS), if applicable.”

Alcohol and Drug Rehabilitation Records

If a facility has a federally funded Alcohol and Drug Rehabilitation (A&D Rehab) program, those records have special protection under 42 CFR, Part 2. If the alcohol and drug information is recorded in other records that the facility holds, does this information also have special protection, such as a physician who documents a history of substance abuse and lists drugs the patient has used? What if a copy from the alcohol and drug rehabilitation is used by an acute care hospital (with no A&D program) for treatment…does that still have special protection? There is a potential conflict with HIPAA and other Federal law in that if a facility uses the A&D Rehab copies to make decisions about the patient, it should be made part of the designated record set of that facility subject to the Patient’s Rights under HIPAA Privacy, such as right to access (which excludes psychotherapy notes). Although any facility that is not a dedicated (federally funded) alcohol and drug rehabilitation facility is generally exempt from the special rules under 42 CFR, Part 2, relating to federally funded A&D Rehab facilities, Subpart B, Section 2.32 of this law has a prohibition on redisclosure, unless you have express written consent by the patient or is otherwise prohibited by 42 CFR Part 2. But it also has a section (2.23) stating that patient access of his or her own record is not prohibited. Therefore, “special protection” could conceivably apply to the copies of the record if requested by anyone other than the patient or their legal personal representative unless it is accompanied by “express written consent.” If your authorization form includes appropriate wording for A&D Rehab records, you may be covered. Of note, a subpoena (with reasonable assurances) to a general hospital to produce its copies of A&D Rehab records may not be sufficient for release. A court order may have to be obtained.

Destroying records from other health care providers

Would it be improper to destroy copies of medical records from another facility, if it was unknown if it was used to make a decision about the patient, as delineated by the definition of a “designated record set?” It was agreed that copies of medical records from another facility may be destroyed if it is known that they were not used to make decisions about the patient. One hospital returned any copies received after patient discharge. However, it was generally agreed that the facility would be taking a risk of non-compliance with HIPAA if it destroyed information that may have been used and should be made part of the facility’s designated record set. Therefore, it was recommended to consult with your Privacy Officer, Risk Management department and attorney to assess the risk and decide on a solution for your facility.

Can PHI be released if created after the date of authorization?


If PHI is created after the date the authorization is signed but before the date of expiration of the authorization, under HIPAA regulations, covered entities are permitted to release the information. Covered entities are not required to do so. If an entity so chooses, the entity could contact the patient for another authorization. This should be a policy decision and documented in the HIM Policies and Procedures.

HIPAA Regulations stipulate the following aspects of a valid authorization form:

  • Description of information to be used or disclosed
  • The name of the person/entity or class of persons authorized to make disclosure
  • The name of the person/entity or class of persons authorized to receive the information
  • The purpose of the disclosure. “At the request of the individual” is acceptable if initiated by the individual.
  • An expiration date or event that relates. For research, “end of the research study” or “none” is acceptable.
  • Signature and date. If a “personal representative,” a description of the authority to act on the person’s behalf.

And the following statements:

  1. An individual’s right to revoke the authorization in writing and either
    • The exceptions to the right to revoke and a description of how they may revoke it, or
    • A reference to the facility’s notice of privacy practices which explains the above.
  2. The ability or inability to condition treatment, payment enrollment or eligibility for benefits if the patient does not sign authorization or the consequences of a refusal to sign the authorization
  3. The potential for information disclosed to be subject to re-disclosure by the recipient and no longer protected by the HIPAA Privacy Rule.
  4. The potential for information disclosed to no longer be protected.

Can a foster parent consent to treatment?

If the foster parent can provide documentation that they have been given the authority by the Department of Human Services to consent for treatment or provide authorization for release of information, then yes, a foster parent can consent to treatment for the foster child and PHI can be released to a foster parent. A provider can require legal documentation of the foster care relationship.

For children in foster care, the State of Tennessee is considered their legal guardian and no information should be disclosed to the biological parents of these children. References to Tennessee Law that support this answer are listed below:

  • TCA 37-2-415 (a)(14) indicates that “the department shall permit, through written consent, the ability of the foster parent or parents to communicate with professionals who work with the foster child, including therapists, physicians and teachers that work directly with the child.”
  • TCA 37-2-415(a)(6) states, “The department shall provide a means by which the foster parent or parents can contact the department twenty-four (24) hours a day, seven (7) days a week for the purpose of receiving departmental assistance”

Should my facility/health care organization have a policy permitting email communication between our physicians, other care givers, other staff members and our patients?

Email communication between patients and their health care providers is becoming more and more commonplace. Yes, you should have a policy and procedure addressing this activity. Here are some guidelines you might review – this is not an exhaustive list of resources available through the Internet, but it is a good place to start.

  • AHIMA Practice Brief: E-mail as a Provider-Patient Electronic Communication Medium and its Impact on the Electronic Health Record ( – click HIM Resources)
  • AMA’s Guidelines for Physician-Patient Electronic Communications
  • Phoenix Health Systems: Electronic Communications
  • Vanderbilt University Medical Center, Guidelines for Patient-Physician Electronic Mail
  • The University of Texas Medical Branch, Electronic Mail Containing Protected Health Information (PHI)

Any policy should address when/if email communications will become part of a patient’s medical record or designated record set – refer to HIPAA regulations and JCAHO standards in making this determination. Finally, you should obtain input and approval of the policy from your facility/organization’s legal counsel.

Can I release information in cases of suspected or known child abuse?

T.C.A. 33-3-111 states:

Records of child service recipient not available to person accused of abusing recipient – Exceptions and limitations.

(a) In any case where a person is known to have been accused of physically or sexually abusing or neglecting a service recipient (defined below) who is a child, the service recipient’s record shall not be accessible to the person accused of such abuse or neglect except if:

(1) A court orders access under subdivision § 33-3-105(3) ; or

(2) (A) The child’s qualified mental health professional has determined in the course of such treatment or service, after consultation with the child, the child’s guardian ad litem, and others on the child’s behalf whom the professional deems appropriate, that the release of the child’s record to the accused person would not be harmful to the child, and (B) The accused person is the parent, legal guardian, or legal custodian of the child.

(21) “Service recipient” means a person who is receiving service, has applied for service, or for whom someone has applied for or proposed service because the person has mental illness, serious emotional disturbance, or a developmental disability

Does this law apply to hospital medical records even though it resides in the law that addresses the State Department of Human Services? Does the hospital have to determine if the child is a “service recipient?”

Yes, most health care attorneys believe that this law does apply to hospital medical records, and they advise their client hospitals NOT to release any medical records of a child who is suspected or known to have been abused to the person(s) suspected of the abuse. The hospital does not have to determine if the child is a “service recipient” because any child who is suspected or known to have been abused is automatically a “service recipient”. What if the person suspected of the abuse is cleared of the charge? Can that person bring suit against the hospital for denying him/her copies of their child’s records? Yes, they could. But, one must consider whether the risk of such litigation is outweighed by the potential harm that could be done to the child if records were released to an abusing parent. The bottom line: when there is suspicion of physical or sexual abuse to a child, do not release that child’s record to the person(s) suspected of the abuse, regardless of the relationship of the person(s) to the child. Any known or suspected child abuse or neglect should be reported as described in T.C.A. 37-1-403.

Is it legal to allow physicians within a group practice to sign records for each other?

This is a common question because it has become a common practice in some areas to allow physicians to authenticate entries in medical records for one another. But, the answer is “No;” the legal standards for medical record authentication are clear that the author or originator of the order must authenticate the entry. The purpose of authenticating an entry is to identify the author, to verify the reliability of the entry, and to place responsibility of the entry on the author. The federal Conditions of Participation (42 CFR 482.24) clearly state “All entries must be legible and complete, and must be authenticated and dated promptly by the person (identified by name and discipline) who is responsible for ordering, providing, or evaluating the service furnished”. The Standards of the Joint Commission echo this requirement. Electronic signature is acceptable.

Material contained on this website is not intended to provide legal advice nor to cover all aspects of the material presented. Visitors are encouraged to consult legal counsel concerning matters presented. THIMA has no liability or responsibility to any person or entity with respect to any loss or damage caused by the use of this advice.