Q: I’m a physiatrist, so a lot of my patients have ongoing lawsuits over slip-and-falls and MVAs, and we get lots of requests for records. We check that the request came with a HIPAA-compliant authorization or we have the patient fill one out at the office. Once we have that, we just send a copy of the chart. Now, my office manager just got back from a HIPAA course and she says that this is opening us up to liability. I don’t understand this because we make sure to get the authorization.

A: The issue here is the permissible scope of the release of protected health information.   

An authorization acts as a waiver of confidentiality limited to what it specifically lists.  

For example, an authorization for “Records of treatment for injuries resulting from the MVA of (date)” would only definitely waive privacy rights as to diagnostic and therapeutic actions that you undertook.  It could be argued to not extend to notes on the expected length of care or to cover statements of long-term prognosis.  It certainly would not encompass your memorialization of the patient saying that he was distracted by his ringing cell phone just before the accident.  

On the other hand, if the patient had authorized a release for “my records” or “the complete medical record” or “the records from (date) to (date)” then you could just send the full record or the full record within those dates.  

Even in that wider setting, though, you should still redact the comment about the cell phone, since it was not actually required for the medical care.

If you send an inappropriately extensive record, an angry patient who believes that it cost them their case would have the basis for a HIPAA complaint, a Board complaint, or even a lawsuit under state confidentiality law.

Bear in mind that this is not like doctor-patient privilege. Under that doctrine, you cannot be compelled to testify about matters revealed to you that were necessary to render medical care, so the role of the statement being sought determines the extent of that shield. Privilege, though, is an evidentiary issue, while releasing records is a custodial one: you are the fiduciary keeper of the patient’s health information and so are charged with maintaining its confidentiality except to the extent that the patient has waived it.

With these principles in mind, when these requests come in, have your HIPAA-knowledgeable office manager review the actual scope of each authorization and then tell the staff what they may send and what they have to hold back.