Health records are privileged or confidential communications between patient and health professional. Disclosure of a health record must be made only with the written permission of a patient to a person designated by the patient, such as the patient's attorney or health professional. Case law and subsequent legislation have consistently supported the patient's right to confidentiality. Under the law, all patient communication with the health professional must be kept confidential unless disclosure is specifically authorized by the patient.
The information in health records is considered the property of both the patient and the clinic, but the physical records themselves belong to the clinic. Patients or their agents are entitled to a complete copy of the records, but clinics may charge a reasonable copying fee before releasing the records. Other parties requesting patient records (including licensing or regulatory agencies, credentialing panels, public health agencies, spouses, and employers) must first obtain the patient's consent.
Guidelines to minimize risk when releasing information from a patient’s records:
The Health Insurance Portability and Accountability Act (HIPAA) requires any health professional who transmits health information in an electronic transaction to use a standard format and to abide by certain privacy requirements. HIPAA exempts health professionals who transact personal health information only in a paper format. If the health professional conducts some covered transactions of personal health information electronically and some in a paper format, then all transactions (paper or electronic) must comply with HIPAA.
Additionally, the HIPAA privacy rule requires activities such as the following: