HIPAA Handling Patient Requests for Medical Record Restriction

September 26th, 2018

Healthcare compliance professionals frequently face confusing situations about sharing of protected health information (PHI).  The Health Insurance Portability and Accountability Act (HIPAA) supports the protection of privacy of medical records. However, even when a patient does not authorize sharing of his record, there are permitted uses and disclosures, such as for the purpose of treatment, payment, or healthcare operations (TPO). 

The U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) provide a series of topical fact sheets on HIPAA Permitted Uses and Disclosures with examples of when PHI can be exchanged under HIPAA without first requiring a specific authorization from the patient. Please note that state laws may also apply. 

Permitted Uses and Disclosures for Health Care Operations 

The ONC issued a useful fact sheet explaining Permitted Uses and Disclosures for Health Care Operations.  For activities that fall within HIPAA’s definition of “healthcare operations,” an entity covered by HIPAA (Covered Entity), such as a physician or hospital, can disclose PHI to another Covered Entity (or a contractor working for that covered entity, i.e., Business Associate). A Covered Entity (CE) can disclose PHI (orally, on paper, by fax, or electronically) to another CE or that CE’s Business Associate for the following subset of healthcare operations activities without needing patient consent or authorization:  

45 CFR 164.501; 45 CFR 164.506(c)(4). 

Three conditions must be met when sharing PHI for the purposes stated above: 

  1. Both CEs must have or have had a relationship with the patient (can be a past or present patient);
  2. The PHI requested must pertain to the relationship; and 
  3. The discloser must disclose only the minimum information necessary for the healthcare operation at hand.  

What is meant by the term “minimum necessary”? 

Covered entities are required to have reasonable minimum necessary policies and procedures to limit how much PHI is used, disclosed, and requested for certain purposes. Minimum necessary policies and procedures must also reasonably limit who within the entity has access to PHI, and under what conditions, based on job responsibilities and the nature of the business.  

For example, the minimum necessary standard requires that a CE limit who within the entity has access to PHI, based on who needs access to perform their job duties. If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the employee to do his job, the hospital is not applying the minimum necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee’s conversation about a patient’s condition, would be an unlawful use or disclosure under the HIPAA Privacy Rule. 

Minimum necessary standard is not required among physicians discussing a patient’s medical chart for treatment purposes and does not apply to disclosures, including oral disclosures, among healthcare providers for treatment purposes. 

Permitted Uses and Disclosures for Treatment 

The fact sheet titled “Permitted Uses and Disclosures: Exchange for Treatment” explains how HIPAA supports sharing of PHI between and among healthcare providers in order to treat or coordinate care for their patients. CEs may disclose PHI (orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization. 45 CFR 164.506(c)(2). Treatment is broadly defined to include: 

45 CFR 164.501. 

The disclosing CE is responsible for the PHI until recipient CE has received the information. HIPAA requires disclosing the PHI to the receiving CE in a permitted and secure manner, which includes sending the PHI securely and taking reasonable steps to send it to the right address. The receiving CE is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur.  

Common HIPAA Questions  

How should we ensure that we’re staying compliant with HIPAA Privacy and Security Rules when sharing PHI for purposes of treatment or operations? 

Many issues are covered under HIPAA Privacy and Security.  Here are a few important reminders regarding permitted uses and disclosures:  

What are the reasonable safeguard requirements? 

Reasonable safeguards vary from CE to CE depending on factors, such as the size of the CE and the nature of its business. In implementing reasonable safeguards, CEs should analyze their own needs and circumstances, such as the nature of the PHI it holds, and assess the potential risks to patients’ privacy. CEs should also consider the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards. 

Consider the following examples of appropriate administrative, technical, and physical safeguards: 

To gain more HIPAA insight and practical tips, consider purchasing The Fundamentals, a user friendly, four-module course designed to help healthcare professionals understand the essential principles and practices of compliance.

Julie Sheppard, BSN, JD, CHC, is the president and founder of 1st Healthcare Compliance. With the increase in compliance challenges facing healthcare providers, Julie was inspired to create a practical, comprehensive healthcare compliance solution, and founded First Healthcare Compliance in 2012. Julie is a nurse, an attorney, and certified in Healthcare Compliance by the Compliance Certification Board. www.1sthcc.com


HIPAA Handling Patient Requests for Medical Record Restriction. (2018, September 26). Find-A-Code Articles. Retrieved from https://www.findacode.com/articles/hipaa-handling-patient-requests-for-medical-record-restriction-34327.html

© InnoviHealth Systems Inc

Article Tags  (click on a tag to see related articles)

Complete & Easy HIPAA Compliance

A simple and practical guide to implementing HIPAA, HITECH, and Omnibus Final Rule components. Includes the forms and policies and information you need to meet compliance requirements. Plus over 50 customizable forms!

Publish this Article on your Website, Blog or Newsletter

This article is available for publishing on websites, blogs, and newsletters. The article must be published in its entirety - all links must be active. If you would like to publish this article, please contact us and let us know where you will be publishing it. The easiest way to get the text of the article is to highlight and copy. Or use your browser's "View Source" option to capture the HTML formatted code.

If you would like a specific article written on a medical coding and billing topic, please Contact Us.


innoviHealth Systems, Inc.
62 East 300 North
Spanish Fork, UT 84660
Phone: 801-770-4203 (8-5 Mountain)
free demo
request yours today
free subscription
for any budget

Thank you for choosing Find-A-Code, please Sign In to remove ads.