A Brief Overview of Federal and State Laws Applicable to Requests for Medical Records
By Kenneth M. Brown, Esq. & Peter Espey, Esq.
Wilson Elser Moskowitz Edelman & Dicker LLP, Florham Park, NJ

Practicing psychiatrists face many questions when presented with a request for medical records. In addition to the innate sensitivity of their records, psychiatrists may encounter additional complexities if the request is made on behalf of a minor. Given the highly technical nature of federal laws and the potential interplay of state laws, psychiatrists should tread carefully when responding to requests for medical records. This article provides an overview of the applicable federal regulation and a brief review of some state-specific approaches to such requests. All physicians may want to seek guidance from an attorney or a risk management professional to establish a plan for dealing with requests generally or responding to particularly complex requests.

HIPAA and Records Requests Generally

The federal Health Insurance Portability and Accountability Act (HIPAA) generally applies to requests for a patient’s medical records. HIPAA does not apply to all physicians, but does broadly apply to those who transmit “protected health information” (PHI) electronically. Physicians should keep in mind that state laws may provide greater privacy protection than those required by HIPAA.

medrecords_insession_wint17_smallThe definition of PHI is broad and encompasses the information included in a patient’s medical records. A series of regulations created pursuant to HIPAA, known as the Privacy Rule, governs the disclosure of PHI such as medical records. In the context of the Privacy Rule, there is a difference between consent and authorization. Consent allows a patient to ratify a physician’s disclosure of PHI for the purposes of treatment, payment or health care operations.A physician may ask a patient for consent in these situations, but it is not mandatory. For example, a physician may discuss a patient’s medical condition with another treating doctor without asking the patient for approval. As explained below, although this is the case under HIPAA, there may be higher levels of protection under your state’s laws.

In contrast, written and signed authorization generally must be obtained in all other situations involving release of a patient’s records. For example, there are regulations and state laws applicable to requests for records via a subpoena or from a court. A subpoena from an attorney should include a statement or indication that the attorney requesting records made reasonable efforts to give notice to the patient and an opportunity to object or that reasonable efforts have been made to secure a protective order. A physician may want to contact the patient or the patient’s attorney before releasing records requested by a subpoena to confirm in writing that the subpoena was received and the patient has no objection.

A court order need not be accompanied by an authorization. The physician may only provide PHI to the extent expressly authorized by the court order.2

HIPAA Part 2 Confidentiality Protections in Substance Use Treatment

Another set of federal regulations also applies to treatment for substance use. These regulations are commonly referred to as “Part 2” and predate HIPAA. Part 2 applies to all identifiable patient information for patients in a substance use program subject to federal regulation or a program which receives any assistance from a federal agency or department. There is a complex interplay between the Privacy Rule and Part 2; however Part 2 is generally more restrictive with regard to the release of patient information. Generally, a signed authorization is required before a physician may release any information about a patient’s substance use treatment.

Part 2 also requires that a minor sign an authorization before the release of information pertaining to his substance use treatment even if the information is being released to his parents. There are a few exceptions to the general requirements for a signed authorization, such as an initial report of child abuse or communications with medical personnel during a medical emergency. It is important to have a thorough understanding of these regulations or consult a risk management professional before releasing records pertaining to substance use.

Medical Records and Minors

Generally, a parent can sign an authorization for an unemancipated minor with some notable exceptions. Consistent with HIPAA, state laws can still prohibit disclosing a patient’s records or PHI to his or her parents. In general, states can enact more stringent privacy protections than those provided under HIPAA and the applicable federal regulations.

It should be noted that the age of consent may differ for mental health and substance use treatment. For example, in Pennsylvania any minor fourteen years of age or older may give consent to any outpatient mental health treatment.3 New Jersey law allows a minor of any age who believes he is suffering from alcohol or drug dependency to give consent for treatment by a physician.4 Thus, it is important to know your specific state’s laws on when patient consent is required to release information.

If the minor patient has consented to treatment by the physician and no other consent is required, his or her parents do not automatically function as a personal representative with authority to sign an authorization. However, the patient still can agree to allow a parent or parents to act as a personal representative.5 If the parent has agreed to confidentiality between the patient and the physician, the parent also does not constitute a personal representative with authority to sign an authorization. As regulations concerning consent differ between states, it is important to be aware of your specific state’s regulations on age of consent when providing behavioral health and substance use treatment.


HIPAA regulations include a series of elements that must be present in an authorization for it to be considered valid.6 These are described in the regulations as the “Core Elements.” The authorization must be signed by the patient requesting records or an authorized representative. If signed by a representative, the representative must provide a description of his authority to act on behalf of the patient, such as a power of attorney.

The signature, as well as the authorization document, can be a copy or facsimile. As to the nature of a valid signature, electronic or handwritten, the HIPAA regulations do not provide much guidance. The website for the U.S. Department of Health and Human Services indicates that signatures can be obtained electronically, provided they are valid under “applicable law.” The use of electronic signatures raises issues of federal laws other than HIPAA and state laws. Some states have laws permitting electronic signatures, assuming the signor adopts an electronic signature as his or her signature.

Other core elements of a valid authorization include a description of the information to be released, purpose of disclosure, the name of the person or class of individuals to whom the records will be provided, and an expiration date or event upon which the authorization will expire. However, a patient may indicate that there is no expiration date or event for an authorization. It is recommended that the authorization be limited to one year. Note, however, that under Part 2 of the Substance Abuse Confidentiality Regulations, a time limit is not specified, but rather the authorization should include a date, event, or condition upon which the authorization will expire. The duration of the authorization should be limited to a timeframe reasonably necessary to serve the purpose for which the authorization was given.7

HIPAA regulations also require an authorization to provide three statements to inform a patient about the scope of the authorization.

  • First, the authorization must include a statement indicating an individual’s right to revoke an authorization.
  • Second, there must be language in the authorization indicating that a doctor cannot condition treatment on the provision of the authorization. A different statement must be included where treatment is being conditioned upon provision of a signed authorization, such as in situations involving medical research.
  • Third, the authorization must provide a patient with notice that information or records released by the physician may be subject to re-disclosure and may no longer be protected by the Privacy Rule.

It is important to be aware of your specific state’s regulations on authorization and what is required.

Patients may withdraw consent at any time. They may have consented for you to communicate with a family member or another provider earlier in treatment, but later in treatment revoke consent. If a patient indicates verbally that they withdraw consent, memorialize this in writing. Ask the patient to sign a document and maintain in your medical record.

HIPAA & Psychotherapy Records

The Privacy Rule specifically addresses the release of psychotherapy records, which are defined by HIPAA regulations as notes recorded in any medium that document or analyze “the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.”8 Notably, psychotherapy records must be kept separate from the rest of a patient’s medical record to be afforded additional protections.

Psychotherapy records do not include documentation of “medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.” Generally, a doctor must obtain a signed and valid authorization for the release of psychotherapy records before releasing them for any reason. However, there may be instances where a court orders a release of psychotherapy records. Should you encounter this, contact your insurer to obtain advice on how to proceed before releasing the records.

Examples of State-Specific Privacy Provisions

States have the option to institute a greater level of privacy protection beyond those provided under HIPAA. Many states also have their own regulations for the release of medical records. Some states have regulations that specifically provide heightened protections for records pertaining to behavioral health, substance use and sexually transmitted diseases. It is important to be aware of your specific state’s regulations on release of records and the ability to communicate with others about treatment.

Withholding Release of Records

Some states may allow instances where the records may be withheld from release. For example, in California, a minor patient’s representative is not entitled to a copy of the patient’s records under certain circumstances. These include situations where the treating physician determines access to the records would lead to a detrimental impact on the relationship between the physician and the minor patient, harm the minor’s physical safety or negatively impact the patient’s psychological well-being.9 In these situations, the physician is required to make an entry in the medical record indicating the date of the request and the physician’s refusal to provide the records, and describe the potential adverse consequences of allowing access to the patient’s records. The physician may have to make the records available for inspection by a doctor selected by the patient’s representative. If you encounter this situation, consult your attorney or risk management professional.

Texas has similar regulations regarding the release of records for treatment of a minor patient. The case of Abrams v. Jones involved a divorce and illustrates some of the issues physicians may face.10 The patient’s father requested a copy of his daughter’s records from a psychologist who started treating the 11-year-old after the parents began a divorce proceeding. The psychologist refused to provide his treatment records to the father because he believed that it would not be in the best interest of his patient. The psychologist offered to provide his records to a new psychologist of the father’s choosing who could make a determination as to whether withholding them was in the patient’s best interest. The father filed suit and the Supreme Court of Texas ultimately considered whether the psychologist properly withheld his records. The Court determined that withholding the records was in the patient’s best interest and approved the psychologist’s decision.


Releasing medical records can be complex. It is important to be aware of applicable federal and state laws. Through careful review and planning, physicians can ensure they respond to requests for health information while complying with legal obligations. It is important to obtain legal and risk management advice when you have questions about releasing records.


About the Authors

Kenneth M. Brown, is a partner in Wilson Elser’s New Jersey office, has extensive trial experience and for more than 30 years has represented physicians, nurses and other health care professionals in health law matters, including medical malpractice actions and before professional licensing boards.

peterespyPeter Espey is an associate in Wilson Elser’s New Jersey office focusing his practice in the areas of medical malpractice and insurance defense.

45 C.F.R. 164.506

2 45 C.F.R. 164.512(e)(1)(i)

3 35 P.S. 10101.1(a)(1)

4 N.J.S.A. 9:17A-4

5 42 C.F.R. 164.502(g)

6 45 C.F.R. 164.508(c)

7 42 C.F.R. 2.31(a)(9)

8 42 C.F.R. 164.501

9 California Health & Safety Code Section 123115

10. Abrams v. Jones, 35 S.W.3d 620 (Tex. 2000)