Disclosure of PHI Obtained From Other Providers

Patients have the right to request a copy of their medical record, and covered entities must provide it and include any information that was created by, or obtained from other healthcare providers that is contained in the patient record.

The Privacy Rule states:

“A covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not… In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider.

If the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access.”

The inclusion of other providers’ information is not exclusive to patient access rights. For example, if a hospital requests a patient’s full medical record for treatment purposes, then the entire contents of the medical record, including records that were created by other providers, should be included.

Health and Human Services has posted the following question and answer that addresses the issue in a more general manner, rather than only referring to patient requests:

Question – A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider.  Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer – Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.”

While a covered entity may deny access to information that was received from someone under a promise of confidentiality (if access would be reasonably likely to reveal the source of the information), a covered entity may not deny access to PHI when the information has been obtained from a healthcare provider. If a patient authorizes disclosure of his/her PHI, or disclosure is otherwise permitted by the Privacy Rule, a provider may not restrict disclosure of PHI based on who created it.