MPIE Risk Management GEM (Volume V): Guidance on the Release of Medical Records

Due to ongoing medical issues, a patient requested a leave of absence from work. Short-term disability paperwork along with copies of medical records were requested by the patient’s employer to consider/grant the request. The patient’s employer sent the necessary paperwork and signed medical records release authorization to the practice. The authorization form only requested documents relevant to the procedure/condition (as was appropriate) over the last year. After the request was processed, it was found that all the patient’s medical records from the last year (including therapy/substance abuse notes) were provided to the patient’s employer. The therapy and substance abuse notes did not pertain to the procedure/treatment or ongoing medical condition for which the patient was seeking the leave of absence.
Due to the improper release of medical records/HIPAA breach, the employer terminated the employee, and the practice was sued by the patient for damages sustained from loss of employment.

The above scenario highlights the need for staff education and adherence to guidance related to medical records release requests. There are several types of entities that may seek medical records from healthcare practices. When receiving a medical record authorization, it is essential to know what is required to be released and to ensure the practice staff seeks to protect the patients’ medical records since this is an integral part of the overall delivery of safe and trusted healthcare. Briefly covered below are the most common entities that request medical records, guidance on release and when to reach out to MPIE. MPIE Risk is available to advise you via our Hotline 616-202-1997 or

Most Common Types of Medical Record Requests and Risk Management Guidance:

Attorney Letter
A letter from an attorney requesting medical records on behalf of a patient.

What is the risk?
This request may indicate that the patient is seeking legal advice for potential litigation and may warrant reporting to MPIE claims intake.

Risk Management Recommendations
Before sending a copy of the patient’s medical records to the attorney:
Have the provider review the release and the patient’s record.

Ensure that the request includes an authorization that is signed/dated by the patient or includes a court order.

Contact MPIE or your risk management department to review the request if there is any concern with the request or the care/outcome for the patient.

Document that the information was sent to the attorney.

If all records within the patient’s medical record have been requested, include every document within the medical record.

The subpoena will request that specific records are produced. A court order should also be included to release the records.

What is the risk?
Not producing the records could result in further court actions such as a bench warrant. If records are not produced within the period specified in the subpoena (usually 21 days), then the requesting party can request a Show Cause hearing. The Show Cause hearing notice will be sent to the provider. If they do not appear for the Show Cause hearing, then a bench warrant will be issued.

Risk Management Recommendations
Immediately contact your organization’s risk management department, practice manager, or MPIE Risk Management for assistance.

Under HIPAA, parents have the right to access medical records.

What is the risk?

HIPAA violation – even though parents have a right to access medical records, there are specific medical records that cannot be released without the minor’s consent.

Risk Management Recommendations
Biological parents have the right to their child’s medical record. Neither parent has the right without the minor’s consent to information protected by state statutes, such as care and treatment related to pregnancy, HIV, STD, substance abuse and mental health. Exceptions may apply; please see state statutes for specifics on age requirements and release specifications or consult risk management or a legal advisor.
Please see the Michigan Laws Related to Right of a Minor to Obtain Health Care without Consent or Knowledge of Parents

Divorced Parents
When parents are divorced, their respective rights and parental obligations are defined by the custody arrangement approved by the court.

What is the risk?
There can be instances where one of the parents is prohibited from having access to the child’s medical records or there is a protective order in place, so it is important to review the custody arrangement prior to releasing any information.

Risk Management Recommendations
Verify the identity of the individual requesting the minor’s medical records and make sure they have the legal authority required. This can be done by asking for a copy of the divorce decree, custody agreement, or court order and then verifying it against a driver’s license or other photo ID with signature.
Please see the MPIE Risk Management Manual – Chapter 4: Medical Records (Minor Medical Records)

Deceased Patient
Records for a deceased patient should include a letter of authority in addition to a signed request. The letter of authority is given to the executor of a person’s estate by the Probate Court upon their death.

What is the risk?
HIPAA does not give family members the right to access patient records, unless the patient is a spouse, or has designated them as a personal representative.
For next of kin questions see the following resources:
MPIE RM Manual – Deceased Patient Records (pg. 45)

Risk Management Recommendations
Under Michigan Law, the authority to release a patient’s records succeeds to one of the two classes of persons upon the patient’s death:

Legal Representative
Beneficiary (or heir) of the patient’s estate – this includes next-of-kin and other persons designated as beneficiaries under a will/trust, made by the deceased patient
If there is doubt about who is requesting a copy of medical records, ask for proof. Generally, a photocopy of the deceased patient’s trust or will, and a copy of the requestor’s photo I.D. will suffice.

An Authorization for Release of Medical Records should be signed by the legal representative or beneficiary on the patient’s signature line. The signer should print both name and status (e.g., Executor of the Estate, Beneficiary) next to his or her signature.


If you are an employed provider of a healthcare system and have questions on this subject, please consult your organization’s risk management department for advisement as to system policy or protocol.