Skip to main content

Releasing Medical Records – Guidelines for Reducing Your Risk of a Violation

A frequently asked question we receive at CAP is "Can I release the records?" Medical practices often receive medical record release requests from multiple sources, including subpoenas, attorneys letters, law enforcement, regulatory agencies, and patients themselves. As we know, this is a complex question that has many facets and is subject to specific protection for sensitive information. The federal Health Information Portability and Accountability Act (HIPAA) of 1996 and California law provide guidance on the release of medical records. However, to protect yourself from inappropriate release of records and potential violations of patient privacy and confidentiality, it is important to know when you can, and cannot, release records and when to seek guidance from your professional liability carrier.

Following are examples of the most common types of requests for patient records and general risk management tips.

On-Demand Webinar: Key Strategies for Ensuring a Profitable Independent Practice
During this one-hour program, practice management expert Debra Phairas discusses how various business models and operational enhancements can increase revenue to help your practice remain successful in today’s competitive marketplace.



Reduce Your Risk

Attorney Letter

Letter from an attorney requesting medical records on behalf of a patient. This type of request may indicate the patient is seeking legal advice in anticipation of litigation.

• Letter must be accompanied by a signed release or authorization from your patient. 

• CAP recommends our members compare the patient’s signature with existing records or you may call the patient to confirm.


Subpoena Duces Tecum

Is a request for a production of records. It is a court ordered command.2 The term “subpoena” literally means “under penalty.”3

Review subpoena for:

• Notice to Consumer or Employee.  This document confirms your patient has been notified and you are not obligated to notify the patient of the request.

• Proof of Service.

• Contact your professional liability carrier if in doubt.

Workers' Compensation Subpoena for Medical Records

Same as Subpoena Duces Tecum.

• Same as Subpoena Duces Tecum.

Health Plan Access to Medical Records

Federal privacy regulations (HIPAA) permit the disclosure of confidential medical information to health plans in certain situations without the patient’s authorization for the following purposes, such as for, diagnosis/treatment, payment purposes, peer review activities, etc.⁴ 

• Ensure all patients have a signed HIPAA Notice of Privacy Practice.  Find a sample here:

What if your patient requests information not be disclosed to a health plan?

• Effective February 17, 2010, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires physicians covered by HIPAA to comply with an individual’s request to restrict disclosure of protected health information (PHI) to a health plan if:⁴

1. Purposes of payment or healthcare operations.

2. The PHI was paid out-of-pocket in full.

Minor’s Parents Request for Records

Pediatric offices have a special challenge. Divorced, separated, and/or parents in the process of a divorce may attempt to restrict the other parent’s rights to access. However, parents have a right to their child’s medical records regardless of marital status with the exception of a court order restricting release.

• Request to view court document denying
parental access.

In general, persons having responsibility for decisions respecting the healthcare of a minor should have access to information on the minor patient’s condition and care.  (Health & Safety Code §123110.)5

Patient Request

The HIPAA Privacy Rule states individuals have a right to their “protected health information.” Patients, or their legal representatives, generally have a right to inspect and copy their medical records.⁵

Click here for CAPsules article regarding release guidelines for patient requests.…

Law Enforcement

Many agencies fall under Law Enforcement and guidance varies.

Contact CAP Hotline at 800-252-0555 for risk advice.


Other entities you may encounter in your practice that may request records include, but are not limited to:

Coroner’s Office

Medi-Cal and Medicare investigators

Regulatory agencies

Many requests for medical records must also satisfy special confidentiality requirements.

Special confidentiality requirements are specific laws that require additional specific authorization to protect the release of medical records involving the diagnosis and/or treatment of the following patient conditions: minors, HIV, psychiatric/mental health conditions, and alcohol/substance abuse. If a patient does not authorize the release of this specific medical information, the office must declare in writing the following: "This disclosure does not contain patient medical information, if any, that is protected by special state and/or federal confidentiality laws and which cannot be disclosed without specific written consent." Once the requesting party has been given notice that this information may be withheld from the release, the burden of obtaining the patient's consent shifts to the requesting party.1

In summary, ensure your practice has proper policies and procedures in place for responding to requests for the release of records and that these processes are followed to decrease your risk of violating federal or state patient privacy laws. If in doubt, call CAP’s Risk Management Hotline at 800-252-0555 for guidance.   


Rikki Valade is a Senior Risk Management and Patient Safety Specialist for CAP. Questions or comments related to this article should be directed to



1CAP Risk Management (12/2019) Patient Record requests:  What Is Proper Release Protocol?

2Cornell Law School; Legal Information Institute.

3FindLaw (2018) What is a Subpoena?…

CMA California Physician’s Legal Handbook (01/2020), Document #4202 Health Plan Access to Medical

CMA California Physician’s Legal Handbook (01/2021), Document #4205 Patient Access to Medical Records