Obtaining Medical Records

Phone: 843-674-2160
Fax: 843-674-2198
Email: flor-roi-request@musc.edu

• Personal requests for paper copies will be charged as outlined in SC state statute, Section 44-7-130, a fee of $0.07 per page with a fee of no more than $50.00. Personal requests for electronic/DVD delivery will be charged at the rate of $6.50 plus tax.
• Third party requests (attorneys, insurance, etc.) will be charged as outlined in SC state statute, Section 44-7-130, a fee of no more than $0.65 per page up to 30 pages and $0.50 per page thereafter will be billed.
• In certain cases, a clerical fee of $15.00 will be administered. Requestors will be sent a prepayment invoice upon determination of total cost.
• Radiology DVD imaging copy charges:
  
  • $6.50 for patients ($3.00 each additional copy)
  • $50.00 for third party requestors ($5.00 each additional copy)
  • *Plus tax and postage fees

The Health Insurance Portability & Accountability Act (HIPAA) sets the standard for a valid authorization to release information. Valid Requests must clearly state the following:

* All requests should be submitted to one of the sites. Requests should not be submitted to a provider’s office or clinic.

Right to Revoke
A valid authorization must contain a statement pertaining to the individual’s right to revoke authorization.

Condition Statement
A valid authorization must contain a statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.

Re-Disclosure
A valid authorization must contain a statement that there is potential for the PHI to be re-disclosed by recipient and thus, no longer protected by the HIPAA Privacy Rule.

Purpose
A valid authorization must contain a description of the purpose of the requested use of disclosure of protected health information.

Expiration Date
A valid authorization must contain an expiration date or event for which the request will expire.

Description of Disclosure
A valid authorization must contain a description of the information to be disclosed (visit dates, types of record and reports).

Signature and Date
An authorization signed and dated by the patient, or, in the case of a minor, by his or her parent(s) or legal personal representative under HIPAA, is required.

Statement of Assurance
Please either provide proof of assurance that the opposing party was served with a copy of the subpoena and no objections were filed or a signed authorization from the patient.

Who Can Release Records
The authorization must identify who is authorized to release records.

Who Can Receive Records
The authorization must identify who is authorized to receive records.

MUSC accepts electronic signatures that includes the author's e-signature, full name, credentials, date and time of e-signing.

A transmittal or cover letter can be used to narrow or provide specifics about a request for protected health information as described in an Authorization, but it cannot expand the scope of the Authorization.

For example, if an individual has authorized the disclosure of "all medical records" to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months. The cover letter could also specify a particular employee or address for the "class of persons" designated in the Authorization to receive the information. By contrast, an insurance company could not by cover letter extend the expiration date of an Authorization, or expand the scope of information set forth in the Authorization.

Yes, provided that the Authorization encompasses the category of information that was later created, and that the Authorization has not expired or been revoked by the individual. Unless otherwise expressly limited by the Authorization, a covered entity may use or disclose the protected health information identified on the Authorization regardless of when the information was created.

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

Yes, as long as the Authorization describes, among other things, the information to be used or disclosed by the covered entity in a "specific and meaningful fashion," and is otherwise valid under the Privacy Rule. See 45 CFR 164.508(b)(1) and 164.508(c)(1)(i).

An Authorization would be valid if it authorized the covered entity to use or disclose an "entire medical record" or "complete patient file." On the other hand, without further definition, an Authorization to use or disclose "all protected health information" might not be sufficiently specific, since protected health information encompasses a wider range of information than that which is typically understood to be included in the medical record, and individuals are less likely to understand the breadth of information that may be defined as "protected health information."

Yes. A covered entity is permitted to use or disclose protected health information pursuant to any Authorization that meets the Privacy Rule’s requirements at 45 CFR 164.508. The Privacy Rule requires that an Authorization contain certain core elements and statements, but does not specify who may draft an Authorization (i.e., it could be drafted by any entity) or dictate any particular format for an Authorization. Thus, a covered entity may disclose protected health information as specified in a valid Authorization that has been created by another covered entity or a third party, such as an insurance company or researcher.

Yes. The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given. The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid Authorization, or where the Authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself.

The Privacy Rule requires that the Authorization must clearly state the individual’s right to revoke; and the process for revocation must either be set forth clearly on the Authorization itself, or if the covered entity creates the Authorization, and its Notice of Privacy Practices contains a clear description of the revocation process, the Authorization can refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it, since the revocation is not effective until a covered entity which had previously been authorized to make the disclosure receives it.

Yes. One Authorization form may be used to authorize uses and disclosures by classes or categories of persons or entities, without naming the particular persons or entities. See 45 CFR 164.508(c)(1)(ii). For example, it would be sufficient if an Authorization authorized disclosure by "any health plan, physician, health care professional, hospital, clinic, laboratory, pharmacy, medical facility, or other health care provider that has provided payment, treatment or services to me or on my behalf" or if an Authorization authorized disclosure by "all medical sources." A separate Authorization specifically naming each health care provider from whom protected health information may be sought is not required.

Similarly, the Rule permits the identification of classes of persons to whom the covered entity is authorized to make a disclosure. See 45 CFR 164.508(c)(1)(iii). Thus, a valid Authorization may authorize disclosures to a particular entity, particular person, or class of persons, such as "the employees of XYZ division of ABC insurance company."

Yes. Under the Privacy Rule, a covered entity may use or disclose protected health information pursuant to a copy of a valid and signed Authorization, including a copy that is received by facsimile or electronically transmitted.

Patients have the right to request an amendment if they believe information in their medical record is inaccurate or incomplete. To submit a request, please complete the Patient Amendment Request form linked below and follow the submission instructions included on the form. When completing the form, please provide as much specific detail as possible, including dates of service and a clear description of the information you believe is incorrect or incomplete. Once received, your request will be reviewed by the appropriate clinical and health information teams. You will receive a written response regarding the determination within the timeframe required by regulation.

Download Patient Amendment Request form (PDF)

These Federal rules mandate when your protected health information may be used or disclosed without your authorization. Please see our Notice of Privacy Practices for additional information.

You have the right to revoke this authorization, in writing, at any time before it ends. However, your written revocation will not affect any disclosure of your medical information that person(s) and/or organization(s) listed on the Authorization to Disclose Protected Health Information form have already made, in reliance on this authorization, before the time you revoke it. Your revocation must be made in writing and addressed to:

Medical University of South Carolina, Health Information Services
3 Southpark Circle
Suite 103
Charleston, SC 29407

If the person(s) and / or organization(s) authorized by this form to receive your medical information are not health care providers or other individuals who are subject to federal health privacy laws, your medical information may be re-released without your prior permission.

South Carolina Law requires most medical records to be kept for a period of ten (10) years. In some cases, however, records may be kept longer. We will let you know if your records are unavailable.

You have the right to inspect or copy the medical information you are authorizing for disclosure, with certain exceptions provided in 45 CFR §164.524. If you would like to inspect your records, please contact the

Medical University of South Carolina, Health Information Services
3 Southpark Circle
Suite 103
Charleston, SC 29407

If you are requesting that your medical records be disclosed/released or sent to other hospitals, clinics, or physicians for further medical care, no copying fees will be charged. However, you must pay for copies you request for other purposes.

Generally, if you are 18 years of age or older, you are the only person who is permitted to sign an authorization to disclose your medical information. If you are under the age of 18, your parent or guardian must sign this for form you. However, there are situations in which this general rule does not apply. For more information regarding who is authorized to sign this form, contact

Medical University of South Carolina, Health Information Services
3 Southpark Circle
Suite 103
Charleston, SC 29407
843-792-3881

Please provide a Probated Will naming the Personal Representative (Executor) or an Order appointing the Personal Representative of the Estate in full capacity and authorizing the representative to act on behalf of the Estate. (Contact the Probate Court in the County which the person last resided.)

In order to receive the records of a person who has been deemed incapacitated by the Court, an Order of Appointment from the Probate Court is needed. (Contact the Probate Court in the county which the person last resided.)