Frequently Asked Questions About Medical Records

Following are frequently asked questions about obtaining medical records from MUSC Health.

Is there a fee to obtain my records?

  • Personal requests for paper copies will be charged, as outlined in SC state statute, Section 44-7-130, a fee of $0.07 per page, not to exceed $50.00. Personal requests for electronic/DVD delivery will be charged at the rate of $6.50 plus tax.
  • Third party requests (attorneys, insurance, etc.) will be charged, as outlined in SC state statute, Section 44-7-130, a fee of no more than $0.65 per page up to 30 pages and $0.50 per page thereafter.
  • In certain cases, a clerical fee of $15.00 will be administered. Requestors will be sent a prepayment invoice upon determination of total cost.
  • Radiology DVD imaging copy charges:
    • $6.50 for patients ($3.00 each additional copy)
    • $50.00 for third party requestors ($5.00 each additional copy)
    • *Plus tax and postage fees

What is a Valid Authorization?

The Health Insurance Portability & Accountability Act (HIPAA) sets the standard for a valid authorization to release information. Valid Requests must clearly state the following:

* All requests should be submitted to one of the sites. Requests should not be submitted to a provider’s office or clinic.

Right to Revoke
A valid authorization must contain a statement pertaining to the individual’s right to revoke authorization.

Condition Statement
A valid authorization must contain a statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.

A valid authorization must contain a statement that there is potential for the PHI to be re-disclosed by the recipient and thus no longer protected by the HIPAA Privacy Rule.

A valid authorization must contain a description of the purpose of the requested use or disclosure of protected health information.

Expiration Date
A valid authorization must contain an expiration date or event for which the request will expire.

Description of Disclosure
A valid authorization must contain a description of the information to be disclosed (visit dates, types of record and reports).

Signature and Date
An authorization signed and dated by the patient, or, in the case of a minor, by his or her parent(s) or legal personal representative under HIPAA, is required.

Statement of Assurance
Please either provide proof of assurance that the opposing party was served with a copy of the subpoena and no objections were filed or a signed authorization from the patient.

Who Can Release Records
The authorization must identify who is authorized to release records.

Who Can Receive Records
The authorization must identify who is authorized to receive records.

Electronic signatures

MUSC accepts electronic signatures that include the author's e-signature, full name, credentials, and the date and time of e-signing.

Can an authorization be used together with other written instructions from the intended recipient of the information?

A transmittal or cover letter can be used to narrow or provide specifics about a request for protected health information as described in an Authorization, but it cannot expand the scope of the Authorization.

For example, if an individual has authorized the disclosure of "all medical records" to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months. The cover letter could also specify a particular employee or address for the "class of persons" designated in the Authorization to receive the information. By contrast, an insurance company could not by cover letter extend the expiration date of an Authorization, or expand the scope of information set forth in the Authorization.

May a covered entity disclose protected health information specified in an authorization, even if that information was created after the authorization was signed?

Yes, provided that the Authorization encompasses the category of information that was later created, and that the Authorization has not expired or been revoked by the individual. Unless otherwise expressly limited by the Authorization, a covered entity may use or disclose the protected health information identified on the Authorization regardless of when the information was created.

What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

May a covered entity use or disclose a patient’s entire medical record based on the patient’s signed authorization?

Yes, as long as the Authorization describes, among other things, the information to be used or disclosed by the covered entity in a "specific and meaningful fashion," and is otherwise valid under the Privacy Rule. See 45 CFR 164.508(b)(1) and 164.508(c)(1)(i).

An Authorization would be valid if it authorized the covered entity to use or disclose an "entire medical record" or "complete patient file." On the other hand, without further definition, an Authorization to use or disclose "all protected health information" might not be sufficiently specific, since protected health information encompasses a wider range of information than that which is typically understood to be included in the medical record, and individuals are less likely to understand the breadth of information that may be defined as "protected health information."

Does the Privacy Rule permit a covered entity to use or disclose protected health information pursuant to an authorization form that was prepared by a third party?

Yes. A covered entity is permitted to use or disclose protected health information pursuant to any Authorization that meets the Privacy Rule’s requirements at 45 CFR 164.508. The Privacy Rule requires that an Authorization contain certain core elements and statements, but does not specify who may draft an Authorization (i.e., it could be drafted by any entity) or dictate any particular format for an Authorization. Thus, a covered entity may disclose protected health information as specified in a valid Authorization that has been created by another covered entity or a third party, such as an insurance company or researcher.

Can an individual revoke his or her authorization?

Yes. The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given. The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid Authorization, or where the Authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself.

The Privacy Rule requires that the Authorization must clearly state the individual’s right to revoke; and the process for revocation must either be set forth clearly on the Authorization itself, or if the covered entity creates the Authorization, and its Notice of Privacy Practices contains a clear description of the revocation process, the Authorization can refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it, since the revocation is not effective until a covered entity which had previously been authorized to make the disclosure receives it.

May a valid authorization list categories of persons who may use or disclose protected health information, without naming specific individuals or entities?

Yes. One Authorization form may be used to authorize uses and disclosures by classes or categories of persons or entities, without naming the particular persons or entities. See 45 CFR 164.508(c)(1)(ii). For example, it would be sufficient if an Authorization authorized disclosure by "any health plan, physician, health care professional, hospital, clinic, laboratory, pharmacy, medical facility, or other health care provider that has provided payment, treatment or services to me or on my behalf" or if an Authorization authorized disclosure by "all medical sources." A separate Authorization specifically naming each health care provider from whom protected health information may be sought is not required.

Similarly, the Rule permits the identification of classes of persons to whom the covered entity is authorized to make a disclosure. See 45 CFR 164.508(c)(1)(iii). Thus, a valid Authorization may authorize disclosures to a particular entity, particular person, or class of persons, such as "the employees of XYZ division of ABC insurance company."

Is a copy, facsimile, or electronically transmitted version of a signed authorization valid under the Privacy Rule?

Yes. Under the Privacy Rule, a covered entity may use or disclose protected health information pursuant to a copy of a valid and signed Authorization, including a copy that is received by facsimile or electronically transmitted.