HIPAA Consult


Answers to your questions about... copying sensitive chart entries; sharing data with noncovered entities.

Copying fees and sensitive chart entries Q. I plan to cut my hours in preparation for retirement and I expect many of my patients to leave the practice. If I'm required to respond to multiple record requests, may I charge a reasonable fee for copying and sending large records? Also, how should I handle any "delicate" and possibly inflammatory entries in charts?

The second question you raise is more difficult. Generally, you can't deny access to any part of a medical record under HIPAA, with certain exceptions: psychotherapy notes (unless the requesting doctor has obtained prior patient authorization); information compiled in anticipation of legal proceedings; CLIA information; research records during the course of a study; or records obtained from someone other than a healthcare provider, under a promise of confidentiality.

But you'll find no protection for indelicate entries. Although many state laws permit doctors to redact portions of the medical record, HIPAA doesn't recognize this right.

Sharing data with noncovered entities Q. I'm part of a five-doctor internal medicine group with managed care contracts through two different hospital PHOs. Recently, in connection with a quality improvement project it's conducting, one PHO demanded to see charts for a sampling of all our diabetic patients. Since only a handful of our patients with diabetes are enrolled through this PHO, we refused to release the patient charts of other patients for fear of violating HIPAA. Did we do the right thing?

A. Yes. Generally, covered entities-you and a hospital, for example-may use patient information for their own operational purposes, including quality assurance reviews. Similarly, if two covered entities have treated the same patient, they may exchange relevant information for quality assurance or other operational purposes.

In the case you describe, however, the PHO isn't considered a covered entity under HIPAA because it's not a healthcare provider, payer, or clearinghouse. Still, the PHO may be able to set things up so that it could legitimately obtain patient information from you, along with its other physician members. One, it could characterize itself as your business associate and enter into a business associate agreement with you. Or two, it could enter into a "data use agreement" with you, permitting you to release a "limited data set"-that is, information that excludes such identifying data as names, addresses, phone numbers, and Social Security numbers.


Margaret M. Davinomdavino@kbrny.comis a healthcare attorney with Kaufman Borgeest & Ryan, in New York City. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice.

Please submit questions via e-mail to or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.

Related Videos
Robert E. Oshel, PhD
Gary Price, MD, MBA
Jolie Apicella, JD
Victor J. Dzau, MD, gives expert advice
Ron Holder, MHA, gives expert advice
remote patient monitoring
no shows
© 2023 MJH Life Sciences

All rights reserved.