by Ann L. McNary, JD

Ms. McNary is Senior Risk Manager at Professional Risk Management Services (PRMS)

Funding: No funding was provided for the preparation of this article.

Disclosures: The author is an employee of PRMS. PRMS manages a professional liability insurance program for psychiatrists.

Innov Clin Neurosci. 2022;19(1–3):71–73.

This ongoing column is dedicated to providing information to our readers on managing legal risks associated with medical practice. We invite questions from our readers. The answers are provided by PRMS, a manager of medical professional liability insurance programs with services that include risk management consultation and other resources offered to health care providers to help improve patient outcomes and reduce professional liability risk. The answers published in this column represent those of only one risk management consulting company. Other risk management consulting companies or insurance carriers might provide different advice, and readers should take this into consideration. The information in this column does not constitute legal advice. For legal advice, contact your personal attorney. Note: The information and recommendations in this article are applicable to physicians and other health care professionals, so “clinician” is used to indicate all treatment team members.


I received a request for a patient’s records, and I haven’t been able to sleep. Does this mean I’m going to be sued?  


While many things have changed during the COVID-19 pandemic, some things have remained exactly the same. Record requests are still one of the most frequently asked about topics on our Risk Management Consultation Services helpline, and clinicians are still often quite alarmed when they receive one. In the 13 years since I began working at Professional Risk Management Services (PRMS), I honestly can’t think of a day when someone didn’t have a question about a records request. And while these requests are often a source of extreme consternation, I also know that the vast majority are not a prelude to an impending lawsuit. To reassure those of you who may be a recipient of a record request and to provide guidance on responding to those requests, we thought it would be a good time to go over the basics.

The who and why. Records or treatment information may be requested by a variety of different people, in a variety of different ways, for a variety of different purposes. Yes, of course, records are requested by attorneys who are contemplating filing a lawsuit against a healthcare practitioner, but there are many, many other reasons that have nothing to do with questions regarding the care provided to a patient. This is by no means an exhaustive list, but as an illustration, records may be requested by the following:

  • Subsequent treating physicians for continuity of care
  • Insurance companies to substantiate billing (use audits)
  • Attorneys defending people whom your patient has sued
  • Police investigating crimes involving a patient 
  • Family members of patients who have committed suicide who are looking for answers
  • Parents of minor children
  • Coroners investigating patient deaths
  • Attorneys involved in will disputes who are questioning a patient’s competency
  • A court hearing a patient’s lawsuit or criminal case
  • Government agencies investigating a patient’s ability to perform a job, possess a weapon, child abuse allegations, etc.
  • Divorce attorneys involved in custody disputes
  • Patients who want them just because they are entitled to them
  • Life insurance companies following a patient’s application for insurance or a patient’s death
  • Medical record collection agencies working on behalf of attorneys or health insurance companies

The how. Requests for information may be verbal or written. If written, they may arrive via text, email, fax, or regular mail, or they may be hand-delivered. You may receive a text from a patient requesting records or a formal legal document, such as a subpoena or a court order. The one thing that all of these have in common is that you must consider and, except on extremely rare occasions, respond to them. There are professional, ethical, and legal penalties for failing to respond to a valid request in a timely manner. However, that response often does not include providing the requested information.

Verbal requests. Verbal requests usually come from a patient, a member of the patient’s family, or a law-enforcement professional. 

From patients. The risk management advice is to require that patient record requests be in writing, which might be required under state law. Keep in mind that regulators are undertaking enforcement initiatives to ensure patients can easily access their own records without administrative burdens or delays. As an example, the Office of Civil Rights (OCR) has focused on this patient right in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Right of Access Initiative, under which it has investigated, and entered into many resolution agreements with, covered entities that fail to provide individuals with timely access to their medical records.

From those other than patients. Verbal requests are almost always insufficient to allow or compel disclosure of patient information. The primary exception to this rule is an emergency situation (e.g., a call from the emergency room or a call about an imminently suicidal patient). If there is no emergency, the appropriate response is to explain that the request must be put in writing and that the requestor must either provide a patient authorization or a court order or otherwise cite their authority to access the information. As you would not necessarily know whether the request was being made by someone with authority to have the information or someone posing as someone with authority to have the information, at this juncture you should avoid even confirming that the person in question is or was your patient.

Written requests. When a written request is received, it should be evaluated as soon as possible, as time is usually of the essence. Under HIPAA and the laws of most states, one receiving a valid request has a specific amount of time in which to respond (e.g., 30 days or less). Subpoenas will provide a specific date by which a response must be received. Even if this response does not involve providing the requested information, it must still be made in a timely fashion.

Ideally, all requests for information should be in the form of, or include, a written release authorization or a court order. Written requests without one of these are almost always insufficient to allow or compel the release of information. The exception might be a medical examiner investigating a patient death or child protective services investigating child abuse, as many states provide these entities with statutory authority to obtain information upon their request. Written release authorizations are documents whereby the individual who has the legal authority to control the protected information provides permission and direction to disclose specified information. The written authorization serves to protect you from potential liability for disclosing information.  

A proper authorization almost always compels you to release records, even if you do not wish to do so. Some state statutes, as well as the HIPAA Privacy Rule, allow you to provide a summary of treatment in lieu of a copy of a patient’s entire chart; however, in many instances, individuals who request a copy of a record will insist on receiving a complete copy and will be entitled to receive it. Some states and the Privacy Rule allow you to refuse to release information that would be detrimental to the patient; however, there will typically be an appeal mechanism under which the patient can have your denial of access reviewed. The standards for exercising this discretion are very high. For example, information could be withheld if disclosure would cause the patient to become imminently suicidal or homicidal, but information could not be withheld if it would simply cause the patient to become angry and file a lawsuit.

The elements of an authorization for release of medical information. From a general risk management perspective, the basic elements that should be present in a valid authorization for release of information include the following:

  1. The name of the person or entity being authorized to make the disclosure
  2. The name or title of the individual or the name of the organization to which the disclosure may be made
  3. The name of the patient
  4. The specific type of information to be disclosed (e.g., psychiatric information and substance abuse treatment information)
  5. The specific purpose of the disclosure
  6. A statement that the authorization to disclose is subject to revocation at any time, except to the extent that the program or person that is to make the disclosure has already acted in reliance on it
  7. The signature of the patient or person legally authorized to give consent with any necessary supporting documentation (e.g., a copy of the legal papers appointing an individual as representative of a deceased patient’s estate)
  8. The date on which the authorization was signed
  9. A specific date or event upon which the authorization expires.

In addition to the basic elements of a valid authorization, additional elements may be required depending on the practice state or the type of information being disclosed. For example, federal regulations that protect the confidentiality of substance abuse treatment records require that particular elements be included in the written form for disclosure of patient information (see 42 CFR Part 2, section 2.31). Likewise, clinicians who are covered providers under the HIPAA Privacy Rule must use authorization forms with specific required elements set out by that regulation. Individual states may also have their own requirements. For example, in Illinois, the Mental Health and Developmental Disabilities Confidentiality Act requires that authorizations be witnessed.

Subpoenas. A subpoena is a legal document used to obtain the testimony (written or oral) of a witness in a legal proceeding. Subpoenas are usually issued by attorneys, and while they do have the authority of the court behind them, they do not carry the same weight as actual court orders.   

There are two types of subpoenas: 1) a subpoena for written information, referred to as a subpoena duces tecum, and 2) a subpoena for oral information, either for deposition or in-court testimony.

A subpoena alone may not be sufficient to compel the release of mental health/psychiatric information. This does not mean, however, that a subpoena may be ignored. Valid subpoenas require a timely response even if no information is released. The subpoena will state a deadline for response, and legal sanctions may be imposed by the court for failure to deliver a response within the stated timeframe.  

Subpoenas for written information (subpoenas duces tecum). A subpoena for written information without an accompanying written authorization to release information is almost always insufficient to allow or compel disclosure of records. Upon receiving a subpoena duces tecum, you should contact the patient, if possible, to notify them of receipt of the subpoena. Subpoenas are frequently issued without the knowledge of patients, especially those without an accompanying written authorization. If there is no accompanying written release authorization, you should ask the patient for one. The patient will probably need to consult with their attorney on the issue. The attorney might advise the client to sign a release or make a motion in court to have the subpoena quashed (i.e., stopped). In any case, the response from the patient and/or their attorney must be obtained in a timely manner. You should not delay your response unreasonably because of the inaction of a patient or a patient’s attorney.

If the subpoena is accompanied by a signed authorization, you should evaluate the release as set forth above. If the release authorization is adequate, it should be sufficient to compel the release of the information as directed by the authorization, even if you do not wish to do so. As explained above, the written release authorization serves to protect you against potential liability for disclosing the information.

It is a good risk management practice to always contact the patient, if possible, to advise the patient of the receipt of a subpoena and to confirm their desire to have that information released. If the patient refuses to provide an authorization or cannot be reached, or if the patient revokes the authorization and directs you to not disclose the information, you should call your professional liability insurance carrier’s risk management department to assist with developing an appropriate response.

A few states do have statutory procedures in place that may compel the release of information with a subpoena, even without a written release authorization. However, it is not always clear when the legal requirements have been met. This is another situation where your professional liability insurance carrier’s risk management department can be of assistance.

Subpoenas for oral information (subpoenas for deposition or testimony). Determining the appropriate response to subpoenas for deposition or testimony is trickier than that for subpoenas duces tecum. A subpoena for deposition or testimony is usually sufficient to compel you to appear at the appointed place and time, but it is seldom sufficient to allow or compel the disclosure of protected information. This places you in the untenable position of having to appear without being able to say anything. You should contact your carrier immediately upon receipt of a subpoena for deposition or trial testimony.

Court orders. Court orders and subpoenas can be very difficult to tell apart. The language used in the two types of documents tends to be very formal and might appear very similar. To further complicate the issue, an attorney might insist that a subpoena is a court order, and, in a very general sense, they would be right. A subpoena does have the authority of the court behind it, but it is not a court order.

A court order is issued by a judge after one or both parties have made a motion for some kind of action to be taken (e.g., the releasing of psychiatric records). Court orders alone are almost always sufficient to compel the disclosure of information, even if the patient does not wish to allow it. However, some court orders might not be sufficient, for example, if a proper hearing has not taken place regarding the motion. The hearing is vital, because the involvement of a judge in the decision-making process acts to shield you from potential liability for disclosing information. Indeed, so powerful is the judge’s authority that to refuse to comply with a court order carries the very real possibility of being held in contempt of court.

All court orders require a response within a specific amount of time. You should call your professional liability insurance carrier’s risk management department immediately upon receipt of a court order.

How to prepare. The greatest risks stemming from a record request are in failing to respond in a timely manner to requests and disclosing information without proper legal compulsion. As it is highly likely that at some point you will receive a request for records, your practice should have written policies and procedures for responding to information requests appropriately. Written confidentiality policies and procedures are required under HIPAA’s Privacy Rule, as well as under some states’ laws.  

As it is often difficult to determine whether the documents you have received are sufficient to compel the disclosure of mental health records, never hesitate to seek the advice of your professional liability insurance carrier’s risk management department to both review the documents and help you to prepare a formal response if release of records is not permitted.