Can Doctors Share Patient Information Without Permission?
By Melissa McCall, J.D. | Legally reviewed by Aviana Cooper, Esq. | Last reviewed July 26, 2023
This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.
Can physicians share patient information without permission? The short answer is no. The information contained in medical records is confidential under federal and state law.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects "individually identifiable health information," also called protected health information (PHI). It does so through the Privacy Rule.
The Privacy Rule covers a patient's medical records and PHI. The Privacy Rule gives patients rights over their medical information. This includes the right to access their protected health information. It also gives them the right to get a copy of their protected health information and request corrections.
Patients must permit disclosure of their medical records or protected health information. Many entities handle medical records and need patient authorization to disclose them, including health plans, health care clearinghouses, and other health care operations. Because these entities can access a patient's medical records and health information, they are subject to patient privacy rules.
There are exceptions to these laws. Physicians may share medical records and personal medical information without consent. This article explores privacy protections and instances where permission is not needed.
HIPAA
HIPAA includes federal privacy protections for personal health information. Covered entities typically need consent under HIPAA's Privacy Rule to disclose medical records. They cannot share medical information without permission. HIPAA defines covered entities. They include insurance companies, pharmacies, and health care professionals. Covered entities also include HMOs and government health plans, such as Medicaid.
In most cases, patients must provide written authorization to disclose personal health information. If the patient has a personal representative, that person can provide written authorization after documenting that they are the patient's representative. Health care providers must provide their patients with a notice of privacy practices. This notice outlines the safeguards providers use to protect patients' privacy. Patients learn how their provider or health care system uses their private health information. They also have a right to access their medical information.
The only exception to this rule is mental health. Patients do not have the right to psychotherapy notes. The U.S. Department of Health and Human Services (HHS) has an Office for Civil Rights (OCR). The OCR enforces HIPAA's Privacy Rule and Security Rule. Any patient who has experienced an improper disclosure should contact the OCR. Report improper disclosures that involve a criminal offense to law enforcement.
Emergencies
Consider this scenario: A patient gets into an accident and needs emergency surgery. After surgery, the patient is unconscious. The surgeon may discuss the patient's medical information with a family member.
This is an example of a time when consent is not needed. Medical information includes test results and X-rays. The surgeon may also discuss this information with a personal representative.
This exception includes friends if it is in the patient's best interest. The physician can disclose information relevant to the patient's current medical care. But they can't discuss medical information unrelated to the traumatic injury. The physician cannot discuss any unrelated information from before the injury occurred. The law limits the discussion to the injury only.
Routine Care
Many providers use electronic health records in their practices. Often, practices include different providers and allied health providers. Allied health providers include nurses and pharmacy technicians.
Consider a health maintenance organization (HMO) as an example. Many HMOs bundle primary care, specialized care, and radiology in one building. In this scenario, other providers do not need permission to view patient records. This is because patients consent to share information when they sign up.
Electronic health records make patient care more seamless. They provide one central location for a patient's test results, vital signs, and more. They also include a patient's personally identifiable information, such as birth date, address, and Social Security number. Under HIPAA, doctors can share patient information and records as necessary. This includes general health and medical treatment.
For example, say a primary care physician refers their patient for an X-ray in the same practice. The radiologist does not need consent to review the patient's records. By contrast, hospital employees cannot look up a patient's medical record on a whim. Without permission, this would be a violation of HIPAA's Privacy Rule.
This exception to the Privacy Rule helps streamline medical treatment. For example, a new provider in the same practice does not need consent to see the patient's records. They can view the patient's medication list before prescribing a new medication.
A patient's electronic health records receive the same privacy protection as paper records. Covered entities must notify the patient if there is a breach. They must also inform the Secretary of Health and Human Services. They must also notify major media outlets if the breach affects more than 500 people in the same state.
Government Reporting
There are circumstances where a physician must disclose personal medical information. Doctors must file birth and death certificates, for example. They must report diseases they've treated so state agencies can track public health. These disclosures should not include the patients' names.
Doctors can also use your health information if necessary to protect public health. This includes reporting a flu outbreak or a pandemic.
Doctors must also report suspected cases of child abuse. As "mandated reporters," they do not need patient consent. A mandated reporter is a person required to make such disclosures. They include physicians, social workers, and child care workers. A similar duty applies to mental health providers. If they believe their patient is a danger to themselves or others, they must report this. Mental health providers should include this in their notice of privacy practices.
Talk to an Attorney
Medical privacy laws are complex. Both state law and federal law address health information privacy. For personalized advice, contact a local experienced health care attorney today.
Next Steps
Contact a qualified health care attorney to help navigate legal issues around your health care.