7 Legal Errors You Must Avoid

Nov 04, 2021

Dealing with medical records is a complicated subject, with many areas where mistakes are possible. When it comes to HIPAA, some practices hold preconceptions that are not only incorrect but can lead to larger problems that are very costly for the practice as a whole. In my time dealing with HIPAA regulations, I have seen a great many misconceptions surrounding HIPAA, and several of them appear quite frequently. There are seven major examples of legal errors that I have seen, and I will break them down for you to help make sure that you don’t fall into the same traps that others have.

Misconception #1

  • A noncustodial parent does not have the right to access their child's records. 

That is false. Unless there's a state specific law that says otherwise, both parents have a right to have access to their child’s medical records, unless there is a court order barring one parent from having that access. This remains true even if the custody has been divided unevenly. Both the primary and secondary caregiver have equal access to medical records.

Misconception #2

  •  Physicians don't have to provide patients access to their entire medical record. 

That is also untrue in most cases. A medical practice must provide the complete medical record to patients, including progress notes when requested. There are, however, some exceptions. One is that if there is a mental health note that suggests these records should be withheld, then you may want to consider withholding that information. If you are a mental health counselor you should know what to look for. Otherwise, if there's information in the records that might cause harm to the patient or to others if you disclose it to the patient, that may be withheld as well in some cases. Always check with an attorney before withholding information in someone’s records. 

Misconception #3

  • The obligations contained in the Notice of Privacy Practices that you give to a patient when they first come in is your entire HIPAA obligation. 

That is not the case. This is probably the most widespread misconception regarding HIPAA. There are three parts to HIPAA: the Privacy Rule, which gets most of the attention; the Security Rule, which is just as important; and the HITECH-related rules, which deal with many of the technical, online aspects of HIPAA. If you don't know what you're doing, at the very least consult the HIPAA Policies and Procedures Manual, which we have here at Functional Lawyer. Other recommended actions are to find a HIPAA specialty group that will help you, or to talk to your attorney regarding your obligations under HIPAA.

Misconception #4

  • Physicians are not required to provide medical records. It must be done through a third party. 

This is incorrect. Physicians must give patients access to their medical records upon request. Today, it's easier than ever to access records online, so this request can be granted easily.

Misconception #5

  • Physicians are allowed to charge a flat fee to access records. 

There isn’t a flat fee authorized under HIPAA. In fact, the fees that you actually are allowed to charge are somewhat technical. While you can’t charge a flat fee for someone to access their records, you can, however, charge for the labor involved in copying records. You can also charge for the CD or USB drive used if they request their records in that way, but there is no flat rate permitted by HIPAA for simply accessing medical records.

Misconception #6

  • Record requests can be honored without a patient's signature. 

Although this can be true in some situations, like when looking for payment or sharing the records with another physician for the purposes of treatment, it's generally a good idea to get a signature when there is a records request, even if it’s not technically required. 

Misconception #7

  • Records requests can be dishonored or refused if a patient owes money to the practice. 

This is not the case, and behaving as if it is has gotten many practices into trouble. In fact, one of the primary focuses of the Office for Civil Rights (OCR), which enforces HIPAA, is that patients must receive their records within 30 days of the request, whether they owe money or not. You don't want to have someone owing you $300 lead to a HIPAA violation of $5,000, so it’s best to just give them their records and then try to collect the payment in the usual manner. Record requests are a major focus of the OCR, so it is critical to get this right.


Hopefully, this has helped to provide clarity on at least one of these legal errors. If you, like many, are now the HIPAA security officer or the privacy officer in your practice for the very first time, I suggest you try to access some help, because these issues are important and if handled incorrectly can lead to many issues down the road. As always, if you have any questions, you can reach out to Functional Lawyer on social media or subscribe to our YouTube Channel for more content. 
