HIPAA Authorization Requirements for Treatment-Related Medical Records Sharing
Written patient authorization is NOT required under HIPAA when healthcare providers share medical records for treatment purposes, and your statement accurately reflects current federal law. 1
Core HIPAA Treatment Exception
HIPAA explicitly permits healthcare providers to disclose protected health information (PHI) to another healthcare provider without the patient's written authorization when the disclosure is for treatment purposes of that individual, as codified in 45 CFR 164.506. 1 This treatment exception is fundamental to care coordination and has been consistently recognized across multiple medical specialty guidelines. 1
The treatment exception applies specifically when:
- The disclosure is between covered healthcare entities 1
- The purpose is for treatment, care coordination, or continuity of care 1
- The information shared is relevant to the patient's medical care 1
Information Blocking Considerations
Your reference to the ONC's Cures Act Information Blocking Final Rule is accurate and adds an important enforcement dimension. 2 Healthcare facilities that require written patient authorization for sharing electronic health information for treatment purposes could be found in violation of information blocking regulations. 2 This creates a dual regulatory framework where:
- HIPAA permits disclosure without authorization for treatment 1
- Information blocking rules may penalize facilities that create unnecessary barriers to such disclosure 2
Critical Exceptions and State Law Preemption
Your statement correctly notes that state or other federal laws may impose additional requirements. 1 Two specific areas require heightened attention:
Behavioral Health Records
Federal alcohol and drug abuse treatment confidentiality rules (42 CFR Part 2 regulations) require formal patient consent for sharing records from specifically licensed substance abuse treatment facilities that receive federal funding, even when HIPAA would otherwise permit disclosure. 1 This creates a more restrictive standard than general HIPAA provisions. 1
Mental health records may also be subject to more restrictive state laws beyond HIPAA requirements, though HIPAA itself does not require separate authorization for most mental health information shared for treatment purposes (with the exception of separately maintained psychotherapy notes). 1
State-Specific Requirements
Some states have enacted privacy laws that are more restrictive than HIPAA and are not preempted by federal law. 3 Minnesota, for example, has maintained consent requirements for medical records use that exceed HIPAA standards since 1976. 3 Providers must verify whether their state imposes additional authorization requirements beyond federal HIPAA provisions. 3
Practical Implementation for Your Request
Your medical records request is compliant with HIPAA for the following reasons:
- It explicitly states the purpose is coordination of medical care and continuity of care 1
- It involves transfer of care between healthcare providers 1
- The disclosure falls squarely within the treatment exception 1
Common pitfalls to avoid:
- Do not assume all behavioral health records can be shared without authorization—verify whether Part 2 regulations apply 1
- Confirm that no state law in your jurisdiction requires additional authorization beyond HIPAA 3
- Ensure the requesting provider is a covered entity under HIPAA 1
- Verify that the disclosure is genuinely for treatment purposes rather than administrative or billing purposes 1
Documentation Best Practices
While authorization is not required, the disclosure should be documented in the patient's medical record as part of standard care coordination practices. 1 The receiving facility should maintain appropriate security measures for transmitted PHI, preferably using encrypted transmission methods rather than unsecured email or fax when possible. 1