How to Transfer Medical Records Under HIPAA (Step-by-Step Guide)
Obtain Patient Authorization
Start by determining whether the HIPAA Privacy Rule requires a signed Patient Authorization Form for the disclosure. Transfers for treatment between Covered Entities may not need authorization, while disclosures to third parties or for non-treatment purposes generally do. When a patient directs you to send records to a third party, a written, signed request specifying the recipient and destination is required.
When authorization is needed, use a clear form that includes: patient identifiers, a description of the information to be released, purpose, recipient, expiration date or event, the right to revoke, and the risk of redisclosure. Capture the patient’s signature and date, and offer a copy. Keep the original with your release-of-information records for Documentation Compliance.
Confirm scope with the patient: full designated record set or specific items (e.g., labs, imaging, immunizations). Explain exclusions such as psychotherapy notes and information prepared for legal proceedings. If other laws apply (e.g., substance use disorder records under 42 CFR Part 2 or state rules on sensitive data), obtain any additional consents required.
Verify Recipient Identity and Authority
Validate who is receiving the records and their legal authority. For patients, verify identity using government-issued ID or secure portal authentication. For personal representatives, collect documentation such as a healthcare proxy, guardianship, or power of attorney, and ensure it covers healthcare decisions at the time of disclosure.
For other healthcare providers, confirm organizational details (address, phone, NPI) and the intended recipient. For non-provider recipients (insurers, attorneys, schools), ensure the authorization covers them and matches the disclosure’s scope. If a Business Associate will handle or transmit the records, verify a current agreement is in place with the Covered Entity.
Document your verification steps. When in doubt, contact the requester directly using a verified number, not one provided only in the request, to prevent misdirection or social engineering.
Prepare Medical Records
Collect only what is necessary for the stated purpose. For most requests, compile the designated record set: clinical notes, problem list, medication list, allergies, vital signs, test results, imaging reports, care plans, immunizations, and billing records. Apply the minimum necessary standard for non-treatment disclosures.
Ensure completeness and readability. Convert to the format requested if readily producible; otherwise, offer an alternative format both parties can use. Redact third-party information as required by law, and separate excluded content such as psychotherapy notes. Use OCR where possible so digital files are searchable.
Label files clearly (patient name, DOB, record type, date range). If you provide a summary or explanation instead of full records, obtain the patient’s agreement and note any applicable fees for that preparation.
Choose Secure Transfer Method
Match the method to sensitivity, urgency, and recipient capabilities. Preferred options include:
- Direct EHR-to-EHR exchange or FHIR-based APIs for provider-to-provider transfers.
- Patient portal download or secure messaging when the patient retrieves or receives records electronically.
- Encrypted email (TLS for transport, or S/MIME for end-to-end message encryption) with strong authentication; avoid standard email unless the patient specifically requests it after being advised of risks.
- Secure file transfer (SFTP) or encrypted cloud delivery with expiring links and access controls.
- Physical media (encrypted USB/CD) or mailed paper copies when electronic transfer is not feasible.
- Fax only with safeguards: verify number, use a cover sheet with minimal PHI, and confirm receipt.
Confirm Encryption Standards are met for data in transit and at rest, and that both sender and recipient can open the chosen format without weakening security.
Implement Transfer Safeguards
Apply layered protections before, during, and after the transfer. Combine Administrative Safeguards, Physical Security Controls, and technical measures to reduce risk and demonstrate compliance.
- Administrative Safeguards: role-based access, workforce training, sanctioned workflows for releases, and incident response procedures. Use checklists to prevent wrong-patient or wrong-recipient disclosures.
- Physical Security Controls: restrict areas where PHI is handled, secure printers and fax machines, lock rooms and cabinets, and control media storage and shipping with tamper-evident packaging.
- Technical safeguards and Encryption Standards: TLS 1.2+ for transmission, strong encryption (such as AES-256) for stored files, multi-factor authentication, unique user IDs, automatic logoff, and audit logging. Use data loss prevention tools and verify destination addresses before sending.
Document any patient-requested exceptions (e.g., unencrypted email to the patient) and keep proof that risks were explained and accepted.
Document Medical Records Transfer
Maintain a clear audit trail. Record the request date, requester identity and authority, legal basis (authorization or right of access), scope, format, transfer method, date and time sent, staff member handling the release, and confirmation of receipt. Retain tracking numbers for mailed items and delivery confirmations for electronic transfers.
Log disclosures when an accounting is required, especially for releases outside treatment, payment, and healthcare operations. Store authorizations, correspondence, and transmission receipts according to policy and retention schedules to support Documentation Compliance.
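The audit-trail fields above, the documented patient exception for an unencrypted channel, and the accounting-of-disclosures decision can be checked mechanically before a release is filed. The following is an added example, not code from this guide or from Accountable; field names, method labels and the two sample entries are constructed, and the accounting exclusions beyond the TPO rule stated above (disclosures to the patient under right of access, and disclosures under a signed authorization) are taken from the Privacy Rule's accounting provision.

```python
"""Release-of-information (ROI) log check (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Audit-trail fields the release record must carry before it is filed.
REQUIRED = ("request_date", "requester", "authority", "legal_basis", "scope",
            "file_format", "method", "sent_at", "staff_member")
# Legal bases that do not require an entry in the accounting of disclosures:
# treatment/payment/operations, release to the patient, and signed authorization.
ACCOUNTING_EXEMPT = {"treatment", "payment", "healthcare_operations",
                     "right_of_access", "authorization"}


@dataclass
class RoiLogEntry:
    request_date: str
    requester: str
    authority: str        # e.g. "patient", "healthcare_proxy", "provider"
    legal_basis: str      # "treatment", "right_of_access", "authorization", "subpoena", ...
    scope: str
    file_format: str
    method: str           # "sftp", "ehr_exchange", "email_encrypted", "email_plain", "mail", "fax"
    sent_at: str
    staff_member: str
    receipt_proof: Optional[str] = None   # tracking number or delivery confirmation
    risk_acknowledged: bool = False       # patient accepted risks of an unencrypted channel


def missing_items(entry: RoiLogEntry) -> list[str]:
    """Return the items still to be captured before the release can be filed."""
    gaps = [f for f in REQUIRED if not getattr(entry, f)]
    # Every transfer needs proof of receipt: a tracking number for mailed items,
    # a delivery confirmation for electronic transfers, confirmed receipt for fax.
    if not entry.receipt_proof:
        gaps.append("receipt_proof")
    # Plain email is permissible only as a documented request from the patient
    # who was advised of the risks and accepted them.
    if entry.method == "email_plain" and not (
            entry.authority == "patient" and entry.risk_acknowledged):
        gaps.append("documented_patient_exception")
    return gaps


def needs_accounting(entry: RoiLogEntry) -> bool:
    """True when the disclosure must appear in the accounting of disclosures."""
    return entry.legal_basis not in ACCOUNTING_EXEMPT


# Constructed sample entries: a provider-to-provider treatment transfer over SFTP,
# and a plain-email release to a third party with no documented patient exception.
SAMPLE_TREATMENT = RoiLogEntry("2024-03-01", "Example Clinic (constructed)", "provider",
                               "treatment", "designated record set", "PDF", "sftp",
                               "2024-03-02T10:15", "ROI clerk 7", receipt_proof="sftp-rcpt-4411")
SAMPLE_SUBPOENA = RoiLogEntry("2024-03-03", "Example Law Office (constructed)", "attorney",
                              "subpoena", "labs 2023", "PDF", "email_plain",
                              "2024-03-04T09:00", "ROI clerk 7")
```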
Respond to Records Requests
Process requests promptly. Under the right of access, respond within a reasonable period, typically no later than 30 days from receipt, with a single permissible extension of up to 30 additional days when necessary and communicated in writing. If state law is stricter, follow the shorter timeframe.
Provide records in the form and format requested if readily producible; otherwise, offer an accessible alternative. If you deny or limit access, cite the permissible basis, explain appeal or review rights when applicable, and provide any non-excluded portions without delay.
Keep patients informed about status and expected delivery dates, and escalate complex requests (e.g., large images or mixed media) early to meet deadlines.
Charge Reasonable Fees
Fees must be reasonable and cost-based. Allowable charges include labor for copying (creating and delivering the copy), supplies (paper, USB, CD), and postage. Do not charge fees for searching, retrieving, or maintaining records, and avoid per-page fees for electronic copies.
Publish a simple fee schedule, provide estimates up front, and obtain consent for any optional summaries or explanations that incur preparation fees. Offer convenient, secure payment options and never withhold records because of unrelated unpaid bills.
Bottom line: verify authority, limit disclosures to what’s needed, use secure methods with strong safeguards, keep thorough documentation, meet response timelines, and apply fair, cost-based fees. This approach aligns operational practice with the HIPAA Privacy Rule while protecting patients and your organization.
FAQs
What are the HIPAA requirements for transferring medical records?
You must have a valid legal basis (patient right of access, treatment-related disclosure, or a signed authorization), share only the minimum necessary for non-treatment purposes, secure the transfer with appropriate technical and administrative safeguards, and document the request and disclosure to demonstrate compliance.
How can healthcare providers verify recipient authorization?
Confirm identity with reliable credentials (photo ID, secure portal authentication) and verify legal authority for personal representatives (e.g., healthcare proxy or guardianship). For third parties, ensure the Patient Authorization Form explicitly names the recipient and scope, and verify contact details independently before sending.
What secure methods are approved for medical record transfer?
Use secure EHR exchange or FHIR APIs, patient portal delivery, encrypted email, secure file transfer (SFTP), or encrypted physical media. Fax may be used with precautions. Choose methods that enforce Encryption Standards, access controls, and audit logging.
How long do providers have to respond to medical record requests?
Providers should respond as soon as possible and generally no later than 30 days from receipt of the request. One 30-day extension is allowed when necessary, but you must inform the requester in writing and explain the reason and new timeline. If state law requires a faster response, follow the stricter deadline.