May a covered entity use or disclose a patient’s entire medical record based on the patient’s signed authorization?

Answer:

Yes, as long as the Authorization describes, among other things, the information to be used or disclosed by the covered entity in a "specific and meaningful fashion," and is otherwise valid under the Privacy Rule. See 45 CFR 164.508(b)(1) and 164.508(c)(1)(i).

An Authorization would be valid if it authorized the covered entity to use or disclose an "entire medical record" or "complete patient file." On the other hand, without further definition, an Authorization to use or disclose "all protected health information" might not be sufficiently specific, since protected health information encompasses a wider range of information than that which is typically understood to be included in the medical record, and individuals are less likely to understand the breadth of information that may be defined as "protected health information."

Created 9/4/03