Step 4: Getting the information to the requestor
If you are not doing so already, consider implementing and maintaining a sign-out sheet specifically for the purpose of tracking the following information related to a request for records:
- the date on which the records were picked up
- the printed name and the signature of the patient or the patient’s designee picking up the records
If the patient is unable to pick up the records in person, arrangements should be made in advance, permitting the patient’s designee to obtain the records in the patient’s absence.
The patient representative or designee should present written proof that s/he is acting at the behest of the patient (a note signed by the patient). This document should include the following:
- identify by name the patient’s designee
- require photo ID as proof of the individual’s identity, if not your patient
- make a photocopy of this ID and maintain in the medical record attached to the patient’s request for records
If not being picked up in person by the patient or the patient’s designee (such as in the case of an attorney request or court order), the information in the record may be delivered via certified mail with a return receipt requested (which is to be maintained in the patient’s medical record).
Exercise caution when faxing. Faxing sensitive, behavioral health-related information presents another potential risk exposure (such as a breach of confidentiality, violation of privacy or violation of HIPAA regulations). Special care must be exercised if an urgent situation mandates the use of facsimile technology in order to transmit patient information.
- Prepare a cover page which explicitly states the confidential nature of the fax and details the steps to be followed in the event the fax ends up in the hands of a recipient other than the one intended by you.
- Prior to transmission, call the receiver to verify the receiving fax machine is operative and to alert the party that you are ready to transmit.
- Once the transmission is complete, save a printed copy of the transmission receipt and also call the intended recipient to verify receipt of the information you faxed. Make a note of this call on the transmission receipt page and keep with the patient’s record.
And finally, do not attach patient information to an email or send patient information in an email. The chances are too great that patient confidentiality and privacy may be compromised or violated if your computer or your recipient’s computer does not have the appropriate firewalls in place to guard against and thwart malicious attempts by hackers to gain access to the information in your possession.
To summarize
Most record requests can be handled routinely as prescribed by state and federal regulation. A request should be submitted in writing by the patient or the patient’s representative and include a fully executed, HIPAA-compliant Request for Records form bearing the patient’s signature.
In most instances, a summary of treatment is acceptable in lieu of a photocopied complete record.
In those instances where a request is out-of-the-ordinary (such as a court demand or a request from a government agency), and you have questions about how to respond, contact the Princeton Insurance Healthcare Risk Services Department at 1-866-Rx4-RISK. We’ll be happy to assist you.
*You must be a registered user at PrincetonInsurance.com to access the insured secure site, where the Physician Office Practice Toolkit and other valuable resources can be located. If you need help registering, call our Help Desk at 1-800-334-0588.