Purpose:
To provide clear procedures for both releasing patient information from Tulsa Family Psychiatry & Wellness (TFPW) and requesting information from other healthcare entities, while ensuring compliance with HIPAA, Oklahoma state privacy law, and 42 CFR Part 2 (Substance Use Disorder confidentiality).
Legal Framework
- HIPAA (45 CFR 164.506): Allows disclosure for treatment, payment, and healthcare operations without authorization.
- Oklahoma Statute 43A-1-109: Permits limited sharing of mental-health information between providers for treatment purposes.
- 42 CFR Part 2: Adds stricter confidentiality for SUD-related information—requires explicit patient consent before release or request.
Releasing Records From TFPW
Step 1 – Receive & Verify
- ROI requests may arrive via fax, mail, or the Charm questionnaire (TF) – ROI – Authorization for Release of Information.
-
Verify patient identity and confirm a valid, signed authorization.
- If records include SUD information, confirm Part 2-compliant consent is on file.
Step 2 – Review & Prepare
- Ensure request form is complete and scope is defined.
- Retrieve only the requested documents.
- Redact unrelated or third-party data; confirm accuracy.
Step 3 – Protect Privacy
- Encrypt all electronic transmissions or send through secure portal.
- Never email unencrypted PHI.
-
For paper records, use sealed envelopes labeled “Confidential Medical Records.”
Step 4 – Deliver & Document
-
Record details in the patient chart under quick notes and on the release document internal comments field.
-
Date released • Recipient • Records provided • Staff initials
-
-
Confirm receipt whenever possible.
Step 5 – Billing (if applicable)
-
Apply copy fees per Oklahoma statute; issue receipt for payment.
Requesting Records From Other Providers
Step 1 – Patient Authorization
- Obtain a signed Authorization for Release of Information permitting TFPW to receive records.
- For SUD-related records, authorization must explicitly reference 42 CFR Part 2.
Step 2 – Submit Request
-
Send through secure fax, encrypted email, or provider portal.
-
Request only the minimum necessary information.
Step 3 – Process Inbound Records
-
Save to patient chart under Documents > Outside Records
- Name it: Give the document a meaningful name – PROVIDER/Facility + Date (MM/DD/YY)
-
Add SUD to the file name of records containing substance use treatment history
-
-
Notify provider when upload is by assigning the records to them for review.
-
Note when the next scheduled visit is in the internal comments field so they can reference when they should review it.
- If they are urgently waiting, it is best practice to send them a Charm message as well to notify them of the records.
-
Step 4 – Record Tracking
-
Log inbound request date, source, and receipt date in quick notes, and internal comments field on the request document.
Record Type Summary
| Record Type | Governing Law | Patient Consent Needed | Handling Notes |
|---|---|---|---|
| General medical | HIPAA | Standard ROI | Encrypt & log |
| Mental health | HIPAA + OK §43A | ROI | Review for sensitive notes |
| Substance Use Disorder | HIPAA + 42 CFR Part 2 | Part 2 Consent Required | Restricted access; Privacy Officer review |
Key References
-
HIPAA Privacy Rule (45 CFR Parts 160 & 164)