Despite the above two recognized areas of law that purported to shield medical information about a person from unauthorized release or disclosure, there continued to be substantial “gray areas” susceptible to varying interpretations and applications. For example, do “medical records” include dental records, pre-employment physical examination records, self-generated records (documents created or completed by the patients themselves, such as healthcare questionnaires), birth and death certificates? And what about records generated by quasi-medical personnel, e.g., physical therapists or mental health counselors? Further, there appeared to be a developing area of case law that permitted, in fact demanded, the unauthorized release of medical information (i.e., against the patient’s wishes and/or without the patient’s knowledge) if, without the release, there was a substantial risk of harm to a third person (e.g. by violence of the patient or by communicable or sexually transmitted disease).

To address these concerns, all fifty states have enacted laws that govern the release of medical re-cords. They encompass the recognition of any legal privilege (privileged communications between the health care provider and the patient), any prerequisites to the release of records (almost all require patient consent), and the circumstances under which records or information may be released in the absence of consent.