Long Distance Records
Accessing Medical Information in Foreign Countries
Many countries have limitations on how treating professionals may exchange health information. For example, Canadian
healthcare providers are governed by the Personal Information
Protection and Electronic Documents Act, which requires patient consent to release any personal information.
The European Union’s Privacy Directive, Directive 95/46/EC,
prohibits release of any medical information from a “
controller” (all healthcare entities that collect personal information
on patients are controllers) to any country without “adequate
safeguards”—the United States is such a country—unless an
“unambiguous” informed consent of the patient is obtained in
advance of the release of the information.
In April 2011 India adopted new privacy regulations known as
the Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules,
2011, which prohibit the transfer of “sensitive personal information” (including medical information) to any person or entity
whose privacy and security standards are not as stringent as the
Indian regulations, regardless of the specific informed consent
of the person whose information is to be transferred.
The impact of these and similar rules in other countries may
mean that direct provider-to-provider transfers of medical information for purposes of treatment may be unavailable. Consequently, domestic providers may be forced to rely on patient-provided records, the completeness and veracity of which may
certainly be questionable.
information in the designated record set will be subject to the
HIPAA privacy rule.
Transferring Medical Information to Foreign Providers
Once a foreign patient returns home, his or her local providers
may wish to coordinate follow-up care. In this circumstance, the
provisions of the HIPAA privacy rule (or more stringent provisions of applicable state laws) will govern the release of information.
There are no distinctions made in HIPAA regarding the nationality of the person whose protected health information is
being used or disclosed. Consequently, a domestic provider will
be free to make disclosures to foreign providers for treatment,
consistent with the provisions of HIPAA, without regard to the
strictures of the foreign providers’ own privacy laws—unless,
of course, the patient has specifically requested a restriction on
It would be a mistake to assume that foreign nationals receiving medical care from domestic providers do not enjoy the same
protections and privileges regarding the privacy of their health
information. Indeed, the creation of separate systems to handle
the records of such individuals would be inviting problems providers do not need and should not court.
However, it would also be a mistake to assume that the ease
with which domestic providers routinely obtain medical information from others would exist when requesting records from
The impact of rules governing patient consent and privacy in other
countries may mean that direct provider-to-provider transfers of
medical information for purposes of treatment may be unavailable.
Lack of access to complete records may also result in duplicative testing and delays in treatment while confirmatory diagnostics and evaluations are performed, a situation which in most
cases could have been avoided had the domestic provider felt
comfortable in relying on the existing patient record.
Incorporating Information from Foreign Records
Records received from a foreign provider are considered part
of the domestic provider’s designated record set, as defined in
the HIPAA privacy rule, if they are used to make decisions about
This does not mean, necessarily, that these records will be included in the domestic provider’s official record of patient care.
Some providers believe that only records created by or at the request of its employees and staff members should be included in
the official patient record; others believe that all records used in
developing a plan of care and in treating the patient, regardless
of source, should be included in the official patient record.
State law may require the inclusion of external records in cer-
tain circumstances. 3 Regardless, information in the designated
record set must be disclosed to the patient upon request, and all
Providers treating foreign nationals should establish pro-
cedures by which pertinent medical records are received far
enough in advance to evaluate them for patient care purposes,
and they should be sensitive to the fact that the patient may be
seeking care in the United States for reasons beyond the quality
of care, including that of seeking medical privacy. ¢
1. “Medical Tourism Seminar at the University of Texas,
USA.” Press release. January 4, 2012. www.prweb.com/re-
2. Pipes, Sally C. “Why Canadian Premier Seeks Health Care
in U.S.” San Francisco Chronicle, February 25, 2010. http://
3. AHIMA. “Fundamentals of the Legal Health Record and
Designated Record Set.” Available in the AHIMA Body of
Knowledge at www.ahima.org.
Barry Herrin ( email@example.com) is an attorney and partner in the Atlanta office of Smith Moore Leatherwood LLP.