
Va. Code Ann. § 32.1-127.1:03 - Health records privacy


The state of Virginia recognizes an individual's right to the privacy of the content of his or her health care records. Health care records are the property of the health care entity that maintains them, and no entity may disclose an individual's health records except when permitted or required by law. Records may not be removed from the facility premises without the approval of the health care entity, except as required by court order or subpoena or in accordance with regulations relating to change in ownership of health records. No one may redisclose health care records without the specific authorization of the individual, except as permitted or required by law. 

If a patient, or a minor patient's parent or guardian, submits a written request for disclosure of the patient's health care records, or if a patient provides verbal authorization to discuss the records with a designated third party in an emergency situation, a health care entity must disclose the records in accordance with the authorization. Health care entities must disclose a patient's health records to the patient, and as otherwise required or authorized by law.

Health care records must be made available electronically only as authorized by the HITECH Act and HIPAA. A health care entity does not need to provide records in a requested electronic format if:

  • Such format is not reasonably available without additional cost to the entity;
  • The records would be subject to modification in the format requested; or
  • The entity determines that the integrity of the records could be compromised in the format requested.

Requests for access to health records in an electronic format must be made in writing, dated, and signed by the requestor, identify the nature of the information requested, include evidence of the requestor's authority to receive access, identify the person to whom information is to be disclosed, and specify the preferred format. Within 15 days of receiving a request for access, the entity must take one of the following actions:

  • Furnish the copies of or allow access to the requested records in electronic format, if requested;
  • If the information does not exist or cannot be found, inform the requestor;
  • If the entity does not maintain a record of the information, inform the requestor and provide the name and address of the entity that does maintain the record, if known; or
  • Deny the request. 

Access to an individual's records must be denied if the individual's treating physician (or treating clinical psychologist) includes a written statement in the patient's record that, in the exercise of his or her professional judgment, access by the individual would be reasonably likely to endanger the life or physical safety of any person, or that access would be reasonably likely to cause substantial harm to a person (other than a provider) who is referenced in the record. Upon denying access, the entity must inform the patient of his or her right to designate, or to request that the health care entity designate, another reviewing physician (or clinical psychologist) to determine whether to make the record available to the patient. The entity must comply with the judgment of the reviewing provider, and must permit copying and examination of the record by the reviewing provider. Any record copied for review must include a statement detailing the treating physician's reason for the initial access denial.

An entity may impose a reasonable cost-based fee for a patient's access to records, which may include only the cost of supplies for and labor of copying the requested information, postage (if the patient requests that the information be mailed), and preparation of an explanation or summary (if the patient agrees to receive such explanation or summary instead of the actual record). 


Current as of June 2015