The Two Classes of Medical Records
Not every record should be released the same way. A practical framework for deciding what a patient may readily access — and what stays protected until a court calls for it.
Every hospital records officer has faced this moment: a patient — or a patient's lawyer — asks for "the complete medical records," and everyone freezes. Release everything, and you may be handing over material that will be used against the hospital in a case that hasn't been filed yet. Refuse, and you may be violating the patient's right to their own health information. Both instincts feel right. Both can be wrong.
The confusion comes from treating "medical records" as one undifferentiated thing. They are not. For legal purposes, the records a hospital holds fall into two very different classes, and the right response depends entirely on which one is being asked for.
The legal starting point
Philippine law gives patients a clear right to access their health information. The Data Privacy Act of 2012 grants every data subject the right to reasonable access to their personal data, and Department of Health issuances treat the patient as the owner of the information contained in the medical record — even as the hospital owns the physical record itself. So the question is never whether a patient can access their information. It is what, exactly, they are entitled to receive, and in what form.
This is where the distinction between the two classes becomes essential.
Class A — readily accessible, synthesized records
The first class is the information that summarizes and communicates the patient's care: the clinical abstract, the discharge summary, laboratory and imaging results, the operative record, and similar synthesized documents. These exist precisely to be shared — with the patient, with other physicians, with insurers. A patient asking for these is asking for something they are plainly entitled to, and a hospital should have a smooth, routine process to provide them.
When a request comes in for Class A records, the answer is essentially yes — verify the requester's identity and authority, log the request, and release.
Class B — protected, clinical and litigation-sensitive records
The second class is different in kind. It includes the raw, granular, internal material: individual progress notes, nurses' notes, internal incident reports, quality-assurance reviews, and the working annotations of the care team. This material is sensitive not because it is being hidden, but because it was never meant to be a public-facing account. Incident reports and QA reviews in particular may be protected, and releasing them reflexively can waive protections and hand a future opponent a roadmap.
When a request reaches into Class B, the answer is not no — it is not yet, and not without the right basis. These records are appropriately released through legal process: a court order, a subpoena, or the documented, specific authorization that the situation calls for.
Operationalizing it: a release protocol
A hospital does not want its records officer making this legal judgment on the spot. The solution is a written release protocol that builds the two classes into the workflow:
Classify every record type in advance as Class A or Class B, so front-line staff are not improvising.
For Class A requests, verify identity and authority, then release through a standard, logged process.
For Class B requests, route them to counsel or a designated officer, and require the appropriate legal basis before anything is released.
Document every request and every release — who asked, what was given, on what basis.
The payoff
Sorting records into two classes protects the patient's right of access and the hospital's legal position at the same time. It lets staff say yes quickly to the things patients are entitled to, and say "through the proper channel" to the things that need one — without panic, and without improvising legal judgments at the records counter.
This article is general information, not legal advice. For a specific situation, consult counsel.