Attestation No Longer Required for Many Record Requests: What You Need to Know

Updated July 1, 2025- New Attestation Updates

The world of medical record requests has always been complex, but recent changes have added a new layer of complication: the requirement for attestations in many cases, which have recently been repealed per the U.S. Department of Health and Human Services. This shift comes in response to ongoing political and legal battles surrounding reproductive healthcare rights in the United States.

Background: The Reproductive Healthcare Debate

For decades, abortion was federally protected in the United States, but the Supreme Court’s decision to overturn Roe v. Wade shifted the power to regulate reproductive healthcare back to individual states. As a result, laws now vary widely across the country, with some states protecting access to reproductive services and others criminalizing them.

Amidst this evolving landscape, the Biden administration implemented protections aimed at safeguarding individuals seeking reproductive healthcare. Specifically, these protections prevent the release of medical records if the intent is to investigate or punish individuals who have sought or provided reproductive healthcare services in states where such services are restricted or illegal.

Why Are Attestations Now Required?

Release of Information (ROI) offices are now tasked with ensuring that medical records are not being released for purposes of investigation or punishment. To address this, an attestation—a formal statement verifying the intent behind a records request—is increasingly being required.

While the law suggests that patient-signed authorizations should be sufficient, many ROI offices are erring on the side of caution and requiring attestations for all requests, regardless of whether a patient authorization is included.

Inconsistent Policies Across Providers

The interpretation and implementation of these requirements have not been uniform across ROI vendors. Here’s where things currently stand with key industry players:

• Sharecare & Healthmark: Do not require attestations for patient-signed authorization requests.
• Datavant (CIOX) – will NOT require an attestation with a patient-signed authorization going forward. Several steps have been taken internally to ensure this practice has been implemented uniformly across their many onsite ROI operation centers.
• MRO– Will continue to require the attestation with all requests at this time.

These policies are still evolving, and our ongoing discussions with vendors are expected to provide more clarity in the coming weeks.

What This Means for You

For now, here are the key takeaways for handling record requests:

• Expect to see rejections citing a missing attestation
• NRR can keep a signed attestation on file for your firm that can be utilized in all record requests going forward.  This can save your staff valuable time in completing attestations for each request.

Staying Adaptable in a Changing Landscape

This is an ongoing situation, and updates are expected as vendors, legal teams, and government agencies continue to clarify the rules. For now, flexibility and attention to detail will be key.

Please bookmark this post, and we will keep you informed as changes unfold. Thank you for your continued diligence in navigating this challenging regulatory environment.

There have been legal challenges that may affect the viability of this new rule remaining as currently written long term. This HIPAA Journal article, “States Challenge HIPAA Privacy Rule Update Strengthening Reproductive Health Information Privacy,” provides additional details on the topic. Details regarding the repeal can be found from the U.S. Department of Health and Human Services, “HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet”. 

As always, please reach out to the National Record Retrieval Team with any questions or assistance needed.