Managing Unsolicited Health Information in the Electronic Health Record

This practice brief has been updated. See the latest version here. This version is made available for historical purposes only.

Patient engagement is developing as a key focus area in US healthcare, and patients are increasingly able—and willing—to report additional health information to their providers. Historically, healthcare providers have received unsolicited patient health information, including health data volunteered by the patient or other providers responsible for patient care. In its most simple form, unrequested information is data received by a healthcare provider who has taken no active steps to ask for or collect that information. In some instances, this information is provided in the absence of an existing patient-physician relationship. For example, consider a patient who has recently moved to a new location. Though the individual may have already picked a primary care physician for insurance purposes, if they are seen in an emergency room prior to established contact they may still wish to send the information from their visit to the primary provider.

Today, unsolicited health information may come from many sources, such as health information exchanges (HIEs), personal health records (PHRs), or patient-generated health information from mobile devices. This unsolicited data can arrive in a variety of formats from paper to electronic media. As a result, healthcare providers are receiving more unsolicited information than ever before, the influx of which necessitates new methods to handle and process the data in an effective manner.

Some specialty physicians believe they have an obligation to send the patient’s primary care providers copies of the documentation for all encounters and treatment notes. The assumption is that all healthcare providers who treat the patient later will benefit from these records of historical care, even if the treatment does not relate to the current medical condition. Likewise, the patient may believe the information collected through a mobile health application is valuable and want the information included in the health record.

In the past, unsolicited health information that corresponded to existing patients was often filed in the paper record under a generic “correspondence” tab. Likewise, information that was received but that did not correspond to an existing patient was often placed in a file that would then be periodically reviewed to determine if the patient had followed up to establish a relationship with the provider. After a time period predetermined by the provider’s retention policy, if the patient does not present for care then the health information is destroyed.

When unsolicited health information is received, providers will need to address the receipt of the information, workflow challenges, and liability issues to ensure the information is handled effectively. This practice brief addresses the primary challenges in receiving unsolicited health information, followed by key recommendations to help manage it.

Unsolicited Records’ Primary Challenges

The information contained in a patient’s health record is used for a multitude of purposes, such as:

  • Treatment
  • Quality of care outcomes
  • Research
  • Fiscal responsibility
  • Risk management
  • Legal compliance

With electronic health records (EHRs) and other technological advances, the healthcare industry is moving toward achieving the goal of recording the entire continuum of patient care for treatment of the patient. Receiving health records that were not requested, however, brings up several challenges that providers must address, such as how to use, store, and determine the value of unsolicited health information.

Receiving Unsolicited Information

Integrating unsolicited information with a provider’s health record poses potential challenges for easily locating the information at a later date. Without notifying the receiving healthcare provider in advance, patients may request that all of their health information—including information that may not be relevant to their current care—be forwarded to an additional provider also involved in the patient’s care.

Patients may choose to do this in an effort to help the provider understand their unique medical circumstances, without being aware that the provider is unlikely to review all of the additional information received. Some of the content, including reports and test results, may be exact duplicates of information already available to the provider. Pertinent information helpful to the provider may arrive mixed in with volumes of non-essential information. Review of the variety and volume of the unsolicited information can be both a time consuming and costly process for the provider.

Managing the Media

The technological advances in EHRs, HIEs, e-mail, and mobile devices combined with the patient’s awareness and involvement in their healthcare all contribute to the myriad of media types in which providers receive unsolicited health information. Patients may e-mail health information or transmit electronic monitoring and test results to hospitals, physicians, and other providers. Patients also may store their personal health records on flash drives, compact discs, mobile applications, or paper files and want their providers to review all of this information during an office visit. Information received from multiple senders may contain duplicate, conflicting, or contradictory information. All of these challenges could result in errors in the record.

Health records on electronic media present additional challenges in a practice where the EHR system is not configured to receive or read from external devices. The patient may prefer their records be copied from the electronic media and have the device returned—a process that requires additional work and time. When interfacing with external devices, there is also a chance that the electronic media provided by the patient has a virus or other harmful program that will affect the provider’s system.

Workflow Challenges

Historically documents were routed to a specified location or individual in the provider’s office when unsolicited information arrived via paper charts. It was the responsibility of this individual, such as a file clerk or medical assistant, to match the information with a scheduled patient, categorize the incoming documents, and direct them to the provider for review. Once the appropriate provider(s) reviewed and/or notated the document, it was filed in the correct location in the patient chart. For example, there may be separate tabs for laboratory reports, imaging reports, and other correspondence or miscellaneous items. In addition, paper charts typically required a sign-out sheet so that all staff would know the location of the health record. Some providers had quality reviews routinely performed to ensure that all documents were in the correct patient chart and filed in the appropriate location.

The EHR can now allow records to be filed prior to the patient visit. Processes must be established to ensure the health records are filed to the correct patient and that the provider is notified that new information is available.

Confirming Provider-Patient Relationship

Providers face a significant challenge when it comes to a full review and analysis of all the unsolicited information they are likely to receive, particularly when there is not a prior established relationship with the patient. Providers might receive health information from patients who have been referred for specialty care but have not yet confirmed an appointment with the medical specialist. Specialists receive volumes of unsolicited information from primary care providers that may be non-essential for the specialist to make a treatment determination.

Regardless of the source or method of transfer, the provider should first determine the status of the provider’s relationship with the patient and whether there is an existing record. Using the identifiers contained in the information received, the provider should attempt to match the information with an existing patient record. If the patient does have an established relationship and record with the provider, processing can proceed to the next step.

In some cases, however, the patient may not have a record. For example, the patient may be planning to move to the area and is forwarding information to an office in which they plan to establish care. Or the patient has selected a provider within their health plan, but has not yet presented to the provider for evaluation.

When health information is received for a patient with no prior relationship or record with the provider, the provider must first determine if there is a policy in place that permits the retention of such information. If the provider policy permits retention of unsolicited information received with no prior record of relationship with the patient, regular intervals should be established to review the information and determine if the patient has followed up on establishing care with the provider. If the individual does present, then the information that is used for patient care should be included in the record. If the patient has not established a care relationship with the provider within the retention time period allowed in the provider’s policy, the information should be destroyed or returned to the sender.

Determining Pertinent Information

Once the patient relationship is confirmed, the next step is to determine if the unsolicited records will be incorporated, in whole or in part, into the provider’s official record of care. The patient may have requested that their entire record be forwarded, but the receiving healthcare organization may not need all the information to treat the patient. Some of the data received will require a certain level of medical knowledge to determine the value to the provider and subsequent care for the patient. For example, laboratory results from different laboratories may have different normal ranges, which can impact trending and comparing laboratory results in an EHR.

Some documents have succinct summaries of relevant information that supports the longitudinal record and clinical decisions. For example, if the unsolicited records contain a discharge summary, that document might be retained. Conversely, months of inpatient progress notes might not hold the same long-term clinical value. As a rule of thumb, always include any record that is used to make a decision about the diagnosis or treatment of the patient. Information that is not used to treat the patient should be destroyed or returned to the source of the information.

Integrating Health Information

Once health information has been identified as relevant and the decision made to retain it, the information must be integrated into the EHR. Protocols should be established to determine what will be included in the health record. The provider’s workflow should incorporate the review and processing of unsolicited records, and the protocol should include the provider’s approach to all types of media in order to ensure consistency when processing all unsolicited health information. The protocol should also include guidance on whether the unsolicited information will be entered into the record in chronological order or as a specific encounter. It’s important to incorporate unsolicited information in a way that ensures a clear differentiation between information received from external sources and similar types of information obtained internally. It may be necessary to revise the systems in order to make sure information can be both effectively integrated and subsequently retrieved.

Developing an Information Release Policy

If all unsolicited information is entered into the EHR, applicable law might create the presumption that the provider reviewed and utilized all of the information. Some state laws, for instance, might dictate this expectation. Unsolicited health information that is included in the legal health record may be disclosed pursuant to a patient request or external legal process. Providers should have a statement in the policy that unsolicited information included in the patient’s legal health record may be sent to other providers as authorized by the patient or for continuing care as determined by the provider. These policies should be communicated to patients when they provide unsolicited information.

Legal Considerations

Providers who receive unsolicited health information continue to wrestle possible clinical concerns. Any documents or information filed, maintained, or scanned into a patient’s health record—including external source documents—are part of the legal health record (see “Fundamentals of the Legal Health Record and Designated Record Set,” available in the HIM Body of Knowledge). These health records are subject to all applicable state and federal regulations concerning privacy, security, use, maintenance, and disclosure. Legal implications and liability issues must be considered when making retention decisions about unsolicited health information.

Retention Policies

Providers must determine if and how unsolicited health information will be retained and stored based on their definition of the legal health record. Each provider must identify what records are in their legal health record. Some data that arrives electronically may not be compatible with the provider’s EHR and could create inclusion, storage, and retrieval issues. If unsolicited health information is incorporated into the EHR, the provider will be responsible for knowing what it contains and its relevance to patient care. If the information is stored, providers must be sure it is indexed to the correct patient. This can be confusing and difficult if unique patient identifiers do not accompany the unsolicited information or if the individual has not yet been registered as a patient.

It is important to keep in mind throughout this process that providers have no obligation to accept unsolicited health records from outside sources. This does not mean that unsolicited health information is not desired or pertinent to patient care, only that the provider is not required to accept or retain it.

Liability Issues

Legal ramifications may occur if inadequate review of received unsolicited health information leads to ill-informed medical decisions or missed diagnoses. Providers that accept unsolicited information without completing a review may be held responsible for knowing the information is housed in their legal health record. In addition, there may not be legal precedents within that state to assist providers in establishing their policies and procedures regarding unsolicited health information. When developing a legal health record policy, providers should consult with healthcare regulatory counsel to address these liability concerns.

For example, the Texas Medical Association has adopted a practice guideline for providers to follow when individuals do not have an existing patient-provider relationship. The guideline states, “A physician might receive unsolicited medical test results on behalf of persons with whom they have not established a patient-physician relationship, who have [been] given the physician’s name in order to receive the medical screening test. In this event, physicians may return the results to the medical screening agency. In no event does receiving unsolicited medical screening test results alone establish a patient-physician relationship.”1 In accordance with this policy, the provider may be protected from liability if the unsolicited health information is returned to the agency that sent the result.

Recommendations and Best Practices

Identifying the challenges presented by unsolicited health information is easier than determining what actions should be taken with the information. Recommendations for managing unsolicited information include:

  • Develop policies with providers to determine:
    1. Which unsolicited information will be retained routinely based on protocol (threshold for volume, type of report, specialty, and other established variables) and forwarded to the provider for review
    2. The process for routing unsolicited information that falls outside of the protocol
    3. The disposition of information that will not be retained based on clinical decisions

  • Develop policies for the administrative aspects of receiving and processing unsolicited information
    1. Establish a definition of the legal health record
    2. Determine how to manage e-mails/articles concerning health issues received from patients
    3. Define guidelines for use of patients’ personal health records
    4. Determine how health information maintained in various media formats will be managed

  • Review information received to:
    1. Determine if a patient-provider relationship exists
    2. Verify if it is required for treatment or if it is redundant, outdated, or non-essential
  • Determine how unsolicited information received for a patient not associated with the provider will be processed
    1. Determine how the unsolicited information will be stored until a patient is identified or the information is destroyed
    2. Establish a method to monitor if the individual has made an appointment within a defined period of time (i.e., within 60 days from the receipt of the unsolicited information)
    3. Define time frames to destroy information that is not matched with an existing or scheduled patient

  • Create provider-defined protocols for processing unsolicited health information
    1. Develop protocols by specialty, clinical area, or document type for health information that may be accepted into the EHR and routed to the provider for review
    2. Determine who will ensure pertinent external health information is routed to and reviewed by the provider when the EHR does not provide the ability to incorporate the information prior to the first appointment
    3. Determine which healthcare provider will receive the health information that is outside of the established protocol and requires professional interpretation to determine what to retain
    4. Define timeframes for a provider to review the unsolicited information

  • Develop standardized indexing protocols for filing information in the EHR to allow ease of retrieval
  • Utilize a non-networked computer for viewing or printing, or enable software to assist in preventing harmful information from being uploaded since external electronic media may have viruses or have other harmful effects on the computer or system
  • Provide education to all providers and staff on the steps that should be taken when they receive unsolicited health records, since health information can come into a practice in multiple places

As electronic technology progresses, some of the challenges with unsolicited health information will be addressed through technological advances. As providers gain more experience with managing unsolicited health information in an electronic environment, best practices will surface that will be helpful to providers.


  1. Texas Medical Association. “Unsolicited Medical Screening Test Results.” Board of Councilors Current Opinions. Modified February 2005.


AHIMA. “Fundamentals of the Legal Health Record and Designated Record Set.” Journal of AHIMA 82, no.2 (February 2011): expanded online version.

Herrin, Barry. “Unsolicited Medical Information: Use It Or Lose It?” LegalHIMformation, May/June 2008.

Prepared by

Anita Archer
Barbara Bolser, JD, MS, RHIA
Mary Johnson, RHIT, CCS-P
Jennifer Miller, MHIS, RHIA
Cindy C. Parman, CPC, CPC-H, RCC
Diana Warner, MS, RHIA, CHPS, FAHIMA


Cecilia Backman, MBA, RHIA, CPHQ
Kathy Downing, MA, RHIA, CHPS, PMP
Barry S. Herrin, FACHE, Esq.
Jennifer Horner, MSHI, RHIA
Lesley Kadlec, MA, RHIA
Elisa Kogan, MS, MHA, CDIP, CCS-P
Deborah Kohn, MPH, RHIA, CPHIMS
Beth Liette, MS, RHIA
Diana Reed, RHIT, CCS-P
Jill Roberson, MBA, RHIA, CHPS, CCS
Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA
Sharon Slivochka, RHIA

The information contained in this practice brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research.

Article citation:
AHIMA. "Managing Unsolicited Health Information in the Electronic Health Record" Journal of AHIMA 84, no.10 (October 2013): 70-73.