How records leave Eureka. All five ways.
Your patients' records leave Eureka in exactly five ways: their own access request, their written directive, a verified third-party authorization, a treating clinician at the doctor's direction, or a court. There is no sixth way. Eureka is on no health information network, exposes no API for outside apps, and never sells data. Every release is logged and visible to the practice.
1. The patient requests their own records
Under 45 CFR 164.524, patients have a right of access to their records. This is the one disclosure we must make, and the one we will never slow down. We comply within 30 days (in practice much faster), we charge nothing, and we never obstruct or discourage a patient's own access for any reason. Data minimization ends where the patient's own rights begin.
2. The patient directs us to send records to a third party
A patient can instruct us in writing to send their records to anyone they designate. For electronic records in an EHR, the law makes this mandatory, and we fulfill it within the same 30-day clock. We verify that the directive genuinely comes from the patient, and where paperwork is ambiguous about who initiated it, we clarify with the patient directly, as HHS guidance explicitly permits.
3. A third party presents a signed authorization
This is the typical life or disability insurance packet: an authorization the patient signed at application time, submitted by the insurer or its vendor. Under 45 CFR 164.508 this disclosure is permissive, not mandatory, with no deadline, and full verification is allowed. Our uniform procedure: verify the requester's identity and authority, check the authorization for validity and revocation, confirm directly with the patient that they signed it and still want the release, and only then fulfill by mail or fax. There is no instant or automated pathway. A human processes every release.
4. Another treating clinician requests records
HIPAA permits disclosures to another provider for treatment. On Eureka, these releases happen at the treating doctor's direction: the practice reviews the request and decides. We do not auto-respond to treatment queries from outside systems, because we are not connected to any system that could send one.
5. Legal compulsion
We comply with valid court orders and other legal process to the extent the law actually requires, and no further. We review each instrument for validity and scope, release only what is compelled, and, where the law permits, notify the practice and the patient before releasing.
What we never do
- No health information network participation: not Carequality, not CommonWell, not TEFCA. No outside system can query a Eureka chart.
- No third-party app API. Patient access rights are served by us sending records directly to the patient.
- No bulk interfaces, data feeds, or aggregator contracts, to anyone.
- No data sales, ever. Records are never sold, never used to train AI models, never shared with advertisers.
Sensitive records
Many Eureka practices treat conditions where a records leak has real consequences: psychiatry, addiction medicine. Where 42 CFR Part 2 applies to a practice, we follow it. Where it does not strictly apply, we adopt Part 2-style handling as voluntary policy anyway: releases of substance-use and mental-health records require specific, informed patient consent, and outbound releases carry a redisclosure notice.
Logging
Every release, in every category above, is logged: what was released, to whom, under what instrument, on what date, and who processed it. The log is visible to the practice at all times, and patients may request an accounting of disclosures as HIPAA provides.
Caveats
State medical-records statutes may impose specific timelines, fees, or stricter confidentiality rules; where state law is stricter, state law controls and we follow it. This policy is subject to review by counsel and will evolve with the law. It describes our operating policy and is not legal advice.
Questions: support@eurekahealth.com. For the promises governing all patient data on the platform, see our data promises.