Healthcare providers are often confused by or misunderstand the rules governing the release of a patient's information at the patient's request. HIPAA allows certain disclosures without the patient's written authorization, including disclosures to other providers or third party payers for purposes of treatment, payment, or healthcare operations; to family members or others involved in the patient's care or payment if certain conditions are met; or for certain government or public safety concerns if regulatory requirements are satisfied. (45 CFR 164.502, 164.506, 164.510 and 164.512). Other disclosures generally require the patient's consent or written authorization. (45 CFR 164.502). The rules for such written releases of information ("ROI's") differ depending on who is requesting the records and to whom the disclosure will be made. Show 1. Disclosures to the Patient or Personal Representatives. Under HIPAA and subject to limited exceptions, a patient or the patient's personal representative1 generally has a right to obtain a copy of the patient's protected health information maintained in the patient's designated record set.2 (45 CFR 164.524(a)(1)). If the provider chooses, the provider may require such requests to be in writing so long as the provider informs the individual of the requirement. (45 CFR 164.524(b)(1)). The provider must produce the records in the form or format requested (e.g., paper or electronic format) if readily producible. (45 CFR 164.524(c)(2)). It is usually a good idea to require written requests to document the date, scope, and format of the request. Once received, the provider has 30 days to respond to the request. (45 CFR 164.524(b)(2)). Although the provider may respond immediately, it is usually a good idea to take some time to collect and review the requested records before responding, thereby ensuring that the records provided are accurate, complete, and do not contain inappropriate information. Providers may charge the patients or personal representatives a reasonable cost-based fee for the records. (45 CFR 164.524(c)(4); see article at https://www.hollandhart.com/charging-patients-for-copies-of-their-records-ocr-guidance). The patient's right to access information generally includes all information in their designated record set, including records created by or received from other providers. (OCR, Individuals' Right under HIPAA to Access their Health Information 45 CFR § 164.524, hereafter "OCR Guide" available here). HIPAA does not specify any requirements for a patient's written request to access information, but a good form would typically include: (i) the patient's identifying and contact information; (ii) a specific description of the records requested (including the date range and type of records requested); (iii) the format in which the records are requested; (iv) the date of the request; (v) the address to which the records should be sent, if applicable; (vi) notice of any charges for the record; (vii) the patient's or personal representative's signature; and (viii) in the case of the personal representative, a description of the personal representative's authority. The provider's form or method for requesting access must not create a barrier to or unreasonably delay the individual from gaining access. For example, the provider may allow but may not require an individual:
(OCR Guide). Covered entities are expected to be able to mail or e-mail the requested records to the patient, and may not require that the patient pick up the records in person. (Id.). For more information concerning disclosing records to the patient or the personal representative, see the OCR Guide. 2. Disclosures to Third Parties. The patient or personal representative may also request or authorize disclosures to third parties. In the wake of the HIPAA omnibus rule, the form of release differs depending on the nature of the request.
Next Steps. Providers should review their forms and processes for responding to patient requests to disclose information to ensure they comply with the HIPAA rules. If they have not done so, providers should review the OCR Guide, which addresses many nuances and arguably expands patient rights and provider responsibilities as set forth in the regulations. Finally, to the extent there is a more restrictive state or federal law, the provider should comply with the more restrictive law. For questions regarding this update, please contact: This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel. 1Under HIPAA, a "personal representative" is the person who has authority to make healthcare decisions for
the patient under applicable state law. (45 CFR 164.502(g)(2)-(3)). A personal representative generally has the right to access or authorize disclosures of information just like the patient. (45 CFR 164.502(g)(1)).
(45 CFR 164.501). What is an accounting of disclosures?HIPAA Disclosure Accounting or Accounting of Disclosures (AOD) is the action or process of keeping records of disclosures of PHI for purposes other than Treatment, Payment, or Healthcare Operations. You are required by law to provide patients a list of all the disclosures of their PHI that you have made outside of TPO.
What is included on a patient's accounting of disclosures?The Accounting for Disclosures Log and Response forms may provide the name of the protocol or other research activity, a description of the research protocol or activity (including the purpose of the research and the criteria for selecting particular records), a description of the type of PHI disclosed, the date or ...
What is the difference between use and disclosure of PHI?In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity, or the communication of PHI from a health care component to a non-health care component of a hybrid entity.
What is the function of release of information?What Is Release of Information? Release of information (ROI) is the process of providing access to protected health information (PHI) to an individual or entity authorized to receive or review it.
|