HIPAA Blog

[ Wednesday, January 27, 2021 ]

 

Here are a couple of questions regarding a recent seminar I conducted for Lorman Education Services: 

 

Q: The patient passes away, what do we need from family/life insurance policies in order to release records?

A: The answer depends on the specifics of state law, but the person who is "authorized to act on behalf of a deceased individual or the individual's estate" becomes the "personal representative," and has all rights the deceased person would have had if they were still alive.  This is usually the executor or administrator of the estate, or the holder of letters testamentary.  If a family member provides court papers that indicate he/she has been appointed executor, then the covered entity should treat that person as if he/she were the patient.

 Additionally, the Omnibus Rule added an additional permissive disclosure option.  "If the individual is deceased, a covered entity may disclose to a family member, or [other relatives, close personal friends, or anyone previously designated by the patient] who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity."  Thus, if the practice provided a friend or family member with access to the patient's information before death, then unless the patient indicated otherwise, the provider can continue giving that friend/family member access to the patient's records, as long as it is consistent with the third party's involvement in the patient's care and/or payment for that care.

 Q: I am having a hard time understanding the difference between Access and Release of Information. I am from Minnesota where we have to get authorization for mostly every type of release of information. Is there an easy way to know the difference?

 A: This is a good question, and one that might change slightly if the HIPAA rule revisions proposed by the Trump administration (which were probably being announced by HHS while I was giving this presentation) are adopted by the Biden administration (they are currently on hold by the new administration).  It depends on whether the disclosure is a release pursuant to the patient's right to access, or a release pursuant to an authorization.  To release information pursuant to an authorization, the provider must ensure that the authorization contains specific information, including the patient's signature; to release information pursuant to the patient's right to access, all the provider needs is the patient's request.

 The patient has a right to access his/her own records, and that right is fairly absolute.  There has always been a question of whether a patient's right to access can be exercised by the patient by ordering the provider to give the records to a third party.  HHS' position has evolved into one where the patient has a nearly absolute right, as an extension of their right to access, to require covered entities to give the records to a third party, and to only charge the patient/third party the limited costs of producing the records.  A medical record document management company sued HHS, saying this was overly broad (the company, Ciox, mainly assisted law firms in obtaining medical records in malpractice litigation cases, and was not able to recover its costs under the HHS rule), and the court agreed that HHS' interpretation was not valid.  If the release is treated as a release pursuant to an authorization, Ciox can charge more than if it is an exercise of the patient's right to access.

 Another factor to add to the mix is that HHS and ONC (the Office of the National Coordinator for Health Information Technology) recently published rules to limit "data blocking," and require EMR systems to allow patients quick and easy access to their electronic medical records.  These prohibit health care providers from blocking patients' access to their records.  Adding hurdles to a patient's exercise of their right to access could be considered data blocking.

 In the past, as a general rule, most HIPAA lawyers would recommend that a provider go ahead and get the patient to sign an authorization form (with all the HIPAA requirements, so there would be no question about whether the PHI could be released.  However, under OCR's guidance, to the extent that is considered hindering the patient's right to access his/her own PHI, it could be a HIPAA violation.  Until the revised regulations re adopted in final form, I think this is usually still good advice (as the Ciox case makes clear, HHS' issuing of "guidance" does not have the same weight as actual regulations).  However, providers should also consider whether demanding a burdensome authorization form could be considered sufficiently onerous to count as data blocking.

 Ultimately, the best way to view the difference between releases pursuant to an access requests and releases pursuant to an authorization is to determine whether the request is coming from the patient or from someone else.  If the patient calls the practice and asks the practice to send the information to the patient's attorney, it's probably an "access" disclosure, but if the patient's attorney sends a letter asking the practice to disclose the patient's information to him/her, you probably should get an authorization form completed.

 Additionally, the practice should try to avoid making the authorization or (especially) the process for requesting access any more onerous or complicated than absolutely necessary.  For example, the authorization must say which records are to be released, and to whom; but in each case, there should be an option for "all" records or "any" third party recipient. 


Jeff [12:54 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template