[ Wednesday, January 27, 2021 ]
Here are a couple of questions regarding a recent seminar I conducted for Lorman Education Services:
Q: The patient passes away, what
do we need from family/life insurance policies in order to release records?
A: The answer depends on the
specifics of state law, but the person who is "authorized to act on behalf
of a deceased individual or the individual's estate" becomes the
"personal representative," and has all rights the deceased person
would have had if they were still alive. This is usually the executor or
administrator of the estate, or the holder of letters testamentary. If a
family member provides court papers that indicate he/she has been appointed
executor, then the covered entity should treat that person as if he/she were
the patient.
Additionally, the Omnibus Rule
added an additional permissive disclosure option. "If the individual
is deceased, a covered entity may disclose to a family member, or [other
relatives, close personal friends, or anyone previously designated by the
patient] who were involved in the individual's care or payment for health care
prior to the individual's death, protected health information of the individual
that is relevant to such person's involvement, unless doing so is inconsistent
with any prior expressed preference of the individual that is known to the
covered entity." Thus, if the practice provided a friend or family
member with access to the patient's information before death, then unless the
patient indicated otherwise, the provider can continue giving that
friend/family member access to the patient's records, as long as it is consistent
with the third party's involvement in the patient's care and/or payment for
that care.
Q: I am having a hard time
understanding the difference between Access and Release of Information. I am
from Minnesota where we have to get authorization for mostly every type of
release of information. Is there an easy way to know the difference?
A: This is a good question, and
one that might change slightly if the HIPAA rule revisions proposed by the
Trump administration (which were probably being announced by HHS while I was
giving this presentation) are adopted by the Biden administration (they are
currently on hold by the new administration). It depends on whether the
disclosure is a release pursuant to the patient's right to access, or a release
pursuant to an authorization. To release information pursuant to an
authorization, the provider must ensure that the authorization contains
specific information, including the patient's signature; to release information
pursuant to the patient's right to access, all the provider needs is the
patient's request.
The patient has a right to
access his/her own records, and that right is fairly absolute. There has
always been a question of whether a patient's right to access can be exercised
by the patient by ordering the provider to give the records to a third
party. HHS' position has evolved into one where the patient has a nearly
absolute right, as an extension of their right to access, to require covered
entities to give the records to a third party, and to only charge the
patient/third party the limited costs of producing the records. A medical
record document management company sued HHS, saying this was overly broad (the
company, Ciox, mainly assisted law firms in obtaining medical records in
malpractice litigation cases, and was not able to recover its costs under the
HHS rule), and the court agreed that HHS' interpretation was not valid.
If the release is treated as a release pursuant to an authorization, Ciox can
charge more than if it is an exercise of the patient's right to access.
Another factor to add to the mix
is that HHS and ONC (the Office of the National Coordinator for Health
Information Technology) recently published rules to limit "data
blocking," and require EMR systems to allow patients quick and easy access
to their electronic medical records. These prohibit health care providers
from blocking patients' access to their records. Adding hurdles to a
patient's exercise of their right to access could be considered data blocking.
In the past, as a general rule,
most HIPAA lawyers would recommend that a provider go ahead and get the patient
to sign an authorization form (with all the HIPAA requirements, so there would
be no question about whether the PHI could be released. However, under
OCR's guidance, to the extent that is considered hindering the patient's right
to access his/her own PHI, it could be a HIPAA violation. Until the
revised regulations re adopted in final form, I think this is usually still
good advice (as the Ciox case makes clear, HHS' issuing of "guidance"
does not have the same weight as actual regulations). However, providers
should also consider whether demanding a burdensome authorization form could be
considered sufficiently onerous to count as data blocking.
Ultimately, the best way to view
the difference between releases pursuant to an access requests and releases
pursuant to an authorization is to determine whether the request is coming from
the patient or from someone else. If the patient calls the practice and
asks the practice to send the information to the patient's attorney, it's
probably an "access" disclosure, but if the patient's attorney sends
a letter asking the practice to disclose the patient's information to him/her,
you probably should get an authorization form completed.
Additionally, the practice
should try to avoid making the authorization or (especially) the process for
requesting access any more onerous or complicated than absolutely
necessary. For example, the authorization must say which records are to
be released, and to whom; but in each case, there should be an option for
"all" records or "any" third party recipient.
Jeff [12:54 PM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template