Reference no: EM131044085

Release of Information Overview

This should serve as a resource for those individuals responsible for manageing or performing the process of release of information. Health care providers have a duty to maintain patient privacy and to release information when appropriate. Patient health information should be considered confidential, and should be released only in accordance with a health care information disclosure policy. The policy must define when a patient's authorization is required and should comply with state and federal statutes, the Health Insurance Portability and Accountability Act (HIPAA), Patient Bill of Rights, court rulings, administrative rules, and accrediting and regulatory agency requirements.

The HIM professional is considered the key individual in developing, implementing and maintaining privacy policies and procedures due to their specific training in handling these particular situations. An HIM professional's education and experience includes confidentiality, legal issues, and critical thinking in a variety of situations.
Patient information must be protected from unauthorized, inappropriate, or unnecessary access. Federal regulations under HIPAA established national requirements for confidentiality.

Considerations for Disclosure

The principal considerations for determining when information may be disclosed are:
• Whether a patient authorization is required
• The nature of the information requested
• Whether it is confidential or non-confidential
• The purpose of the request
• The authority of the person or agency requesting the information
• Whether any revocations or notices to withhold information are on file

State Law

This state has a statute that identifies provisions for access to health care records. The basic provisions of the law are:
A. The patient has a right to access health care information that pertains to the patient's examination or treatment of a medical, psychiatric or mental condition.

B. Upon written request from the patient, a health care provider has an obligation to supply the patient with health care information.

C. A signed and dated patient authorization is required for release of health care information except under the following circumstances:

a. Disclosure is authorized by law
b. Disclosure of immunization date
c. Medical emergency
D. Health care information may be release without patient authorization for medical or scientific research unless the patient has specifically objected to disclosure for research purposes. The health care provider must make a "reasonable effort to determine" that the researcher or organization will protect the rocor from unauthorized disclosure or misuse.
E. Health care information may not be re-released without a signed and dated authorization from the patient or patient's legally authorized representative, unless the release is specifically authorized by law.
F. An authorization is valid for one year or for a lesser period if specified in the authorization. The authorization does not expire after one year for:

a. Other health care providers
b. Health insurance plans
c. Life insurance
G. With patient's authorization, the provider may furnish a summary of the record, or copies of pertinent portions of the record, in lieu of the entire record.
H. The provider may charge a reasonable fee for the copies.
I. Information may be withheld if a provider determines that information in the record is detrimental to the physical or mental health of the patient, or is likely to cause the patient to inflict self-harm or to harm another.
a. In a licensed health care facility, this determination to withhold information must be made by the health care provider before a request is received, otherwise the request must be honored.
b. If the patient is a subject of a competency hearing, full access must be allowed.
J. A person who released health records in violation of this statute, or who alters the authorization from of another person without the person't consent, is liable to the patient for damages.
K. A provider who inappropriately charges ofr health care information may be subject to disciplinary action by the Board of Medical Practice for Physicians, or the State Health Department for other providers.
L. A health care provider should develop procedures for documenting access restrictions. The restrictions should be visibly documented in the patient health record. When information is withheld from the patient, the provider may release the information to an appropriate third party or to another health care provider, who may then release the information to the patient.

Seven Core Elements of a Valid Authorization
1. A description of information to be used or disclosed
2. The identification of the person or class of persons authorized to make the use or disclosure of the PHI
3. The identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure
4. A description of each purpose of the use or disclosure
5. An expiration date or event
6. The individual's signature and date
7. If signed by a person representative, a description of his/her authority to act for the individual
Three Required Statements of a Valid Authorization
1. An individual may revoke an authorization in writing. Plus:
a. An additional statement regarding the exceptions to an individual's right to revoke and specific instructions on how to revoke or
b. A reference to the covered entity's Notice of Privacy Practices, if this information is included
2. Treatment, payment, enrollment, or eligibility of benefits may not be conditioned on obtaining the individual's authorization. (In other words, one cannot say "sign this or we won't treat you" or "sign this or we won't cover your care."
OR:
Where the Privacy Rule allows for such conditioning, delineation of the specific consequences to an individual if he/she refuses to sign the authorization form
3. The potential for the PHIto be redisclosed by the recipient and thus, no longer protected under the Privacy Rule
An example of a redisclosure:
You send patient information to Happy Hospital.Two years later Happy Hospital includes that information in a disclosure to an attorney.(This should not happen
but it could.We should never disclose information we received from another facility.The requestor should go back to that facility for that information)

Other Considerations for a Valid Authorization
• All authorizations "must be in plain language"
• Other elements or information may be included as long as they are not in conflict with requirements
Combined Authorizations

In general, an authorization for use and disclosure of PHI may not be combined with any other document to create a compound authorization except for:

• Research
• Psychotherapy notes
• Another authorization under Section 164.508

Documentation Requirements
• A copy of the signed authorization form can be given to the patient or individual
• Covered entities must document and retain all signed authorizations for a period of six years from date of creation or when last in effect, whichever is later.
Revoking an Authorization

Revocation of an authorization is allowed at any time as long as:
• It is requested by the individual in writing
• Unless:
• The covered entity has already taken action based on the originally-signed authorization or
• When the authorization was obtained as a condition of obtaining insurance coverage
When is Use/Disclosure of PHI Allowed Without an Authorization
• For treatment, payment or health care operations (TPO)
• For public health or health oversight activities
• When use is for victims of abuse, neglect or domestic violence or other persons at risk
• For judicial and administrative proceedings
• To employers (under certain conditions)
• For use by coroners, medical examiners, and funeral directors in the case of deceased persons
• For cadaveric organ, eye, or tissue donation
• To avert a serious threat to public health or safety

When is Use/Disclosure of PHI Allowed Without an Authorization
• For law enforcement purposes
• For Workers' Compensation and specialized government functions
• As otherwise required by law
• For research (waiver approval required)

MINIMUM NECESSARY

SECTION 164.514
• A covered entity must make reasonable efforts to limit access of PHI to that which is minimally necessary to meet the purpose of the use or disclosure
• "Minimum" determination need not be made for reasonable requests made by public officials, other CE's, members of workforce, business associates, or researchers
• A covered entity may not use, disclose, or request an entire medical record unless need for such is specifically justified

ACCOUNTING OF DISCLOSURES

SECTION 164.528
Must be able to provide individuals with a record of disclosures for a period of six (or fewer) years prior to the date of their request.
What must be included in a disclosure accounting?

• Date of each disclosure
• Name of the organization or person who received the PHI
• Address of the organization or person who received the PHI
• A brief description of the information disclosed
• A brief statement of the purpose of the disclosure

Charges for an Accounting of Disclosure
• Individuals have a right to receive one free accounting per 12 month period
• For each additional request within a 12 month period the covered entity may charge a reasonable, cost-based fee.
• If a fee is charged, the covered entity must inform the individual of the fee in advance

Retrieval and Copying of PHI
• A "reasonable, cost-based fee" for requested copies may be charged
• For a summary or explanation of PHI, a preparation fee may be charged
• Costs associated with searching for and retrieving the requested information may not be charge to patients
 
Charges for ROI
• You may charge for search and retrieval and preparation time
• You may charge per page for the copies
• Check with your state statues to find out what are considered to be reasonable charges
• Many states have set guidelines on what you may charge per page