1. Physicians deciding what should be released
Physicians may want to review a patient request and even limit what information is sent. This is not allowed. The patient has a right to receive or permit release of any or all of the record. There are limited exceptions.
2. Holding requests until the ROI charge is paid
Under HIPAA, you cannot hold patient records hostage pending reimbursement for any unpaid services. This could impact patient health. A site is allowed to charge “reasonable” fees for a patient’s health information, but if a patient can’t afford the release of information (ROI) charge, you should provide the information at no cost.
3. Giving patient information to family/friends
Office staff may be familiar with family members and assume consent without supporting documentation. Don’t! You may disclose relevant information only if you:
- obtain the patient’s agreement
- give the patient an opportunity to object
- decide from the circumstances, based on professional judgment, that the patient does not object
Reminder: A durable power of attorney (POA or DPOA) does not kick in until the person no longer is able to make care decisions.
4. Releasing a minor’s information to parents and stepparents
Some states have passed laws giving minors control over their health records concerning such things as behavioral health, mental health, substance abuse and pregnancy-related testing and/or care. These records cannot be released to parents or guardians without the minor’s consent. You need to know your state laws. Once any patient turns 18 years old, parents no longer have access to any medical information, including records dating back to birth, without the patient’s consent.
Custody (including full) of a minor does not restrict access by the non-custodial parent unless specifically ordered by the courts (and copies of the order are provided to the office). Both biological/adopted parents have full access to medical records; stepparents have no rights unless given in writing.
5. Honoring subpoenas
In most states, subpoenas do not apply to medical or health records. To give access to health records, you need one of the following: authorization from the patient; proof that the patient or the patient’s attorney was notified with an adequate amount of time (determined by most states) to quash; or a court order signed by a judge. Beware of “fake” subpoenas that are not filed with a court. Grand jury subpoenas have their own rules and require secrecy, including from the patient.
6. Becoming overwhelmed with burdensome payer requests
Requests for hundreds of documents from payers, often before they reimburse for care, are common. If this becomes unworkable, you are allowed some leeway for response, but communication with the payer is key. Know the type of audit and its potential financial impact on the practice. More information is available in the May/June 2021 Journal of AHIMA, “Surviving the wave of seasonal audits.”
7. Not providing staff with sufficient ROI knowledge
Most staff in a physician practice are not familiar with the complex rules around ROI. For example, you cannot limit ROI when a patient makes a request. Do you include data from other providers? How about test results from a hospital system? What about only records created within the office? You may need to include operative reports from the hospital for procedures performed by your surgeon. Another complexity is ROI billing policies, which usually differ by requestor, such as patients, Workers’ Comp, payers, attorneys, etc.
Not following all of the different rules can lead to Office of Civil Rights complaints and fines, HIPAA violations and a negative impact on patient care. Sufficient staff ROI training is essential.
8. Not being capable of releasing records in an electronic format
If an individual requests an electronic copy of protected health information (PHI) in a specific format, it must be provided if records are stored electronically. If the practice still uses paper records, an electronic copy must still be provided if readily producible.
9. Being unable to meet turnaround times
Recent fines have revolved around not meeting the 30-day requirement for an ROI request. Meanwhile, a new HIPAA proposal is suggesting the time requirement be reduced to 15 days (not to be confused with the Cures Act/Interoperability rules eventually requiring system access to the patient within 10 days). Faster ROI is, of course, better for patient care and satisfaction.
10. Not having a tracking system
All releases of PHI outside of TPO (treatment/payment/operations) must be tracked for 6 years in case the patient requests an accounting of disclosures. You will need to provide a listing of what was released, when, to whom and in what format, and have a copy of any signed request. This also must include any incident or breach, with notifications.
Check out Sue’s webinar on this topic for more detailed information.