Patient Release of Information
I was recently asked about a patient encounter where the patient arrived with a social worker serving as a case manager for the patient. The case manager asked the clinic for a copy of the patient’s medical record. The astute staff denied the request, stating the encounter note would be available to the patient at the completion of the encounter and if the patient wanted to share that with them, it would be between them and the patient. In this scenario, did the clinic act appropriately? What other options did they have?
In the Omnibus Rule, patients were given additional rights pertaining to their medical records. Briefly (and not completely), patients were given the right to ask for their records in electronic form, to request cash services not be reported to their insurance carrier, and to request their information be sent to third parties.
In this particular case, there’s information we don’t know. For example, was the patient present when the request was made? If the patient was present, would the disclosure have been appropriate? Could the clinic have handed the PHI to the case manager in front of the patient and been OK? Most likely, but we wouldn’t recommend it.
As a general rule when it comes to HIPAA, document, document, document. We suggest you use an Authorization for Release form for your patients, like the one included in our HIPAA Security Suite program. On that form, you can identify exactly who the intended recipient of the patient record is and the patient can then sign that document for you. That provides you with documentation of the release and a written authorization to do so.
That’s not the end of the story. The clinic had concerns about the HIPAA compliance of the receiving entity. Extending the example, if the case manager was given the patient’s records and subsequently breached, or lost, that information, what potential liability would the clinic have? One may conclude the clinic would have no responsibility since the PHI was properly conveyed to the case worker, and that liability was transferred at that point. However, the situation may not be that simple. Potentially, this case worker, or their employer, has regular contact with this clinic. If that’s the case, could they be considered a Business Associate? What rights does the clinic have to ensure their created PHI is being properly handled?
In this scenario, we wouldn’t argue for a particular definition of the case worker or their employer. They don’t fit the technical definition of a Business Associate – they are not a vendor in the service of the Covered Entity but rather an agent of the patient themselves. However, it may be prudent in the course of the release to have the case worker sign a confidentiality agreement similar to what we use with vendors who don’t fit the definition of a BA but still have incidental contact with PHI. The idea here is to put the recipient on notice, and get their acknowledgement, that they are in receipt of sensitive information that is bound by HIPAA.
HIPAA compliance can seem like a minefield. Keeping your guard up and playing it safe is sage advice. Our HIPAA clients enjoy access to our help line so when questions in your practice arise, we’re here to help with an experienced voice backed by our nationwide legal network.