Records Requests: Know What's Legal

Andy Stockton's two practices in Omaha, Neb., follow a simple rule: If a patient record is requested, get the patient's permission - even if the request is made by the patient himself.
The practice administrator at Colon and Rectal Surgery Inc. and The Colonoscopy Center stands behind the policy and even advises other offices to adopt it themselves, given HIPAA legal guidelines and possible "gray areas" - such as more stringent state laws - that could cause staff to grant access rather than question requests.

"I think it is easier to get your staff to a point that they check at all times," says Stockton, who has been with the practices for 16 years. "They just don't assume, because if you do assume, that's when you are going to end up getting sued."

Stockton adds that there are also exceptions in HIPAA law regarding patient records that, under specific circumstances, instruct practices on when they can (or can't) release patient records, such as when the request involves mental health issues or minors. "It is those exceptions that will come back to bite you, in my personal opinion."

Mary E. Vandenack, a partner with Parsonage Vandenack Williams LLC, in Omaha, Neb., advised Stockton's offices on the blanket permission policy following HIPAA's enactment in 2003 and agrees that amid exceptions in the privacy regulation, it is best to ask more questions.

Check the request

Requests for medical records can come from numerous sources, including the patient herself, specialists, an insurance company, Medicare, and attorneys.

HIPAA outlines how to treat all of these requests and as Stockton points out, various states have also enacted local laws to accompany the federal regulation. In general, HIPAA allows you to disclose patient records without the patient's permission under the TPO exclusion - requests pertaining to treatment, payment, and operations.

If you don't employ the same method as Stockton's practices, having patients sign a HIPAA privacy notice will also help protect you when it comes to releasing patient records. Failure to do either, Vandenack notes, can result in a HIPAA violation for your office.

Vandenack says practices should ask two essential questions when receiving a record request: Is it from the patient? If not, does the person asking have valid authorization or other legal authority to make this request?

"If [the request] is not being made by the patient and there is no clear authorization, nor a legal basis for the request, than it is illegal," she says.

As an attorney, Vandenack has seen her fair share of illegal requests, including a recent "very official looking subpoena" sent to one of her clients requesting patient records that turned out to be fabricated by a person alleging he was an attorney, who was actually seeking personal information on a patient for unknown reasons.

To help practices identify illegal requests, Vandenack and her firm have published a free medical records access guide for the states in their region, offering both HIPAA guidelines and pertinent state laws. The online resource also offers practices sample authorization forms, sample letters to patients informing them of a records request from a subpoena, for example, and a sample letter to third-party requesters indicating their legal responsibility to provide sufficient documentation with their record request.

In addition to consulting an attorney, Vandenack encourages practices to get in touch with their local medical society for guidance, especially on state laws and guidelines regarding record requests.

Have a key contact

Like Vandenack, Lisa W. Clark, a partner with law firm Duane Morris LLP in Philadelphia, recommends practices have one or two staff members who are familiar with the basic HIPAA guidelines and who can field records requests.

Of the 33 employees at Colon and Rectal Surgery Inc. and The Colonoscopy Center, only two are allowed to release medical records, giving limited power to release records, as well as limited responsibility if an issue arises.

"All of our staff is 100 percent trained [in HIPAA regulations] but they are not all allowed to release records," Stockton says.

All practices are required under law to have policies and procedures to follow HIPAA privacy rules, but as a general rule, disclosures for the most part, are permissible under the TPO exclusion, Clark says.

However, the legal guidelines also have exceptions preventing the distribution of patient records, especially when it comes to mental health issues, substance abuse issues, certain reproductive health issues, minors, and genetic issues. "Those are the five you often have to think twice about," she says.

In general, any kind of request from an employer "usually has to be looked at or thought about," Clark says. Even in cases where the employer has set up a physical for a patient, patient authorization is still a very good idea. This is also the case with an insurance company seeking information, as a patient can elect not to disclose certain procedures to their insurer.

HIPAA provisions allow patients to choose where they want their health information to go and enable them to include restrictions about that information, which Clark notes "is a real pain in the neck" for practices, but a part of the law they must acknowledge and comply with.

Do your best to preserve privacy

With more money at the federal level to pursue violations of any personal information, the grace period for HIPAA implementation has pretty much run its course.

"I think they [the federal government] gave us a honeymoon period and now, the honeymoon is over," Clark says. "I'm not in the minority here in saying that HIPAA is predominately a consumer rights law. It is very heavily weighted toward the consumer, which is why it becomes difficult for a provider to become 100 percent HIPAA compliant. In my opinion, it is more about behavior modification."

What happens if you do get investigated by the federal Office of Civil Rights for a violation - which Clark says is pursuing more and more complaints? "If you show you are making a good effort toward making your systems better and dealing with any specific issues," you could face a lighter sanction, she says.

Be diligent

If you have a records request policy in place, even if it is viewed as unpopular by some, stick with it.

"The funny part is that physicians are in the habit of whatever they want, they can have. So then HIPAA comes out and they still think all they have to do is call and say we have a shared patient, so I want this," Stockton says. "But the reality is that deviates from what HIPAA is all about. The patient can still say no."

Having a strict patient records policy in place may not be popular, but in her opinion, HIPAA is not about "the convenience of my doctors." It is about protecting patient information, and considering the number of exceptions under the federal guidelines, the blanket policy works best.
A rule that applies to all requests is both the best thing to do and in part, the easiest, in Stockton's opinion. It's easier to seek patient authorization across the board and teach staff that no records get released without this permission.

"That way, you don't have to worry about anything falling through the cracks when presented with a list of exceptions. … I prefer not to deal with those issues. I just prefer we protect ourselves and we protect our patients."

Keith L. Martin is associate editor at Physicians Practice. He can be reached at keith.martin@ubm.com.

This article originally appeared in the November 2010 issue of Physicians Practice.