The Health Insurance Portability and Accountability Act (HIPAA), which was passed by Congress in 1996, specifies who can access or retrieve a patient’s medical records. This law set limits on the use and release of medical records, and established a series of privacy standards for health care providers to follow HIPAA compliance. The HIPAA privacy and security obligations of a healthcare provider are fundamentally unchanged by transitioning to an EMR / EHR system, but may require adjustments in practice.
Providers must inform patients of a their HIPAA privacy and security rights, and must outline the policies and procedures they undertake to meet these obligations. While a health care provider owns a patient’s medical records, the patient has a right to access and ask for copies of the original medical record. Providers may not charge patients for locating and providing access to these files, but may charge “reasonable fees” for making copies, if so requested. The limits of “reasonable fees” are set by state law and vary widely. HIPAA does not prohibit charging attorneys or insurers a search and retrieval fee in addition to any copying fees.
Note that HIPAA privacy and security rights requires medical records to be retained by a provider for at least six years after either the later of the date of creation or the date when last in effect. State laws may require longer holding periods.
In the case of other providers who are covered entities, patient authorization is not required for disclosure to another health care provider for patient treatment or payment. Patient authorization is not required for health care operations if the receiving party also has a relationship with the patient and the information disclosed is used for performing care quality assessment, performance review or training, or for fraud detection.
In addition to specifying access rights for patients and limiting fees they may be charged, HIPAA privacy and security rights also limits disclosure or release of patient medical records to third parties without patient authorization.
There are numerous special situations, but the most common involve requests for information regarding deceased individuals and minors. In the case records for deceased person, a death certificate and legal documentation appointing a valid representative of the estate are both required for any information release under HIPAA compliance. In the case of a minor, which in most, but not all, cases is someone under age 18, written consent from the parent or other legal guardian is required for information release.
If you receive a subpoena, HIPAA requires a health care provider to obtain “satisfactory assurances” that the patient whose records are being requested has received notice of the subpoena or request, has had adequate time to consider it, and has not objected to it. However, so-called “super-confidential” information is protected by more stringent rules, which can complicate compliance efforts.
Super-confidential medical records containing drug and alcohol, mental health and HIV information are subject to more stringent federal and State laws under HIPAA. As a result, physician practices must determine if medical records contain superconfidential information before releasing them. Generally, a physician practice can release these superconfidential records only upon a court order or upon receipt of a HIPAA Authorization signed by the patient which explicitly acknowledges the the records contain drug and alcohol or mental health record information.
Another exception is made for information related to mental health treatment, and in many cases need not be released even at the patient’s request.
These provisions are complex, and its important to make sure that all personnel at your practice understand these HIPAA compliance issues and that they have ready access to a manual outlining appropriate procedures. In addition, it is good HIPAA compliance practice to ask for written authorization from patient’s to release information when possible, regardless of the situation. While redundant in many situations, penalties for willful non-compliance or negligence in meeting HIPAA data security and privacy rules can be substantial.