Summer 2023
Evolving Education: Releasing Medical Records
By Bart Howe
For The Record
Vol. 35 No. 3 P. 28
Five Important Things Staff Need to Know and Do
There’s an old proverb that says, “Eat the elephant one bite at a time.” Medical record release is an elephant, but we have five bite-sized tips that will help further your knowledge of this mammoth topic.
According to the Association for Health Information Outsourcing Services (AHIOS), the medical record is often referred to as the “who, what, when, where, and how” of patient care. The sheer amount of data contained inside patient records is overwhelming, but if you break it down into those buckets, it feels a bit more digestible. For example:
• Who: The patient;
• What: Documents, films, graphs, imaging, etc;
• When: Dates of visits, tests, and conversations;
• Where: Provider locations, health systems, and geographical information; and
• Why: Reasons for visits, symptoms, treatment discussions, and diagnoses.
Every health care facility a patient visits is required to maintain that patient’s medical records and protect them from loss, damage, alteration, or unauthorized use. Medical records can be considered legal documents and can only be released by facilities under specific circumstances.
Following are the five key things to do when releasing medical information:
1. Ensure that the authorization is valid.
The first question you should ask when you get a medical record request is, should these records be released to this requestor?
Under HIPAA, certain types of requests do not require individual authorization to be released, including certain requests from coroners, funeral directors, health agencies, law enforcement, and patient right of access requests made by a patient or personal representative. But apart from these exceptions, the majority of requests require individual authorization.
If a request does need authorization, what does that authorization need in order to be valid? HIPAA states that valid authorizations must be written in plain language and identify the following:
• the name of the patient;
• the person authorized to disclose the information;
• the purpose for the disclosure;
• the specific information to be released;
• the party to whom the information may be released;
• the individual’s right to revoke the authorization and how to revoke it;
• an expiration date or event;
• the signature of the patient or person authorizing the release; and
• the date the authorization was signed.
In addition, the authorization must include the following:
• a statement about the inability or ability to condition treatment, payment, or health care decisions on whether the patient signs the releases;
• a statement that the information may be redisclosed and is no longer protected by HIPAA; and
• a statement that the patient has a right to receive a copy of the authorization form.
2. Understand the nuances of navigating a subpoena.
One of these things is not like the others, and “these things” are subpoenas. Of all the different types of record requests, subpoenas come with their own set of rules and complexities, which is why there’s an entire section dedicated to them here.
Subpoenas are orders directed to an individual commanding them to appear in court on a certain day to testify or produce documents in a pending lawsuit, generally signed by an attorney. The following are a few types of subpoenas you may receive related to medical records:
1. Civil subpoenas, which have two subcategories:
a. Deposition subpoenas, where records are requested for a deposition; and
b. Subpoenas Duces Tecum, where records are to be delivered to the court.
2. Criminal or investigative subpoenas. Subpoenas have some notable exceptions that allow you, as a health information manager, to refuse compliance with the subpoena. Some examples of these exceptions are the following:
• certain test results, such as those pertaining to HIV and hepatitis B;
• hospital medical staff committee records;
• mental health records or physician-patient privileged information; and
• records pertaining to treatment for substance abuse.
Another important nuance to keep in mind is that attorneys may send you letters asking you to comply with a subpoena before you receive it, and you are not obligated to do so until you receive the subpoena and have the opportunity to vet it for release or otherwise obtain the patient’s authorization. It’s also important to remember that a court order is not a subpoena. Court orders are signed by judges, not attorneys, so if you receive a court order, different rules apply.
3. Make sure you’re maintaining an accounting of disclosures.
An accounting of disclosures is just that—an account of a patient’s medical record disclosures. An accounting of disclosures contains a lot of information, including an account of the places a record was released that were not specifically authorized by the patient or related to treatment, payment, or hospital operations. An accounting of disclosures would also include releases to third parties—for example, record releases related to a subpoena, as discussed above.
You are required to maintain an accounting of disclosures, and every 12 months, patients are entitled to a free copy of this list. For additional copies within the same 12-month period, providers may charge a reasonable fee. Patients may receive paper copies of this list for a timeframe going back six years and electronically for up to three additional years from the date of the request.
As a covered entity, you have the choice to include information related to electronic disclosures by your business associates or to provide the patient a list of your business associates so that they may follow up with them individually.
4. Know how to handle unauthorized disclosures and breaches.
Any disclosure of protected health information (PHI) to an incorrect party is an unauthorized disclosure, even if it’s inadvertent. And if you think about the millions of patient records that are requested every day across the entire US health care system, you can imagine how this occasionally can occur.
Here are a few examples of how unauthorized disclosures can occur:
• The incorrect data are in the record and then the record is released (also known as misfiles).
• The incorrect patient’s record is delivered to a requester.
• A physician shares data with the wrong patient or provider.
Health and Human Services (HHS) considers unauthorized disclosures potential breaches that must then be put through a discernment protocol to determine the likelihood of harm. This is known as a risk assessment and must be completed once you suspect a potential breach has occurred. It’s important for every health care organization to have an established protocol for investigating a potential breach. Following are questions to consider when conducting a risk assessment:
• What is the nature of the PHI involved in the disclosure?
• What is the likelihood of reidentification of the patient?
• To whom was the disclosure made?
• Was the PHI acquired or viewed?
• To what extent has the risk of the PHI been mitigated?
If you perform a risk assessment and determine that a breach has occurred, the following steps must be taken pursuant to the Breach Notification Rule found at 45 CFR § 164.400-414:
1. Notify the individual affected: This notice must be in writing, delivered by first class mail or email if the patient agrees to electronic notification. If the breach affects multiple patients, each must be notified.
2. Notify the media: If the breach affects more than 500 residents of a jurisdiction or state, you must also inform the prominent media outlets of the breach via a press release or other notification within 60 days of discovery.
3. Submit a notice to the HHS secretary via the HHS website through the submission of a breach form. If the breach covers fewer than 500 individuals, you have one year to report; however, if the breach covers more than 500, you must notify within 60 days.
5. Train and certify anyone who processes medical records.
Even when you understand the regulations and requirements related to releasing medical records, there’s nothing like a complicated real-world scenario to make you question everything you thought you knew. People who release medical records will be faced with a variety of different and challenging situations every day. That’s why training and certification are critical.
The AHIOS Institute currently offers a 100-question certification exam for the employees of member organizations to verify that those on the front lines of medical record release understand how to protect the confidentiality of patients’ personal health information when that information is released. Consider this sample question from the exam:
“Jane’s aunt passed away and Jane wants to get a copy of her aunt’s death summary. She fills out an authorization form and shows legal proof that she is a beneficiary. Her aunt was married and there is a surviving spouse. Why is she or why is she not entitled to get a copy of the death summary?”
That’s hard to answer, right? And that’s exactly why providing education, training, and certification on real-world examples is so important. Learn more about the AHIOS Institute certification at https://ahios.org/ahios-institute.
Whether you’re a seasoned health information professional or new to the landscape, don’t let medical record release be the elephant in the room. Educating yourself about the nuances around release of information will help keep you at the top of your game as you support your organization’s medical record release process and advance in your HIM career.
— Bart Howe is the CEO of HealthMark Group, a leader in digital HIM based in Dallas. In that role, he leads a team focused on developing patient-centric technology solutions that streamline the flow of health care data to promote information accessibility and workflow optimization without sacrificing privacy or security. Howe is also the president of the Association for Health Information Outsourcing Services, an organization comprising the leading HIM service companies with the mission to promote compliance and excellence in the management of confidential, patient-identifiable information.