HIPAA Focus: Handling Records Requests

By Mike McEvoy, Ph.D., RN, CCRN, REMT-P, and Paul Gillan, JD, EMT-B

A recent article in the Washington Post described a scenario in which doctors in Boston were refused information about a transplant donor by the hospital where the donor had died, which cited HIPAA privacy rules.1 The delay in getting the information, which concerned a potential infection in the donated organ, turned out to be costly and dangerous and could have been fatal to the recipient. Although the case had a happy ending, this “near miss” illustrates the dangers of misimplementing HIPAA protections.

According to the Post article, “[t]he overwhelming majority of problems [with HIPAA] appear to be the result of misunderstanding the law’s requirements or erring on the side of withholding information to avoid inadvertently violating the new restrictions.”

The most critical component of an effective HIPAA disclosure policy is a correct understanding of the law’s requirements. This article summarizes the requirements as they apply to five common areas of requests: from patients, from health care providers, from the state, from insurance companies, and from lawyers and other patient representatives.

Be forewarned: Records access is a complex area and involves both federal and state laws. It is a critical area of HIPAA implementation and difficult to accomplish without legal assistance. For that reason, in many areas below we will specifically recommend advice from legal counsel.

Patients
HIPAA specifically permits the disclosure of protected health information to an adult individual who is the subject of the information. HIPAA itself does not specifically require a written consent or authorization to provide a patient with his own records, but prudence and good business practices do. Additionally, state law may impose record-keeping requirements for such disclosures.

Be careful with records that contain information about more than one patient. You must either obtain an authorization from the second patient to release that person’s information or black out any information about the second patient before disclosing the record.

Records of minors also require caution. Technically, minors do not have the authority to consent to care and, consequently (under most circumstances), do not have the authority under state law to consent to releasing their own records. In most cases, a parent’s consent is required even if the minor is asking for his own records.

Of course, certain exceptions apply. Some states permit “emancipated minors” to consent to care, and those minors can request their own records and authorize release of their records to third parties. Further complicating the matter, some states prohibit the disclosure of sensitive information without the minor’s consent–for example, information about an abortion, venereal disease, or birth control–even to a parent. In those cases, the minor’s consent is actually required. The laws pertaining to minors vary widely from state to state and the rules–and exceptions–are often surprising, so be sure to review this aspect with legal counsel familiar with your state’s laws.

Health Care Providers
We cannot be more clear about this: HIPAA imposes no restrictions on disclosures to other health care providers for treatment purposes. There is no HIPAA consent requirement. There is no HIPAA authorization requirement. The “minimum necessary” standard does not apply. HIPAA is no excuse to deny a records request from another health care provider. You certainly don’t want to become the next HIPAA “near miss” reported in national news headlines.

Requests from other health care providers for payment purposes or for the other provider’s health care operations (most commonly, Quality Improvement) are also permissible but are subject to the “minimum necessary” standard. That means that your response to the request must be limited to the minimum information necessary to accomplish the purpose for which the records are requested. For example, if the request is for payment purposes, the patient’s name and identifying information should be included. But if the request is for QI, the name of the patient is not essential. A written authorization for disclosures for payment or health care operations purposes is not required.

Requests for purposes other than treatment, payment, or health care operations generally require an authorization from the patient. The authorization must meet HIPAA standards.2

Take care that your policy on disclosures to health care providers is consistent with your state’s laws on disclosures of medical information. Although it would be unusual, state law could require patient consent even for disclosures for treatment purposes.

The State
Records requests from state oversight authorities are not uncommon. For example, the bureau or department that licenses your EMS agency will likely also have the power to review your patient records at any time. It also likely requires EMS agencies to submit reports for certain incidents (vehicle crash, equipment failure, death of a patient, etc.), which may necessarily include PHI. HIPAA generally permits such disclosures.3

Insurance Companies
Insurers (including life insurers, accident & health insurers, and HMOs) sometimes request patient records to justify a claim. In this case, the records are used for payment purposes–either of the ambulance service or of another provider that submitted a claim for payment. In either case, the records can be provided without an additional authorization.

Disclosures for payment purposes are subject to the minimum necessary standard. A request relating to one call should be fulfilled only by records relating to that call. In contrast, a doctor seeking information about a particular patient for treatment purposes may want all of the records you have for that patient.

Again, your disclosure policy on this point must be consistent with state laws. Insurance companies usually have their members sign blanket releases authorizing the insurance company to obtain medical records if necessary to pay a claim. If your state requires such a release, you may have to request it from the insurance company before making the disclosure.

Lawyers and Other “Patient Representatives”
Lawyers–particularly lawyers without a substantial health law practice–have been stunned recently by EMS agencies turning down their records requests, citing HIPAA. In most cases, the EMS agencies were within their rights to request additional documentation (or in some cases, any documentation) from the requesting lawyer.

If the lawyer represents the patient, he should already have a HIPAA-compliant authorization from the patient that should accompany the request.

If a lawyer represents an insurance company or other person being sued by the patient, he may or may not have obtained an authorization from the patient. Typically, authorization is provided by the patient to the defending party at some point during the “discovery” phase of the lawsuit. If the lawsuit has not yet reached that point, the defense lawyer may not have an authorization. Bottom line here: no authorization, no records.

Sometimes lawyers will use a subpoena to request records. Any subpoena received by your department should be reviewed by legal counsel prior to releasing any records.

The trickiest requests come from lawyers defending EMTs in disciplinary or enforcement actions. Although most states are required to provide copies of records to EMTs they seek to discipline, states’ disclosures are often untimely or incomplete. A conscientious defense attorney will often seek copies of records directly from the agency involved. If an administrative law judge hearing the case is aware of medical records being involved, he may issue an administrative order appropriately restricting uses of the records. If this has not been done, an attorney requesting records may need to agree (or “stipulate”) that use of the disclosed records will be limited to the enforcement action, and that the records will be returned or destroyed once the hearing is over.

Another common patient representative is a parent. As we mentioned previously, parents of minors may or may not have a right to obtain their child’s records, depending on your state’s laws. The issue becomes particularly important when sensitive information is contained in the patient care report (for example, a 15-year-old girl involved in an MVC who discloses to the treating EMT that she may be pregnant). Parents of patients who have reached the “age of majority” (18 in most states) no longer have a right to their children’s records, even if the records relate to something that occurred before the child turned 18.

Accounting for Disclosures
You might get the sense that some record disclosure requests are complicated by legal battles and that some of these battles precipitate the disclosure requests you’ll receive. Cases involving divorce, malpractice, and personal injury litigation are a few of the more sensitive battles that may give rise to parties seeking disclosure of medical records. These sorts of events cry out for you to have a clear and consistent process in place for receiving and responding to requests for disclosure of medical records. They also illustrate the need to carefully account for any and all disclosures that you make.

HIPAA provides patients with the right to request an accounting of disclosures of their records by a covered entity for a six-year period prior to the date they request it, with certain specific exceptions.4 The simplest means to accomplish this, especially for small departments, is to attach requests for disclosures, authorization forms, and copies of correspondence releasing records to the actual records themselves. This will ensure that you have a clear and readily accessible accounting available for every record you maintain.

Conclusion
Records access policies are necessarily complex. These are a critical area of your operations that should be reviewed by an attorney. Be sure your reviewing attorney has demonstrated experience with HIPAA and is thoroughly familiar with your state’s laws concerning medical records. This is not a one-size-fits-all area.

There are many other types of access requests not covered in this article. In addition, some of the rules we have summarized above are subject to minute but significant exceptions. Your records access policy should identify areas where judgment calls must be made—for example, as to the validity of a personal representative’s authority to make an authorization on behalf of a patient—and route those judgment calls to the appropriate decision maker. Sometimes a manager or officer will be able to make these judgments; other times input from a legal professional will be required.

Above all, do everything possible to ensure that patient care is not impeded by someone’s poor understanding of HIPAA. An EMS service that misapplies HIPAA is not protecting patients (as the regulation intends) but rather threatening them with harm of an altogether different sort.

References
1 Stein, Rob, “Patient Privacy Rules Bring Wide Confusion,” Wash. Post, Aug. 18, 2003, at A01.
2 The requirements are outlined in 45 CFR 164.508, http://www.hhs.gov/ocr/combinedregtext.pdf
3 See 45 CFR 164.512(d).
4 See 45 CFR 164.528.

Mike McEvoy, Ph.D., RN, CCRN, REMT-P, is the EMS coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in New York. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for the West Crescent (NY) Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS director on the Board of the New York State Association of Fire Chiefs.

Paul Gillan, JD, EMT-B, is a senior associate attorney with the regional law firm Iseman, Cunningham, Riester & Hyde, LLP, in Albany, New York. An active EMT, he devotes a substantial portion of his practice to representation of fire and EMS services, EMS councils, and individual EMTs. For more information about the firm, please visit http://www.icrh.com.
