Releasing Protected Health Information Kenda Collier HCR/210 August 24, 2010 Donna DeGrio

Established by the U.S. Congress in 1996 and made effective July 1, 1997, the Health Insurance Portability and Accountability Act (HIPAA) is a group of regulations working against abuse and fraud in health insurance and the delivery of health care. HIPAA’s purpose also includes improving the health care system’s effectiveness and efficiency, providing for the continuation of health insurance coverage, and delivering consequences for organizations and individuals who do not comply with HIPAA regulations (Highmark, 2007). Different representatives and agencies can request, with or without patients’ consent, patients’ protected health information (PHI). PHI is information that is connected to an individual and includes name, telephone number, address, date of birth, social security number, name of employer, and/or Medicaid identification number (Green and Bowie, 2005). Many situations arise when the government has the legal obligation or right to a patient’s medical records. For example, state agencies are required to keep records of deaths and births. They must also maintain registries of people who have received a diagnosis of a serious illness like cancer. Disclosures of such information to the government typically do not require an individual’s authorization (Highmark, 2007). Medicaid, Medicare, veteran’s activities, national security and intelligence activities, the military, armed forces personnel, correctional institutions and presidential

protective services do not require authorization—all may receive protected health information without the consent of the individual. Some government agencies, such as the Bureau of Disability Determination and the Department of Social Services, have to receive the individual’s authorization prior to receiving his or her PHI (Green and Bowie, 2005). Attorneys almost always have to obtain the individual’s authorization for the release of PHI. The exception is if a health care provider’s attorney requests it and the information is released during normal business. Employers also have to get authorization from the individual but not in cases of work-related injuries or illnesses (the reporting of them). Health care providers are also obligated to get authorization from patients for the release of PHI, except for caregivers who are directly involved in the patients’ care. The IRS, or Internal Revenue Service, along with law enforcement agencies, has to receive consent from the patient for the disclosure of PHI. The patient or his or her representative has to obtain authorization to release PHI unless it is a situation where no authorization is required by HIPAA. Patient authorization must also be obtained by third-party payers except in the cases of treatment, payment, and any health care operations. The majority of providers allow medical professionals who are working on clinical research access to patients’ records. They may also exchange such information with other researchers. If activities have been approved of by an Institutional Review Board, PHI can be received by a research group without the individual’s authorization. If research includes actually treating the patient, authorization is required, unless the person is involved in the patient’s direct care. Patients do have the right to access their PHI for verification of information and

keeping a personal copy, unless there is information that has been compiled for use in criminal, administrative, or civil action. Information that includes psychotherapy notes and PHI that is kept by any covered entity subject to the Clinical Laboratory Improvements Amendments of 1988 is also restricted (Green and Bowie, 2005).

Usually, the only person who can authorize the release of medical records is that specific patient. Naturally, though, exceptions to the rule exist. Legal guardians, parents, or agents of a minor child are able to give this authorization. The confidentiality of medical records is maintained except for certain instances where they can be released without the consent of the patient. Records can be released, in certain circumstances, to health care workers who require the information to provide care to a patient. Organizations that are qualified and are undertaking approved research can also receive records, and as previously mentioned, certain government authorities also have that right. However, in general strict rules apply for people who receive such medical information. The privacy of the patient must be kept (Lectric Law Library’s, 2002). Safeguards that are in place must be kept for the release of the patient’s PHI. Each facility has the obligation to make sure that all patient information is kept safe from tampering, loss, theft, unauthorized access, or damage. Research groups, government agencies, and legal agencies have guidelines that have to be followed for them to receive a patient’s PHI. The privacy of records must be maintained no matter who receives them. HIPAA regulations affect everyone: patients, hospitals, health insurers, doctors, employers that provide health insurance, health care organizations, public health authorities, and life insurers. When a facility releases a copy of a patient’s PHI, it must

keep a release of information log on order for patients to receive an accounting of information disclosures for six years prior to their request. Whether consent is required or not, facilities must keep individuals’ records confidential (Green and Bowie, 2005).

References Green, M.A., and Bowie, M. J. (2005). Essentials of health information management Principles and practices. Clifton Park, NJ: Thomson. Highmark (2007). HIPAA Overview. Lectric Law Library’s (2002). Medical Records.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.