HIM 2200 Release of Information

Release of Information (ROI) is the process of disclosing patient-identifiable information from the health record to another party.

Role of HIM with ROI HIM professionals have responsibility to in determining access to and release of information from patient health records. Most HIM departments have either professionals specifically trained to do ROI on a daily basis

ROI professional Responsible for verifying a ROI form and completing patient’s request per ROI form. For example, the ROI may take the form of a patient’s request to mail copies of his or her records to a healthcare provider. ROI professional require a request in written format, verifies patient signature on the ROI, and only then release the information requested.

ROI requests 1. A completed authorization or request 2. Information on request is stored in a computer database (for example, Softmed). Generally patient name, date of birth, health record number, name of requestor, address & telephone of requester, and specific health information being requested is stored in database. 3. State & HIPAA laws govern release of health information. HIM professionals must be well aware of what information needs to be included on the authorization to be considered valid.

ROI requests cont. 4. If the request or authorization is valid, the specific information is copied and sent. 5. OR if the request is invalid, the problem with the request is noted in the computer, and the request is returned to the sender.

ROI log To comply with HIPAA standards, a healthcare facility must maintain a record that accounts for all disclosures from the health record.

Subpoena duces tecum Subpoena duces tecum: judicial request for certain information or evidence. Similar to ROI requests the subpoena is 1.Logged on database 2. Verify the subpoena to be valid and the information can be released to the court in compliance with state & federal law.

Subpoena duces tecum cont. 3. Check the health record. Is it complete? Are signatures identifiable? 4. Review the record for risk. If it is a potential malpractice case, notify administrator/facility attorney/physician. 5. Copy and certify. 6. Prepare an itemized list of the record contents which cab be used as a receipt if the record is retained by the court. 7. Record the information and number of pages in response to subpoena duces tecum 8. In response to a subponea ‘duces tecum’ a HIM professional may appear in person in court or at a deposition and give sworn testimony to the health record’s authenticity.

Verifying a ROI request All requests must follow HIPAA unless a state law is more stringent. 1. Give only ‘minimum necessary’ 2. Compare patient’s signature with one in record 3. Check the date to ensure that the request was dated after the occurrence so that the patient was aware of what was being authorized for release.

Verifying a ROI request cont. 4. Verify the insurance company (if requester) as the one belonging to the patient 5. Review the request for what was wanted and whether the requestor was entitled to the information.

Ethical Issues in ROI 1. ‘need to know’ limit information given to only need to know. 2. Privacy and confidential information are being protected. Be aware of possible redisclosures of health information. 3. Misuse of ‘blanket’ authorization. Patients sign a blanket authorization without understanding its implications. The requestor of the information then could use the authorization to receive health information for years. The patient may not be aware.

Defective authorizations The HIPAA Privacy rule declares the following authorizations invalid: The expiration date or event has passed or occurred The authorization is missing one or more items of content The authorization is known to have been revoked The authorization violates a privacy rule standard or conditioning or compound authorizations. Material information in the authorization is known to be false. Handwritten, patient generated authorizations may often be invalid under HIPAA, as most do not contain an expiration date or a statement about the individual’s right to revoke the authorization. (Encourage facility to post authorization on web)

Types of Authorizations (requests) 1. Research: authorization for use or disclosure of protected health information PHI for a research study. 2. Psychotherapy notes: authorization for the use or disclosure of psychotherapy notes may be combined with another authorization for the use or disclosure of psychotherapy notes. For example, an individual can complete an authorization that requests his psychotherapy notes be sent to his attornedy and a second mental health professional. An authorization for psychoterapy notes may not be combined, however, with an authorization for disclosure of general health information.

Types of Authorizations cont. General: authorization for the disclosure of general health information may be combined with another authorization for the disclosure of general health information. However a general authorization that conditions treatment, payment, enrollment or eligibility for benefits on completion may not be combined with another authorization. For example, an insurance company may not combine an authorization they require as a condition of enrolling in their plan with another authorization.

ROI Fees If the individual requests a copy of the protected health information or agrees to a summary or explanation of information, the facility may impose a reasonable cost based fee, provided that the fee includes only the cost of: -copying (cost of supplies & labor) -postage -preparing an explanation or summary of information

ROI Questions Does HIPAA privacy rule allow us to release patient information over the telephone without an authorization? HIPAA now allows the release of health information without an authorization from the patient in certain situations: Treatment Payment Healthcare operations (TPO)

ROI Questions Is faxing patient information legal under HIPAA? If the facility is permitted to release information for treatment purposes or by authorization, then using a fax machine is allowed. However safety steps should be ensured.

Faxing ROI safety precautions Notice of Information Practices uses and disclosures of individually identifiable health information. written authorization for any use or disclosure of individually identifiable health information when not otherwise for TPO (treatment, payment, and healthcare operations) Reasonable steps to ensure the fax transmission is sent to the appropriate destination. Ideas for doing this, preprogram fax numbers, Remind those who are frequent recipients of health information private Attach a confidentiality statement. The following is an example: The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information is prohibited from disclosing this information to any other party unless required to do so by law or regulation and is required to destroy the information after its stated need has been fulfilled.

ROI Question What are a facilities legal responsibilities when a former employee breaches confidentiality of information gained during his or her employment period? A facility can fortify its defense position by ensuring and retaining clear evidence that a former employee was trained and expressed understanding of privacy and security policies and procedures. Thorough documentation of ongoing HIPAA training will demonstrated a facilities efforts during the employment period. Addressing postemployment responsibilities is also advised. If the employee is terminated, documentation of a signed statement stating understanding the confidentiality of patient information should be expressed. DOCUMENT!!!

ROI Question Who can act as a personal representative of a minor? Either parent (unless otherwise restricted by a court order), the legal guardian or the legal custodian appointed by a court may act as a minor's personal representative

ROI Question When can a minor (someone under 18) be considered as adult and therefore guardian not allowed to complete authorization or request for medical information? This varies state by state. Check with your state law. But the following is expressed under HIPAA & Utah law. 1. Minor is emancipated. 2. Minor is married. 3. Minor is pregnant, communicable disease, drug or alcohol abuse and only if being treated for this condition.

ROI question As a parent to I have the right to get and amend my childs record? Again, this varies state by state, as per Utah law & HIPAA, the answer is No, if a healthcare provider reasonably believes there is neglect or abuse of child, then the parent does not have access to child’s record.

ROI questions I am listed as my mother’s power of attorney, do I have right to request an authorization and look at her medical information. Yes, if you are your mother’s agent or power of attorney, under Utah & HIPAA law you have this right.

ROI question My father died, to I have right to look at his records? Again varies state by state, but under Utah law & HIPAA, the answer is yes. You usually have right to get a deceased person’s medical record if you are the personal representative (adminstrator or executive). In Utah this includes deceased spouse or child.

Questions? Remember to check with HIPAA privacy rule, your state law, and facilities attorney in which how a scenario might be answered different.