HIPAA Q&A: Fulfilling Patient Records Requests and Authorizations for Releasing PHI

Under the HIPAA Privacy Rule, patients have several rights regarding their medical records, including a right to access, a right to amend, and, in some circumstances, a right to restrict disclosures of their protected health information (PHI). Understanding and complying with those rights is an important component of quality patient care. Furthermore, The DHHS Office for Civil Rights (OCR) is spotlighting the importance of these rights with its Right of Access Initiative. In September, OCR stood behind its promise to enforce patients’ Right of Access by settling a case with a hospital entity for $85,000 following the organization’s failure to release a patient’s records for more than nine months.

If you own or operate a small or medium-sized physical therapy practice, understanding the different facets of the HIPAA Privacy Rule can be challenging. There are varying deadlines and authorizations required to comply with the Rule. Also, the Rule mandates that organizations draft, implement, train, and test staff on policies and procedures to ensure that all uses and disclosures of PHI are made or denied in accordance with HIPAA regulations.

Below, I’ll explain the Right of Access Initiative as well as identify circumstances where a patient authorization for disclosure of PHI is required—all in a handy question-and-answer format:  

Question 1: A patient called our clinic and asked for a copy of his records. When do we have to provide the records? Can we provide a paper copy of the records or does it have to be an electronic copy?

Answer: The HIPAA Privacy Rule requires covered entities, such as physical therapy practices, to provide patients their records within 30 days. Whether you have to provide a paper copy or electronic access is based on the patient’s request and the format in which you store records. 

In other words, if you maintain the records in an electronic format within your documentation software and the patient asks for an electronic copy, you must provide the patient with the electronic copy. If you are still documenting on paper and you can provide the patient with a readable alternative electronic format (such as a scanned version of the records), then you should provide the records using this format. See 45 CFR §164.524(c)(2)(ii) for the exact regulatory requirement. 

The key takeaway here is that patients have a right to access their records in a timely manner, and you cannot delay the request for months and then refuse to provide the records in the requested format if you have easy access to that format.

Question 2: Can we require the patient to come to our office, show proof of ID, and sign an authorization before we provide the records?

Answer: No, you cannot create unreasonable hurdles for patients to access their records. 

And the patient does not need to sign an authorization form for his or her own records. While you can—and should—implement some verification measures to identify the patient, onerous measures that create barriers to record access could be viewed as a violation of the Privacy Rule. 

Verifying the patient’s identify before release, while ensuring timely record access, requires some professional judgement. The HHS website has many free resources to help you develop a solid policy and procedure for managing patient records requests. Here are some quick tips:

• If your practice prefers patients to request records in writing, notify patients in advance via your website or signs in your clinic.
• Make sure the purpose of your written request process is to track and validate the patient’s request and not to create a barrier for access. Consider options such as email requests; a webform on your website that the patient can complete online; and forms that request just basic information (e.g., patient name and address).
• If your documentation software has a patient portal, use it to fulfill patient records requests. The portal can verify identity through the patient’s login credentials as well as create a simple process for you to fulfill record requests and an easy method for the patient to obtain his or her records.
• Train your staff on your record request policy and procedure to avoid delays and create a pleasant experience for your patient. 

Keep in mind: Right of Access is based on the concept that patients’ ability to access their records is empowering and engages them in their own health care. PTs, OTs, and SLPs are all about engaging and empowering the patient, so providing a streamlined, efficient process for patients to access their records is more about providing good patient care than merely checking a compliance box.

Question 3: A patient requested her claims information. Is that part of the patient record? Do we have to provide this information?

Answer: Yes, you do have to provide the claims information when a patient requests it, because claims information is part of the patient record. 

Patients have a right to the Designated Record Set, which includes medical records and all claims information (essentially, all records and information used to make clinical and reimbursement decisions about the patient). In fact, Medicare’s Blue Button Initiative allows Medicare beneficiaries to download their own claims data. Health care is moving in a more consumer-driven direction; one day, all patients will have access to their records at the push of a button.

Patients have a right to request their Designated Record Set for as long as you (or your documentation system vendor) retain the information. So, now is a good time to review your state and federal requirements for retaining medical records and seek legal counsel for drafting your organization’s retention policy. Also, determining what is part of the Designated Record Set is an important exercise to make sure you are retaining and releasing the right documents. 

Luckily, OCR recognizes that the HIPAA Privacy Rule is complicated and is creating excellent resources to help providers. Check out GetMyHealthData for a comprehensive breakdown of what constitutes the Designated Record Set. 

Question 4: A private attorney contacted our practice to demand a patient’s record within 24 hours. The attorney says she has a trial in two days and needs the records to prepare her client’s (the patient’s) case. What do we need before we can disclose the records to the attorney? 

Answer: You need written authorization from the patient before you can disclose the medical records to the attorney. 

The HIPAA Privacy Rule permits use and disclosure of PHI without written patient authorization for treatment, payment for health care, or healthcare operations only. Any other use and disclosure requires advance written authorization. And the authorization has to satisfy the federal regulatory requirements and possibly state law requirements. In summary, releasing PHI for purposes beyond treatment, payment, or healthcare operations is not a simple exercise.

I strongly recommend that you work with a healthcare attorney to prepare a standard HIPAA authorization for use in your practice. Then, implement policies and procedures for releasing PHI to third parties and provide training to your staff. In the meantime, though, here are some of the elements required for a patient authorization to release PHI to third parties:

• A description of the information “to be used or disclosed that identifies” the information in “a specific and meaningful fashion” (e.g., a specific date or entire medical record).
• The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure (e.g., physician name, practice name).
• The name or other specific identification of the person(s) or class of persons to whom the healthcare provider may make the requested use or disclosure (e.g., potential employer or attorney).
• “A description of each purpose of the requested use or disclosure” (e.g., pre-employment physical).
• “An expiration date or an expiration event that relates to the [patient] or the purpose of the...use or disclosure” (e.g., June 3, 2003, or when the record is disclosed to potential employer).
• Signature of the patient, date, and—if the authorization is signed by a personal representative of the patient—a description of the representative’s authority to act for the patient.
• A statement allowing the patient the right to revoke the authorization in writing and a description of how the individual may revoke the authorization, as well as any exceptions.

The provider must supply the patient with a copy of the signed authorization and retain all signed authorization forms for six years from either the date of the form’s creation or the date when it was last in effect, whichever is later. For more resources on creating and verifying a valid authorization, see this HHS decision tool. And here is a sample authorization form you can use as an example for building your form. 

Question 5: Our patients love us! We want to post pictures of our patients and their testimonials on our website. Is a patient picture and name considered PHI? Does the patient have to give us permission first?

Answer: Pictures of patients’ faces and/or their names are considered PHI. And yes, you do need each patient’s written consent first before you post pictures and names on your website.

PHI used for marketing purposes and for purposes beyond what is allowed by the HIPAA Privacy Rule (i.e., treatment, payment, or healthcare operations) require the patient’s advance written authorization. A PT provider was fined $25,000 for using a patient’s PHI for marketing without consent. The provider was not only fined for posting PHI on the clinic's website without authorization, but also for failing to reasonably safeguard PHI and implement written policies protecting PHI.

That brings me to my final—and arguably, most important—point: Performing a comprehensive, enterprise-wide risk assessment is your failsafe approach to ensuring compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The risk assessment helps you understand what HIPAA regulations require of you, as well as identify the gaps in your practice that create risk of unauthorized use and disclosure of PHI. For example, are you missing crucial policies and procedures? Do you have a knowledge gap about the requirements? Has your staff been trained on the rules?

SunHawk Consulting’s sample HIPAA Uses and Disclosures Policy details the HIPAA Privacy Rule as it pertains to uses and disclosures of PHI. This policy is included with the HIPAA Check™ risk assessment tool, which is customized for WebPT Members and available on the WebPT Marketplace. Our HIPAA Check™ risk assessment tool, which is also available on our website for non-WebPT users, can help you project-manage your risk assessment and remediation plan. In the end, you will feel more confident about the deadlines for fulfilling patient records requests, as well as the authorizations required for releasing PHI to third parties.