Journal Feature Story Three

What to Know about Release of Information, Authorization, and Records Requests

By Jennifer Cosey
Eagle Associates

Questions often arise regarding the difference between a release of information or “ROI” form, an authorization, and a records request. HIPAA regulations do not use the term “Release of Information (ROI).” Many ROI forms are utilized as a multi-purpose document but often fail to meet regulatory requirements.

An authorization is used to disclose protected health information to a third party, often on an ongoing basis. Authorizations must contain specific elements/statements.

A simple records request is referred to as a Right of Access request within HIPAA regulations and is used when your own patient is coming to you directly and asking for a one-time copy of their record (or a portion of it). The patient/individual may ask you to send the record directly to himself or herself or indicate that you should send it to a third party. The Department of Health and Human Services has indicated that you should not impose an authorization form on a patient who is coming to you directly and just wants a one-time copy under their right of access.

Authorizations are required for disclosures made for purposes other than treatment, payment, or health care operations, or for a purpose not listed on your Notice of Privacy Practices. The following guidance from HHS will help to clarify when disclosures can be made without an authorization:

“‘Treatment’ generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

“‘Payment’ encompasses the various activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, to fulfill their coverage responsibilities, and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

“In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:

“Determining eligibility or coverage under a plan and adjudicating claims.


“Risk adjustments.

“Billing and collection activities.

“Reviewing health care services for medical necessity, coverage, justification of charges, and the like.

“Utilization review activities.

“Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

“‘Health care operations’ are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of ‘health care operations’ at 45 CFR 164.501, include:

“Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination.

“Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities.

“Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims.

“Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs.

“Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity.

“Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. General Provisions at 45 CFR 164.506.

“A covered entity may, without the individual’s authorization:

“Use or disclose protected health information for its own treatment, payment, and health care operations activities. For example: A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.

“A covered entity may disclose protected health information for the treatment activities of any health care provider (including providers not covered by the Privacy Rule). For example: A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.

“A covered entity may disclose protected health information to another covered entity or a health care provider (including providers not covered by the Privacy Rule) for the payment activities of the entity that receives the information. For example: A physician may send an individual’s health plan coverage information to a laboratory who needs the information to bill for services it provided to the physician with respect to the individual.

“A covered entity may disclose protected health information to another covered entity for certain health care operation activities of the entity that receives the information if:

  • “Each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship; and
  • “The disclosure is for a quality-related health care operations activity (i.e., the activities listed in paragraphs (1) and (2) of the definition of “health care operations” at 45 CFR 164.501) or for the purpose of health care fraud and abuse detection or compliance. For example: A health care provider may disclose protected health information to a health plan for the plan’s Health Plan Employer Data and Information Set (HEDIS) purposes, provided that the health plan has or had a relationship with the individual who is the subject of the information.”

Some common examples

Situations that require an authorization:

  • A patient wants a friend or family member to be able to contact your practice and obtain information about them on an ongoing basis. The patient identifies the level of access that the person they’ve named will have. Some patients might allow access only to billing information or appointment schedules; others may want to grant the person access to all of their clinical information.
  • A third party such as an attorney’s office, employer, or life insurance company contacts you for information on a patient. An authorization is required unless (a) there is a court-ordered subpoena or warrant and you’ve reviewed a copy of it to ensure the disclosure is permissible, or (b) you’ve received documentation from an attorney that they notified the patient of the request for PHI, gave the patient an opportunity to object to the disclosure, and that the objection period has now passed with no objection raised.
  • You want to disclose PHI to a third party for marketing purposes. Written authorization from the patient is required.
  • You want to disclose PHI for research purposes. Patient authorization is required unless you’ve received an Institutional Review Board waiver.

Required elements
For situations when you’ve determined that an authorization is required, there are specific elements that must be present on a HIPAA-compliant authorization form. You may receive an authorization from a third party who is requesting information on a patient of yours. You should check such authorizations to ensure they contain the required elements prior to making the disclosure. In addition, you can check your own authorization form against the list of required elements below:

  • A description of the information to be used or disclosed.
  • The individual or entity to whom the information may be disclosed.
  • Who is to make the disclosure (your organization).
  • An expiration date or expiration event.
  • A statement of the patient’s right to revoke the authorization.
  • A non-conditioning statement (e.g., signing the form is not a condition for receiving treatment).
  • A redisclosure statement (e.g., once disclosed, the covered entity does not have control over the recipient disclosing the PHI to others).

About the Author

Jennifer Cosey is president of Eagle Associates, which is endorsed by the MDA to provide HIPAA, OSHA, and Office of the Inspector General compliance assistance to member dental offices. Cosey has also been featured as a speaker at various MDA continuing education events. Contact her at [email protected].