Experts reveal how to respond to non-patient PHI requests
All requests are created equal, right? Wrong. The privacy rule outlines what - and how much - information you have to disclose to those who request your patients' PHI. Follow these steps to help your organization avoid a PHI blowout.
SEARCH FOR CLUES
"Scrutinize any requests for patients' information for clues about how much PHI they really need," advises Diann Brown, Director of Health Information Services at Harris Methodist Fort Worth Methodist Hospital in Fort Worth, Texas.
The general rule of thumb is that you always disclose as little information as you can get away with, says Ann Bittinger, an attorney with Jacksonville, FL's Bittinger Law. Some common phrases to look for that can narrow your disclosure boundaries are:
Once you see these terms, you should zero in on them, "cull through the patient's record and pull out that specific information" to send to the requester, Brown counsels.
CRAFT A SKILLED TEAM
"We trained a group of specialists to deal with requests," Brown shares. And within that group, "each release-of-information specialist handles a certain type of request." Example: One team member handles all the insurance requests, while another grapples with subpoenas, she clarifies.
As specialists become proficient in their assigned duties, they can quickly narrow in on what the requester is asking for. They can also quickly spot trouble and pull that request out for further investigation rather than simply respond to it, Brown points out.
ROOT OUT THE BAD APPLES
Responding to an invalid request can put you in the hot seat with your patients - even if you only supplied the minimum amount of information necessary, Bittinger warns.
Good idea: Train your team to do some legwork if they think a request is fishy, Bittinger recommends. "We compare signatures, check ages and dates and ask for more information if a request doesn't seem legitimate," Brown says.
Sometimes the problem lies with the requester, Brown notes. Be prepared to question them about what they want, she advises. Example: A patient's authorization to disclose her information is accompanied by a cover letter. The cover letter asks for the entire medical record; the authorization is for the patient's treatment records following a car crash. "You can only supply what the patient authorized," Brown emphasizes.
THE BOTTOM LINE
Minimum necessary disclosures, like all releases of a patients' information, must be included in an accounting of disclosures, Bittinger notes. And be sure that your staff sticks all requests for information - and your responses - in the appropriate patient file for record keeping, she adds.