3 steps help you avoid violating HIPAA laws in these situations. Picture this:
Absolutely not. First, you must ensure that the attorney has authorization from the patient to release the personal health information (PHI), or has other legal documentation proving that you can send the information.
"Covered entities and business associates should exercise great caution when responding to such requests," advises Abner E. Weintraub, president of The HIPAA Group, Inc., a HIPAA training and consulting firm. "The best advice here is to take your time, investigate, and be sure of what you are doing," he says. "Law firms are often intentionally intimidating in their phone or written requests for documents and data," Weintraub says. "And while it may feel awkward NOT to respond immediately with the requested information, disclosing PHI to a law firm or attorney unlawfully can itself be a costly HIPAA violation. With the recently increased HIPAA penalties instituted by the HITECH Act, the consequences for unlawful disclosures can be devastating," he reminds practices.
The following steps can help you determine when you should -- and shouldn't -- comply with an attorney's request for medical records.
Step 1: Check for Patient Release
Once an outside party asks you for access to a patient's records, you should check the patient's HIPAA release form to determine whether she has authorized you to share the records with the requesting party. In many cases, a patient will only authorize you to share her medical records with her spouse, children, or caregiver, and not any outside parties. In the absence of such a form, ask the requesting attorney if he has a signed HIPAA release form on hand.
"If the law firm represents itself as being the patient's law firm, it should provide the practice with a HIPAA compliant authorization for the release of medical records executed by the patient," advises South Florida-based health care attorney Deborah A. Green, Esq. "Just to make extra sure, I would recommend contacting the patient to find out whether it is actually the patient's signature. If so, keep the authorization in the patient's file and send the records."
Step 2: Determine Whether A Court Order Exists
If you don't have a release form from a patient, you should then find out whether the records request falls under a court order. "HIPAA imposes restrictions on the circumstances in which records can be released in a legal proceeding," says Heather Cook Skelton, Esq., a health care attorney in Charlotte, N.C.
"A release is permitted if (1) it is pursuant to a court order and the practice only discloses what is specifically included in the order or (2) in response to a subpoena or discovery request that is not accompanied by an order if the practice receives 'satisfactory assurances' from the party seeking the information that reasonable efforts have been made to inform the patient of the request," Skelton says.
What that means:
"'Satisfactory assurances' is defined as written confirmation that the requesting party has made a good faith attempt to notify the patient in writing, which should contain an explanation of the proceeding and a description of the protected health information that has been requested in enough time for the patient or his or her legal representative to object," Skelton says.
In the absence of such satisfactory assurances, if a subpoena is coupled with a qualified protective order (QPO) that has been agreed to and presented to the court, or has been requested from the court by the attorneys seeking the records, then the attorney has the right to request the patient's records, Weintraub says.
Step 3: Only Disclose The "Minimum Necessary" PHI
Even if an attorney has the legal authorization to request a patient's PHI, he may not have legal access to the entire patient record, Weintraub says. When creating the HIPAA laws, the Department of Health and Human Services wrote, "A covered entity making a disclosure...may of course disclose only that protected health information that is within the scope of the permitted disclosure." If a court order does not specify which parts of a patient's records you should send to the attorney, you must "make reasonable efforts to limit the information disclosed to that which is reasonably necessary to fulfill the request," the law states.
For instance, if an attorney requests information about a patient's bleeding episode that followed a hip replacement, you would most likely not need to also send the law firm information on a facial lesion that the patient had removed the prior year.
One last tip:
If you have grounds to refuse to provide the attorney with medical records, you should also refuse any verbal requests that they might make. One practice manager tells Part B Insider that after she refused to send a patient's medical records to an attorney, the lawyer asked her, "Well then can you just tell me if there is anything in the record about alcohol abuse?"
"Releasing PHI verbally is also a violation of HIPAA," says Michael F. Schaff, Esq., with Wilentz, Goldman and Spitzer in Woodbridge, N.J. "Any disclosure of PHI which is unauthorized is a violation of HIPAA, even if a lawyer says it's part of a lawsuit," Schaff asserts. "You'd need written authorization before you could release the information verbally, in writing, electronically, or otherwise," he says.