Upload: walter-potter
Post on 17-Dec-2015

IOD Client In-Service

Release of Information - Basics2

LAWS – Protected Health Information

Protected Health Information is covered under HIPAA, which is a Federal Law (45 CFR Part 160).

In Washington State, PHI is covered under RCW 70.02, which is also known as the Uniform Healthcare Information Act.

Federal law supersedes state law in most cases; however, under HIPAA the law that applies is whichever is more stringent.

Definitions

• TPO: Stands for Treatment, Payment and Operations. Words used within HIPAA to describe releasing records without a patient’s authorization.

• Treatment (part of TPO): The provision, coordination, or management of healthcare services by one or more healthcare providers who consult regarding a patient or refer a patient to one another.

• Payment (part of TPO): The activities undertaken by the healthcare provider to obtain reimbursement for the provision of healthcare.

• Healthcare Operations (part of TPO): 1.) Conducting quality assessment and improvement activities. 2.) Reviewing the competence or qualifications of healthcare professionals, or training of employees. 3.) Conducting medical reviews and auditing functions, including fraud and abuse protection. 4.) Business planning and development. 5.) Business management and general administrative activities of the entity.

• Disclosure: The release of information to anyone outside of the entity holding the information.

• Covered Entity (CE): A healthcare provider who maintains any form of PHI.

• Business Associate (BA): A company that provides a function or activity involving the use or disclosure of PHI on behalf of the covered entity.

• Designated Record Set (DRS): A group of medical records or billing information that is maintained by the CE and has been determined to be what they consider their legal record for patients.

• Protected Health Information (PHI): Individually identifiable information that is created for an individual for health purposes.

• HIPAA: Health Insurance Portability and Accountability Act. Federally mandated laws created to: 1.) Protect PHI by setting standards for its privacy and security. 2.) Combat waste, fraud and abuse in health insurance and healthcare delivery. 3.) Improve portability and continuity of health insurance coverage. 4.) Provide patients with quality care and unburdened access to their PHI. 5.) Reduce costs and administrative burdens by standardizing electronic transmission of administrative and financial transactions.

Security - Confidentiality

Security and confidentiality are everyone’s responsibility.

• Help safeguard PHI by:
– Closing charts or turning over PHI when you leave your work area.
– Minimizing programs with PHI when not in use.
– Locking your work station or logging out of your work station if you leave your work area.
– Keeping conversations limited and quiet when discussing patients in areas where individuals who are not involved can overhear.
– De-identifying PHI that is used for training purposes.
– Limiting phone discussions to non-identifying information regarding PHI and specific patients.
– Protecting your work area from unauthorized individuals.
– Ensuring emails do not contain PHI or information on specific patients.
– Ensuring that any faxed PHI is sent to the appropriate fax number and verifying that the receiving fax machine is located in a secure area prior to sending.
– Limiting staff that has access to both hard copy and electronically stored information to only those who need access to do their work.
– Training staff on all laws that pertain to their work and the PHI they come in contact with.
– Protecting PHI by using secure shredding services appropriately.

Patient’s Rights

• It’s important to always remember that the patient’s rights should always come first, so it’s important to know the following:
– The medical records are the property of the Covered Entity that maintains the record. However, the patient has the right to review, receive a copy of, or request changes be made to that record.
– Patients must be given the Privacy Practices of the Covered Entity. This document gives them information on how, where, and when their personal information is stored or shared. It also gives them resources on who to contact for any concerns they have.

Penalties

• Offense — A person who knowingly and in violation of this part
– uses or causes to be used a unique health identifier;
– obtains individually identifiable health information relating to an individual; or
– discloses individually identifiable health information to another person,
shall be punished as provided below:

• Penalties — A person described in subsection (a) shall
– be fined, imprisoned not more than 1 year, or both;
– if the offense is committed under false pretenses, be fined, imprisoned not more than 5 years, or both; and
– if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined, imprisoned not more than 10 years, or both.

Authorization not needed

HIPAA clarifies that patient authorization is not needed for TPO.

Treatment = releasing records to healthcare professionals for care

Payment = releasing to insurance companies for payment of bills

Operations = for internal uses within the organization

Releasing PHI Required by Law

• In any instance where a covered entity is required by law to disclose records, HIPAA clarifies this is still allowed without the patient’s authorization.
– Examples: Department of Health for reporting of diseases, DSHS CPS for reporting abuse, Police for injuries from gunshot wounds, among others.

Valid Patient Authorization

In order to be HIPAA compliant, an authorization must contain all the core elements and the required statements listed in 45 CFR 164.508.

Core Elements

• Must be dated and signed by the patient or the patient’s authorized representative.
• State the name or class of persons from whom the information is to be disclosed.
• State the name of the entity who is to receive the information.
• A specific description of the information to be released.
• A description of the purpose of the disclosure.
• An expiration date or event.

Required Statements

• Must have a statement of the patient’s right to revoke the authorization and how the patient can do so.

• Must inform the patient that once the information is disclosed to the recipient, the information may then be re-disclosed and no longer protected under privacy law.

• For Covered Entities only: Must contain a statement that treatment, payment, enrollment, or eligibility for benefits can or cannot be denied if the authorization is not signed.

Invalid Authorizations

Any of the following will render an authorization invalid:
– One or more of the Core Elements or Required Statements are missing.
– The expiration date or event has passed.
– The Covered Entity is aware that information in the authorization is not true.
– The authorization is known to have been revoked.

Minors – Special Situations

Parents of minors should always sign consent forms if the child is under 18 and there is no sensitive information in the medical records (and the child has not been legally emancipated). However, there are special circumstances: the parents’ rights have been removed, the parents are deceased, or a guardian other than the legal parents has been appointed.

In such cases, there should always be legal documentation regarding legal custody, and a copy of these legal documents should accompany any signed release of information.

Examples:

Deceased parents/removal of parental rights: In cases of removal of parental rights or deceased parents, the court will appoint a guardian who will be legally responsible for the minor child. These documents can include: guardianship paperwork, guardian ad litem paperwork, or adoption paperwork, and in the case of removal of parental rights, you may also see court orders ordering the removal of parental rights together with the appointment of the guardian.

Minors – Sensitive Information

• If there is sensitive information in the child’s chart, the child must sign if they are:
– STD, AIDS: Age 14
– Mental Health: 13
– Drug/Alcohol treatment: 13
– Reproductive rights (birth control, abortion): Any age

Note: if the patient has been determined by the covered entity to be capable of consenting to their own care, then they must sign the release for those records.

Note: If the child has been legally emancipated (they will have court papers showing this), then the child must be treated under the law as if they were 18 years old.

Deceased Patients

The following may sign on behalf of a deceased patient (in the following order):

1. Personal Representative/Executor of the Estate
2. Whomever was appointed Power of Attorney for healthcare decisions prior to death
3. Spouse or Registered Domestic Partner
4. Adult Children
5. Surviving Parent
6. Adult Siblings

RCW 70.02.140

Durable/Power of Attorney

• Power of Attorney: A legal document that gives another person the control over your finances and/or decision-making at your discretion.

• Durable Power of Attorney: Same as a POA; however, the document only becomes valid if the principal (the person giving authority) becomes incapacitated.

Compulsory Process

All subpoenas must follow the Compulsory Process in Washington State.
– There must be advance notice of the legal intent to obtain records without the patient’s authorization.
– This notice must be in writing and at least 14 calendar days prior to the issuance of the subpoena.
– This notice must be sent to all the providers from whom the records are being subpoenaed as well as the patient or the patient’s attorney.

This notice is to allow the patient to obtain a protective order to quash the subpoena.

Subpoenas Basics

• Subpoena: A legal document issued by an Attorney, Judge, Justice of the Peace, Commissioner, Referee or other officer of the court, that compels the release of documents.

• Subpoena Duces Tecum: A subpoena that requires the recipient to produce certain documents when appearing before a court, at a hearing, a trial, or at a deposition.

• Court Order: An order signed by a judge compelling the release of documents to the court or attorneys. A court order supersedes a subpoena.

• Stipulations: A legal document in which all parties involved have recorded their agreement regarding the release of records. This must include or encompass the HIPAA compliant patient authorization.

Subpoena “Do’s” and “Don’ts”

• Always respond to a subpoena. You can either respond with the records or give verbal notification if there will be a delay in the release of the records. A non-response to a subpoena can result in contempt of court.

• Subpoenas are not sufficient to release sensitive information. You must have a court order or the patient’s authorization.

• Subpoenas for Worker’s Compensation cases do not have to follow the compulsory process. You may fulfill these requests without the NOI (notice of intent), as records can be sent to the requester without a subpoena or patient authorization.

Worker’s Compensation

Medical records of a worker claiming benefits under Worker’s Compensation laws can be released without the worker’s signature to L&I, the Attorney General, the employee’s employer or the employer’s representative.

Note: Covered Entities should develop a policy that encompasses how/when/if sensitive information will be released and whether or not dates of service will be limited to accident-related only.

IOD’s Policy: IOD releases all information requested on a patient who has filed for L&I benefits, including records regarding STD, HIV/AIDS, and mental health, regardless of how the information is related to the claim. We do not, however, release any information regarding past, current or future treatment for drug and alcohol abuse.

Law Enforcement

Law Enforcement may have access to PHI w/o a patient’s authorization:

• If they are investigating the abuse of a child.
• If they have brought or caused an individual to be brought to the facility for involvement in criminal activity, including injuries that pertain to gunshot wounds, stabbings, or other injuries believed to have been intentionally inflicted on the individual.
– The information released must be limited to the patient's name, residence, sex, age, occupation, condition, diagnosis, estimated or actual discharge date, or extent and location of injuries as determined by a physician, and whether the patient was conscious when admitted.
• If they provide a search warrant.
• In the event there has been criminal activity on the grounds of the facility and the records are needed to investigate the crime. An example: identity theft.

Patient Access Fees

Patients have the right to have access to their records, which includes a copy of that record. However, HIPAA clarifies that only cost-based per-page fees may be charged for those copies. Patients cannot be charged any fee based on retrieval or clerical work.

Washington State per-page fees*:
$1.02 – Per page for pages 1-30
$.78 – Per page for each page thereafter

In addition to the per-page fee, a provider may also charge:
Actual postage
Sales tax

These rates are re-addressed bi-annually (rates as of 6/11). Please note: Some facilities may choose to designate a different set of fees for their patients; please see your administrator for final determination on how much to charge a patient.

*Washington State rates are based on the pricing index for the Greater Seattle area. They have been argued to be considered cost based; however, the law states that these are the maximum allowable, and it has been argued that legally less can/should be charged if there is no proof of the cost for the maximum allowable. Each CE should determine their rates based on their cost.

Sensitive Information

Drug/Alcohol Treatment records, Mental Health, HIV/AIDS, and Sexually Transmitted Diseases are all covered under their own laws.

If a chart contains any of the sensitive items, you must obtain a HIPAA compliant authorization that encompasses the information before it can be released, with a few exceptions:
– Sensitive information can be shared with another healthcare provider if the information is needed to provide healthcare to the patient.
– Upon receiving a court order.
– To L&I, Self Insured, or employer/representative.
– For TPO.
– There may be other situations depending on the requesting party and the information in the chart; when in doubt contact your Risk Manager.

Verbal Release

• Verbal information should be extremely limited; think twice before you give any information over the phone!

• An HIM department should develop a policy that directly relates to verbal release.

• According to HIPAA a patient has the right to “opt out” of a facility’s directory. This means that a caller may not be informed that a patient is in the hospital. This can be very difficult to manage. Review your facility’s policy before giving information over the phone.

• If you have not been informed that you can release specific information to a caller, it is always best to ask for a written request for the information and route that request to the appropriate department or individual. This helps to eliminate a potential breach of information.

• Always respond immediately to any time-sensitive requests that could impact patient care.

• When in doubt, speak with your immediate manager.

Faxing

• It is best practice to only fax PHI for urgent patient care.
• Whenever possible use the mail as the delivery method for PHI.
• Covered Entities should have a set faxing procedure.

Extra precaution should always be taken:
– Verify with the requester that the fax number they have given is located in a secure location.
– Once you have been given the fax number, read it back to the caller slowly to double check for error.
– When you fax information, fan through the pages verifying that you have only the patient you intend to fax in the stack.
– When compiling the information, you should only send information that is needed to provide the immediate care. If the doctor is requesting all information, then the minimum necessary rule should apply and the information should be limited.
– Type the telephone number carefully, double checking the read-out to see that it matches what you have written.
– Always use a cover sheet that includes verbiage informing the recipient that the information is confidential and should be kept as such. It should also inform the recipient of who to call if they have received the fax in error.

Accounting of Disclosures

HIPAA introduced the patient’s right for an accounting of all individuals/entities that have received the patient’s records.

An accounting must be made for all disclosures regardless of type (a change due to HITECH), including disclosures for TPO (if the CE maintains an EHR).

The accounting must inform the patient of who the information was released to, a specific description of the information disclosed and the date of the disclosure.

Amendments

• Patients have the right to request an amendment of their record.
• CEs have the right to accept or deny the request.
• Once a request is denied, the patient then has the right to send in a rebuttal in writing.
• Regardless of whether the amendment has been accepted, all documentation regarding the request (the denial and rebuttal) must accompany the document in question for all future disclosures.
• If the facility chooses to accept the amendment, they are then required to send the amended information to anyone the patient requests, as well as to anyone the incorrect information was sent to in the past, if the facility feels the information was used to make a decision about the patient.

Minimum Necessary

• Definition: When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Minimum necessary does not apply to:
– Disclosures to the patient themselves
– Disclosures pursuant to a patient’s authorization
– Disclosures that are required by law
– Disclosures for Treatment*

*The minimum necessary requirement applies to CEs; however, it is the requesting CE’s responsibility to only request that information which is needed to fulfill their needs.

Helpful Websites

• American Health Information Management Association: www.ahima.org

• Washington State Health Information Management Association: www.wshima.org

• Revised Code of Washington (RCW): http://apps.leg.wa.gov/rcw/

• Code of Federal Regulations (CFR): http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html

HITECH

HITECH: Health Information Technology for Economic and Clinical Health Act; it was part of Obama’s stimulus package.

HITECH is a recently passed act that came into law in 2009. This act added additional security methods and new requirements for CEs across the board. Different pieces of this law have effective dates that are spread out over time. CEs also need to determine how the laws apply to them, as some of the new laws pertain to EHRs and the length of time the EHR has been in use.

HITECH Changes

Key to acronyms:
• BA = business associate
• CE = covered entity
• HHS = Department of Health & Human Services
• HIE = health information exchange

Issue | HIPAA | HITECH Act
Is a BA a CE? | No | Yes -- subject to HIPAA Privacy and HIPAA Security rules
Data breach enforcement | Collaborative investigation involving HHS and CE | HHS investigation to determine willful neglect (1); expanded to include individual employees at CE and BA
Data breach penalties | Minimum of $100, maximum of $25,000 | $100 to $50,000 per violation, with yearly maximum of $25,000 to $1.5 million and mandatory penalties for willful neglect
Sale of PHI | Allowed | Prohibited by CEs and BAs without valid authorization, save for certain conditions (2)
Dissemination of PHI to patients electronically | Only if readily available | Must be provided, fee cannot exceed labor cost

(1) The "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated"
(2) Public health activities; research; treatment; services rendered by a BA; or "the sale, transfer, merger, or consolidation of all or part of a CE"

Patient Requesting EHR Electronically

• The HITECH law also gives patients the ability to obtain a copy of their electronically stored healthcare record, to be delivered to them electronically.
– This affects any CE who stores health information electronically by certain dates (CEs should refer to the criterion for dates of creation to determine if they are required to meet this measure).

• What are the requirements:
– If a patient requests their records to be sent to them for their own use and to be delivered electronically:
• The CE has 3 days to return the electronically stored information in an electronic format (CD, Patient Portal, External device).
– This only applies:
» to the electronically stored information
» when the patient is requesting the copies for their own use and to be sent to them directly
» to a subset of the electronically stored information (does not cover each and every page)
– The CE can only charge a cost-based fee (IOD charges $7.50)

Overview - Good Faith

When releasing records it’s always better to err on the side of caution. It is our responsibility to protect the patient’s rights, even if that seems inconvenient at times. It’s important to take all factors into consideration, including the emergent needs of the patient.

Washington State law: RCW 70.02.050
• Disclosure without patient's authorization.
• (1) A health care provider or health care facility may disclose health care information about a patient without the patient's authorization to the extent a recipient needs to know the information, if the disclosure is:
– (d) To any person if the health care provider or health care facility reasonably believes that disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual, however there is no obligation under this chapter on the part of the provider or facility to so disclose;
– (e) To immediate family members of the patient, including a patient's state registered domestic partner, or any other individual with whom the patient is known to have a close personal relationship, if made in accordance with good medical or other professional practice, unless the patient has instructed the health care provider or health care facility in writing not to make the disclosure;

Questions?
