It’s another busy day in your practice and your incoming mail includes requests for medical record copies for three of your patients. The first request is a hand-written note from a patient; the second is a demand from a copy service, asking on behalf of a worker compensation carrier who is handling a patient’s injury coverage; and the third is a three-page document from an attorney who indicates that their office represents another of your patients. None of these documents look alike; how do you know which ones to comply with, and exactly what information can you release? First, let’s address the question of whether to release records. The New Jersey Board of Medical Examiners’ regulations (13:35-6.5(c))[1] and the federal government’s HIPAA statute give patients the right to a copy of their own medical information, except in cases where the physician feels that subjective information contained in the record could cause the patient emotional or physical harm. Situations in which medical information could cause a patient to do harm to themselves, or suffer serious emotional trauma, are unusual; so in most cases your patient has a right to a copy of their records. You may offer to write a summary of the record for the requesting party. This is not done frequently because physicians rarely have the time to write this summary; and requestors usually want the actual record copy. However, it can be helpful in situations where the record covers many years of care, and copying would represent an excessive use of time and material resources. If the patient authorizes it, a copy of their record may also be given to their representative. This representative could be a family member, an attorney, or another person designated by the patient. How is a patient’s medical information appropriately released? HIPAA refers to the patient’s medical information as Personal Health Information, or PHI; and requires that each practice have specific policies and procedures on appropriate release of this PHI. All staff in the practice must, by HIPAA regulation, be trained in this release policy so that a patient’s confidentiality is not breached unintentionally or without authorization. There are situations when PHI may be released without obtaining the patient’s specific authorization: record information can be released for treatment purposes, as in sending copies to a physician you have asked to consult; information can be released to providers so that you may be paid for your services; and information may be used for the healthcare operation of your practice. Information used for the healthcare operation of your practice could be data extracted from records for quality management and similar studies. Some disclosure is also required by law. For instance, PHI may be released to a coroner for the purpose of identifying a decedent or determining the cause of death; a practitioner is required to report certain communicable diseases, gunshot wounds, or abuse (child and elder); and records are also released for peer review. Other release of PHI must be officially authorized by the patient or their surviving representative[2]; and HIPAA is clear in its description of valid authorizations. According to HIPAA regulations an authorization must: ·     Be in writing ·     Be in specific terms ·     Be in plain language ·     Include language which gives the authorizing party the right to revoke the authorization in writing at any time ·     Identify: §         who wishes the information disclosed §         to whom the information is to be disclosed §         the expiration date of the authorization[3] Authorization does not automatically free an office to release certain private information. Forms should have areas wherein the patient or representative can specify whether to release information on HIV, psychiatric issues, drug/alcohol issues, or sexually transmitted diseases. If these areas are not specifically referenced in the release form, the office should contact the patient to obtain explicit permission or denial for the release of any of this sensitive information. Occasionally, a patient or their representative family member may request record copies verbally. This request may come in a phone call or in person. To prepare for this situation, each office should have a HIPAA-compliant authorization form available for the requesting party to complete. As required by HIPAA statute and noted earlier, all office staff should be trained to understand the patient’s right to their records; training should also include staff awareness of the authorization form’s availability. A staff member’s comfort in this situation will help reassure patients of their right to their records, and assure them that the office will assist them willingly. If the record is requested by a member of the patient’s family, however, the office has both a right and a responsibility to ascertain whether this family member is the patient’s designated representative. If the patient is in charge of their own affairs then the patient must sign the authorization. [1]  New Jersey Office of the Attorney General, Division of Consumer Affairs, State Board of Medical Examiners, Statutes and Regulations, http://www.state.nj.us/lps/ca/bme/bmelaws.pdf, April 2006, page 182. [2] “What Do I Need to Know About Releasing Copies of Medical Records of Deceased Patients in My Practice?” Risk Review: a Publication of Princeton Insurance, Archives, Ask the Expert, January 2007. [3] U.S. Department of Health & Human Services, HHS.gov, Health Information Privacy, Summary of the HIPAA Privacy Rule, Authorized Uses and Disclosures, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.   Continue to pg. 2