Q&A: Mixing Clinical and Financial Data in the Patient Portal
Be sure finances have no bearing on the clinical basis supporting patient treatment.
by Michael D. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO
Q: Our practice has been communicating with patients through a patient portal, and we have run into a possible legal issue.
Suppose a patient sends a message to the practice through the portal regarding a financial concern. The billing department (where I work) replies through the portal. Any message or question sent by the patient to the practice, or vice versa, is called a “patient case.” All patient cases are automatically saved into the chart, unless manually deleted.
Our concern is that financial records are supposed to be separate from the medical record. Our practice manager has addressed this with the electronic health record vendor, but the vendor is unsure of what can be done to prevent the financial records from going into the medical record. Some of the “patient cases” have been manually deleted, but that raises the question, “Why are things being deleted from the chart?” What do you advise?
A: Based on the limited information provided, any obligation to retain patient communications regarding financial issues would most likely arise through the provider’s state licensure regulations. HIPAA is largely irrelevant to the premise of your question because it creates no duty to create health information. Once created, however, financial records/communications pertaining to patient care are included within the definition of health information, individually identifiable health information, and protected health information (see 45 C.F.R. §160.103), and are subject to the rule. There are also requirements under the security rule to preserve electronically stored heath information after it has been created.
Ultimately, look for a way to keep the financial communications separate from the clinical data in the patient chart, especially since they likely have no relevance to the necessity of provided services. That does not mean I advocate deleting those records. Perhaps your vendor can allow you to tag communications through the portal in a way your system recognizes them as “admin” or financial records, thereby triggering automatic storage in a separate part of the chart. This would preclude improper disclosure during routine printing of clinical notations. When such segregation is not possible and you are asked to provide records to a health plan, you’ll need to determine if the financial records are within the scope of those records necessary to serve the purpose of the carrier’s request. If not, you must prevent disclosure of those records consistent with your obligations under the minimum necessary disclosure rule. Because such communications are not usually relevant to a carrier’s pre- and/or post-payment coverage analysis, separate storage would prevent accidental disclosure.
I am concerned about your ability to delete records in your system. Be certain to only use this function consistent with your state licensure and HIPAA record retention obligations. Where a deletion is permissible, it’s also good practice to keep a log of what was deleted, and why.
Michael D. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO, serves on the AAPC’s National Advisory Board (NAB) and Legal Advisory Board (LAB), and also is AAPC Ethics Committee chair. He has over 20 years of experience in healthcare coding and over 16years as a compliance expert, forensic coding expert, and consultant. He has provided expert analysis and testimony on coding and compliance issues in civil and criminal cases and his law practice concentrates on representing healthcare providers in post-payment audits and with responding to HIPAA OCR issues. He speaks on a national level, and is published in national publications on a variety of coding, compliance, and health law topics. He is a member of the Johnstown, Pennsylvania local chapter.