Health Information Compliance Alert

Published on Thu Jan 03, 2013 PDF

Not sure when to secure patient authorizations? You’re in luck, because we had an expert show us the ropes when dealing with authorizations and the HIPAA privacy rule:

Scenario #1: An adoption agency has contacted your office seeking the medical records of a patient who is applying to be an adoptive parent. The patient even calls in and tells you that it’s fine to send the records to the agency.

Is a written authorization still required before releasing this protected health information? Absolutely, according to Bill Sarraille of Washington- based Arent Fox Kintner Plotkin & Kahn, who walks us through a few hypothetical examples dealing with authorizations and the HIPAA privacy rules. It’s an uncommon request that falls outside HIPAA’s authorization-exempt categories of treatment, payment or health care operations, as well as the required and permitted disclosures without patient permission. “It doesn’t matter that the patient gave oral consent here, and therefore a written authorization will be required,” he explains.

Scenario #2: A patient moves from one city to another, and immediately finds herself a new primary care physician. A receptionist at the new doctor’s office calls her old physician’s office and asks for some x-rays to be sent. Can the old doctor’s office send them, or is authorization needed?

The consensus for this situation is that no authorization is required, opines Sarraille, “because they’re both treatment providers and there seems under the final rule to be a significant opportunity for  treatment providers to share information with one another even where an authorization is not present.”

Sarraille, however, urges covered entities to familiarize themselves with state privacy laws for such a scenario. Even after HIPAA standards go into effect, a more protective state law demanding written consent for PHI transfers will trump federal law, he stresses. And, by the way, the fact that the receptionist makes the request rather than the physician doesn’t change things. Because the receptionist is acting as a member of the physician’s workforce, she is entitled to request, send and receive PHI on the doctor’s behalf, notes Sarraille.

Scenario #3: An elderly patient’s guardian calls your office seeking medical records. Is it ok to send them over or should you obtain an authorization first? The question in this case, says Sarraille, is what  exactly is the legal role of the guardian in relation to the patient’s health information? “A person can be a guardian for any number of purposes,” which may or may not include health care information  rights, he says. As a matter of process, he counsels, “you’d want to investigate what the authority of the individual was” and ask for documentation which evinces their guardianship status. If the guardian is the legal representative of the patient for health care information purposes, however, you can provide the information to the guardian without an authorization.

Scenario #4: A life insurance company writes your office to request medical records of one of your patients. Enclosed with their request is a consent form, signed by the patient, which agrees to release all  health care information to the insurance company. Is it ok, then, to release the records? This situation is very similar to the adoption agency request of Scenario #1, says Sarraille, because this is “not one of  the permitted or required disclosures without patient permission, and it is not for treatment, not for payment, and not for health care operations.”

As a result, your office should require a written authorization from the patient that complies with the HIPAA authorization requirements. The insurance company’s own consent form may or may not comply with those requirements.

One alternative solution that Sarraille suggests is “to simply give the records to the patient and have the patient then send them on wherever they want to send them.” The only possible snag here, he cautions, would be if the ultimate requestor of the PHI (i.e., the life insurance company or the adoption agency) doesn’t want the information “to go through someone else’s hands because they want the chain of custody of the documents to be clear” and “they don’t want anyone to have had the chance to have manipulated the information.” Barring these objections, however, sending the PHI on to the patient may be the simplest answer for everyone.

Scenario #5: A parent calls up your office and insists on a copy of his minor daughter’s medical records, which includes information relating to a recent abortion. Must you provide this PHI to the father or will you need an authorization from the minor? In the case of minors and their health information rights, it’s essential that covered entities turn to their state privacy laws, explains Sarraille.

“Federal standards by and large don’t change the system very much,” Saraille says, maintaining that state law determines whether or not a parent has access to a child’s medical records, even when such records contain PHI relating to pregnancies or STDs.

Despite the importance of HIPAA, the intersection of parental rights and minors’ PHI is “a place where state law remains paramount,” Sarraille reports.

Scenario #6: A patient walks into your neurology clinic, where it is determined that he fits the criteria for one of your clinical research studies. You then march directly over to the hospital’s institutional review board to secure a research authorization waiver.

Will you get the waiver to use the patient’s PHI for research purposes or will you need his written authorization? Clearly, you’re going to need to get the patient’s authorization to use his PHI for this study, insists Sarraille.

Any human subject enrollment that occurs after April 14, 2003 will require a patient authorization, unless the researcher is able to secure a waiver from the IRB or a privacy board.

In order to obtain a waiver, however, the researcher must be able to demonstrate that it is impractical to secure a written authorization. Since the patient in this scenario has a current or ongoing relationship with the clinic, then authorization will surely be required under HIPAA, states Sarraille.