Health Information Compliance Alert

Mythbusters:

Shatter 4 Prevalent HIPAA Disclosure Myths

Tip: Get a grip on Right of Access rules.

Even if your staff aces HIPAA Privacy Rule compliance, they may still get confused over permissible protected health information (PHI) disclosures. In fact, many practices are quick to deny disclosure requests before they know the details and whether that particular request is allowable under HIPAA.

Warning: Not following through on a permissible disclosure can get you into just as much trouble as making a prohibited one.

Check out four common myths on PHI disclosures under HIPAA with tips on when it’s OK to disclose — and when it’s not.

Yes, Treatment-Related Disclosures are OK

Myth 1: HIPAA prevents or limits healthcare providers from sharing PHI between each other to provide care for a patient.

Reality: This is not true. HIPAA allows the disclosure of health information for treatment purposes. In addition, HIPAA does not require a business associate agreement (BAA) in order for a provider to share health information for the purpose of treating a patient.

In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between healthcare providers AND the “coordination or management of health care” by a provider and a third party, HHS Office for Civil Rights (OCR) guidance indicates.

Provide Broad Access to Your Patients

Myth 2: Patients do not have an unfettered right to access their entire medical record.

Reality: If you (like other providers) feel that your practice, not the patient, has ownership of the patient’s PHI and you have no obligation to give the patient unrestricted access, you’re wrong. And this opinion has led to more than one federal investigation. In fact, the current tally of Right of Access cases stands at 19 since OCR instituted its Right of Access Initiative in 2019.

You must allow individuals to request access to their own records, for a reasonable cost-based fee, and you only have 30 days of turnaround time to get patients their data.

Plus: Under the Right of Access provision, you must provide individuals with access to their records in a designated record set (DRS). For example, if your patient asks for a copy of his records, you would give him a copy of whatever is in his DRS, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. And if the patient wants to amend his records, you would amend whatever records exist in the DRS.

Additionally, you must furnish laboratory information to the patient or his authorized representative. HIPAA gives patients broad rights to access their health information, and healthcare providers are required to honor patient requests. Denial of such access could constitute a HIPAA violation. Patients are also not required to fill out an Authorization for Release of Records when requesting their own healthcare information.

Caveat: There are a few exceptions to patient access rights under HIPAA. These include exceptions for psychotherapy notes, as well as health information for civil, criminal or administrative proceedings.

Keep Public Health and Safety Threats in Mind

Myth 3: HIPAA prohibits disclosure of PHI, even if that disclosure might minimize a threat to health or safety.

Reality: HIPAA allows the disclosure of health information to minimize an imminent threat to health or safety of an individual or of the public. You can disclose PHI to persons reasonably able to prevent or lessen the threat.

HIPAA also permits covered entities (CEs) to disclose PHI to law enforcement authorities to identify or apprehend an individual where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody. Additionally, you can disclose PHI to law enforcement when an individual makes a statement admitting participation in a violent crime. In cases like these, the CE must reasonably believe that serious physical harm to the victim would result without the disclosure.

What’s more: According to OCR, HIPAA allows disclosures of health information to help with public health and safety issues to:

  • Prevent disease;
  • Help with product recalls;
  • Report adverse reactions to medications;
  • Report suspected abuse, neglect, or domestic violence; and
  • Prevent or reduce a serious threat to anyone’s health or safety.

PHE reminder: HIPAA still applies to CEs and their business associates (BAs) when the government calls a public health emergency (PHE) like it did for COVID-19, and both must continue to safeguard patients’ privacy the best they can. However, if a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains OCR in COVID-19 PHE guidance.

Beware: Keep in mind, however, that HIPAA has some key exceptions to this disclosure for mental health counselors, and your state law may further restrict the extent of these disclosure exceptions.

Comply with Your State’s Legally Mandated Disclosures

Myth 4: Complying with state laws that require certain disclosures violates the HIPAA Privacy Rule.

Reality: The HIPAA Privacy Rule actually contains an exception specifically involving disclosures required by state law. Common state-law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds like a bullet wound.

HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential. Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.

Bottom line: Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly federal investigations and fines.