Health Information Compliance Alert

Privacy Compliance:

Know When To Curb Your Patients' PHI Restriction Requests

Granting restriction requests could be disastrous for both you and your patients.

Do you know how to respond to a patient who asks you to keep her test results under wraps? While the privacy rule doesn't require you to grant requests for restrictions on how you use or disclose patients' PHI, it does oblige you to consider such requests. Our experts will help you make an informed decision.

Ask Yourself -- Can I Identify, Track and Follow Through?

You can't grant every request that comes your way, says attorney Karen Owen Dunlop of Sidley Austin Wood & Brown in Chicago. As with all privacy rule demands, you have to figure out "what you can do based on your size and resources," she notes.

If your organization can't identify, track and follow through on a patient's request, then you shouldn't grant it, experts agree. Example: "A patient may not want the world to know he's an alcoholic, but an anesthesiologist has to know that before she puts him under," explains Gaye Thomas, CCO for Williamson Medical Center in Franklin, TN.

"To grant that request, you have to filter the medical record every time another provider requests it," Thomas notes. Warning: If the patient were to have an accident that directly results from the problem you found, your office could be held medically negligent for not making other caretakers aware of the test's outcome, she says.

Plan Ahead For Privacy

You don't have to grant a restriction to ensure patients' privacy, experts concur. Try these methods instead:

Build confidentiality into your system. Rather than agreeing to a restriction promise she can't keep, Thomas says she finds other ways to protect patients' privacy. Example: Thomas applies "extra confidentiality to sensitive issues" like STDs, psychiatry notes and drug test results, she says.

Try this: Flag records that contain sensitive information so that getting into that file requires special permission, Thomas advises. Staffers then have to get permission before they access the flagged accounts -- and that keeps unauthorized disclosures at bay, she explains.

Change the payment method. "We restrict the information we give insurance companies when patients do self-pay," says Wendy Reynolds, director of the privacy program for Eastern Virginia Medical School in Norfolk. That way, the medical record never has to leave your office -- seriously diminishing the chances of a privacy breach, she explains.

Put physicians in charge. Your physicians should drive the restriction process because "they know how to deal with the medical information," Reynolds says. And most patients "won't write a letter to the privacy officer -- they'll ask their doctor" to restrict the information, she notes.

Put the rest of the privacy rule to use. "You can use authorization forms and confidential communications to restrict releases outside of treatment, payment and health operations," Reynolds asserts. Caution: It's "virtually impossible to restrict information inside your office" -- so don't agree to do that, she adds.

The Bottom Line

Learning and remembering the general privacy rule do's and don'ts can be extremely frustrating -- adding exceptions to those rules is even harder, Dunlop counsels. While the ability to "restrict disclosures makes sense on paper, it's hard to do as a process," Reynolds says. If you can't make restrictions reliably across the board, then you shouldn't make them, Thomas asserts. 
