OASIS Alert

HIPAA:

Don't Jump to Meet Every Lawyer's Records Request

Being too helpful with patients' confidential information could be a HIPAA violation.

When an attorney calls your agency and demands that you turn over one of your patients' medical records for use in a court case, how quick are you to respond? If he follows up the call with a faxed order for the information, do you send it over immediately?

Slow down. Before you provide any information, you must ensure that the attorney has authorization from the patient to release the personal health information (PHI), or has other legal documentation proving that you can send the information.

"Covered entities and business associates should exercise great caution when responding to such requests," advises Abner Weintraub, president of The HIPAA Group Inc., a HIPAA training and consulting firm in Orlando, Fla. "The best advice here is to take your time, investigate, and be sure of what you are doing," he says.

"Law firms are often intentionally intimidating in their phone or written requests for documents and data," Weintraub says. "And while it may feel awkward not to respond immediately with the requested information, disclosing PHI to a law firm or attorney unlawfully can itself be a costly HIPAA violation. With the recently increased HIPAA penalties instituted by the HITECH Act, the consequences for unlawful disclosures can be devastating," he warns providers.

The following steps can help you determine when you should -- and shouldn't -- comply with an attorney's request for medical records:

Step 1: Check for Patient Release

Once an outside party asks you for access to a patient's records, you should check the patient's HIPAA release form to determine whether she has authorized you to share the records with the requesting party. In many cases, a patient will authorize you to share her medical records only with her spouse, children, or caregiver, and not any outside parties. In the absence of such a form, ask the requesting attorney if he has a signed HIPAA release form on hand.

"If the law firm represents itself as being the patient's law firm, it should provide [you] with a HIPAA-compliant authorization for the release of medical records executed by the patient," advises South Florida-based health care attorney Deborah Green. "Just to make extra sure, I would recommend contacting the patient to find out whether it is actually the patient's signature. If so, keep the authorization in the patient's file and send the records," Green says.

Step 2: Determine Whether a Court Order Exists

If you don't have a release form from a patient, you should then find out whether the records request falls under a court order. "HIPAA imposes restrictions on the circumstances in which records can be released in a legal proceeding," says Heather Cook Skelton, a health care attorney in Charlotte, N.C.

A release is permitted if it is (1) pursuant to a court order and the provider discloses only what is specifically included in the order, or (2) in response to a subpoena or discovery request that is not accompanied by an order, if the provider receives 'satisfactory assurances' from the party seeking the information that reasonable efforts have been made to inform the patient of the request, Skelton says.

What that means: "'Satisfactory assurances' is defined as written confirmation that the requesting party has made a good faith attempt to notify the patient in writing, which should contain an explanation of the proceeding and a description of the protected health information that has been requested in enough time for the patient or his or her legal representative to object," Skelton says.

In the absence of such satisfactory assurances, if a subpoena is coupled with a qualified protective order (QPO) that has been agreed to and presented to the court, or has been requested from the court by the attorneys seeking the records, then the attorney has the right to request the patient's records, Weintraub says.

Step 3: Only Disclose the 'Minimum Necessary' PHI

Even if an attorney has the legal authorization to request a patient's PHI, he may not have legal access to the entire patient record, Weintraub says. When creating the HIPAA laws, the Department of Health and Human Services wrote, "A covered entity making a disclosure ... may of course disclose only that protected health information that is within the scope of the permitted disclosure." If a court order does not specify which parts of a patient's records you should send to the attorney, you must "make reasonable efforts to limit the information disclosed to that which is reasonably necessary to fulfill the request," the law states.

One last tip: If you have grounds to refuse to provide the attorney with medical records, you should also refuse any verbal requests that he might make. One provider says that after she refused to send a patient's medical records to an attorney, the lawyer asked her, "Well then can you just tell me if there is anything in the record about alcohol abuse?" "Releasing PHI verbally is also a violation of HIPAA," says attorney Michael Schaff with Wilentz, Goldman and Spitzer in Woodbridge, N.J. "Any disclosure of PHI which is unauthorized is a violation of HIPAA, even if a lawyer says it's part of a lawsuit," Schaff asserts.

Final say: "You'd need written authorization before you could release the information verbally, in writing, electronically, or otherwise," Schaff confirms.