With cyber security such a hot-button issue, it’s no wonder everyone is trying to do their best to protect patient information. Threats exist beyond cyber too, and we do our best to make sure there is no breach, whether in person or on the web. However, many practices are unsure of the gray areas around releasing medical records while staying HIPAA compliant. It begs the question: is it ever okay to release medical records without patient consent?
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was designed as a privacy standard for protecting patients’ medical records and related health information provided to doctors, hospitals and other healthcare providers. This standard gives patients secure access to their medical records and more control over how their personal health information is used and disclosed.
HIPAA compliance involves fulfilling the act’s requirements along with its subsequent amendments, plus any related legislation, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
You may be wondering what the HIPAA compliance requirements are, but it’s not that cut and dried. Depending on where your practice is, the requirements may seem intentionally vague; they are written that way so that HIPAA can be applied equally to every type of Covered Entity or Business Associate that comes into contact with Protected Health Information (PHI). Compliance means adhering to the following:
- Implement Written Policies, Procedures & Standards of Conduct
- Designate a Compliance Officer & Compliance Committee
- Conduct Effective Training
- Develop Effective Lines of Communication
- Conduct Internal Monitoring & Audits
- Enforce Standards of Disciplinary Guidelines
- Prompt Responses with Corrective Action
The whole point of HIPAA is to keep confidential and private information protected from anyone who is not supposed to have access to it. This relies heavily on the guidelines of consent and authorization before sharing medical records, but there are some exceptions.
The main exception to specific authorization for the release of personal health information is that medical care providers can release information to other providers and entities who are participating in the patient’s care, and to businesses that provide services for those providers.
Physicians do not need a specific authorization to share information with the specialty consultants they engage, including labs performing medical tests and billing services. However, companies that provide services to healthcare providers have to agree to protect the patient’s information in the same way the provider must protect it. This agreement is documented in a HIPAA business associate agreement, which determines which outside businesses and consultants may share information.
Additionally, HIPAA allows medical information to be released when necessary to identify a patient. This is especially important after traumatic accidents, for example when a patient is struck by a car and brought into the hospital in a coma without any identification.
Generally, HIPAA allows the release of information without the patient’s authorization when, in the best judgement of the healthcare provider, it is in the patient’s best interest.
We’ve noticed, from the calls we’ve received, that many providers are reluctant to release information unless it is clearly allowed by HIPAA. In some cases, hospitals have refused altogether to tell relatives whether or not a patient is in the hospital, since it was believed to be a HIPAA violation.
We understand the confusion, but this will continue until the rules and regulations are presented with more specificity. Ultimately, use your best judgement.