Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), which was passed by Congress in 1996, specifies who can access or retrieve a patient’s medical records. This law set limits on the use and release of medical records, and established a series of privacy standards for health care providers. A provider’s security and privacy obligations under HIPAA are fundamentally unchanged by transitioning to an EMR system, but may require adjustments in practice.
Providers must inform patients of their HIPAA privacy and security rights, and must outline the policies and procedures they undertake to meet these obligations. While a health care provider owns a patient’s medical records, the patient has a right to access and ask for copies of the original medical record. Providers may not charge patients for locating and providing access to these files, but may charge “reasonable fees” for making copies, if so requested. The limits of “reasonable fees” are set by state law and vary widely. HIPAA does not prohibit charging attorneys or insurers a search and retrieval fee in addition to any copying fees.
Note that HIPAA requires medical records to be retained by a provider for at least six years after the later of the date of creation or the date when last in effect. State laws may require longer holding periods.
In the case of other providers who are covered entities, patient authorization is not required for disclosure to another health care provider for patient treatment or payment. Patient authorization is not required for health care operations if the receiving party also has a relationship with the patient and the information disclosed is used for performing care quality assessment, performance review or training, or for fraud detection.
In addition to specifying access rights for patients and limiting fees they may be charged, HIPAA also limits disclosure or release of patient medical records to third parties without patient authorization.
There are numerous special situations, but the most common involve requests for information regarding deceased individuals and minors. In the case of records for a deceased person, a death certificate and legal documentation appointing a valid representative of the estate are both required for any information release. In the case of a minor, which in most, but not all, cases is someone under age 18, written consent from the parent or other legal guardian is required for information release.
If you receive a subpoena, HIPAA requires a health care provider to obtain “satisfactory assurances” that the patient whose records are being requested has received notice of the subpoena or request, has had adequate time to consider it, and has not objected to it. However, so-called “super-confidential” information is protected by more stringent rules, which can complicate compliance efforts.
Super-confidential medical records containing drug and alcohol, mental health and HIV information are subject to more stringent federal and state laws. As a result, physician practices must determine if medical records contain super-confidential information before releasing them. Generally, a physician practice can release these super-confidential records only upon a court order or upon receipt of a HIPAA Authorization signed by the patient which explicitly acknowledges that the records contain drug and alcohol or mental health record information.
Another exception is made for information related to mental health treatment, which in many cases need not be released even at the patient’s request.
These provisions are complex, and it’s important to make sure that all personnel at your practice understand these compliance issues and that they have ready access to a manual outlining appropriate procedures. In addition, it is good practice to ask for written authorization from patients to release information when possible, regardless of the situation. While redundant in many situations, penalties for willful non-compliance or negligence in meeting HIPAA security and privacy rules can be substantial.
TAKEAWAYS
Patients have privacy and security rights under HIPAA.
Providers must inform patients of these rights and inform them of procedures and policies they use to meet these privacy and security standards.
Patients have the right to view their records, and to request copies. Reasonable fees may be charged for copies.
Release of information is always exempted when shared with another HIPAA covered entity for purposes of patient care. There are other exceptions.
Rules are complex, and penalties can be substantial for noncompliance.
Staff need to be trained and written guidelines need to be circulated in order to ensure compliance.
Post-HIPAA, the best practice is to require the patient to sign a HIPAA Authorization requesting a copy of the medical record.
