By Adler Giersch PS
This memo is intended to set the record straight on what is and is not required in medical authorizations under HIPAA. We also hope this article halts and reverses the trend we are observing among health care providers, facilities and hospitals to allege that only their own medical authorization form is HIPAA compliant. This assertion is not correct, and leads to wasted time, resources and costs for all involved in requesting and reproducing patient records.
HIPAA was intended to streamline the processing of protected information by making the system flow more smoothly while also providing greater privacy for the patients information. In the medical-legal arena, HIPAA sets forth standard “core requirements” that must be contained in a medical authorization to release patient information. This allows for health care providers and hospitals to continue accepting medical authorization forms from attorneys that contain those required elements without creating an overwhelming jungle of specific forms for each hospital or health care facility. Here is what HIPAA does and does not require:
1. There is nothing in the act, regulations or interpretation that supports a health care provider, facility or hospital requiring the patient and their attorney to use only that entities specific release of information authorization form.
2. An authorization for release of protected health information is valid when it contains the following core requirements:
a. A description of the information to be disclosed;
b. The name of the specific person or the class of persons authorized to make the disclosure.
c. The name of the person or class of persons to whom the disclosure may be made.
d. A description of each purpose of the requested disclosure. It is a sufficient description to state it is “at the request of the individual” when an individual initiated the authorization.
e. An expiration date or event for the authorization as it relates to the individual or the purpose of the authorized disclosure.
f. Signature of the authorizing individual and date.
g. The right of the individual to refuse to sign the authorization, to revoke any authorization given in writing and how to do so.
h. The potential for information disclosed under the authorization to be re-disclosed by the recipient and no longer protected by the act.
e. The authorization must be written in plain language.
There are no other elements that must be included for the release to be valid. The statement regarding providers inability to condition care on signing the authorization is not required to be included in a medical legal release. When an authorization that complies with the above list is received, the records must be disclosed and provided as requested!
3. There are additional items that may be included in the release- they are not required to be included for the release to be valid.
4. The handling and copy charge fees set by Washington law still apply to the information request and can be charged to the requestor.
5. A separate authorization is required for psychotherapy records that may not be combined with other authorizations.
6. Covered entities must disclose protected health information in judicial or administrative procedures in response to an order by the court or the administrative tribunal. Where the disclosure is made pursuant to law or court order, the minimum necessary requirement does not apply.
7. The disclosure may also be made in response to a Subpoena, Discovery Request, or other lawful process that is not accompanied by a court order. Where the disclosure is being made in response to lawful process such as a Subpoena without a court order, the request must contain certain assurances regarding notice to the individual or a protective order. This documentation must show that the party whose information is being requested is aware of the litigation or proceeding as well as the information request such that the individual can object or seek a protective order. If a protective order is agreed to an /or otherwise obtained a copy of that order must accompany the discovery or subpoena.
8. Where the individual whose information is requested is a minor, the individual’s “personal representative” has the same right to access and authorize the release of the records as the individual would. A personal representative is defined as a person legally authorized to make health case decisions on the individuals behalf or act for a deceased individual or estate. The parent is typically the personal representative for their minor child unless state law or other legal proceeding determines otherwise.
We hope this legal memorandum will be read and circulated throughout the area so that we can all work together in streamlining the medical record authorization and medical record reproduction process.