By Sara Goldstein, Esq.
HCPro’s HIM Briefings published its first release of information (ROI) benchmarking survey of 2017 last month. The survey, conducted in December 2016, explored health information management (HIM) and ROI professionals’ challenges, triumphs, and insights, covering U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) patient access guidance, hybridization of medical records, ROI staffing, billing and requests, and patient authorizations and logging.
Of special interest was the coverage of patient access. Forty-eight percent of respondents modified patient access fees after the OCR released its guidance. Some survey respondents experienced greater difficulty handling attorney requests as a result of the OCR guidance, specifically citing difficulty with requests from attorneys believing they are entitled to copies of protected health information (PHI) at the new OCR patient rate, or even for free. According to the OCR, further guidance related to patient access and third-party requests will be issued in the coming months.
Another topic of interest was patient authorizations and logging of disclosures in electronic health records (EHRs). When asked if physician offices need to provide patient authorizations when requesting copies of records for continuation of care, 33 percent of respondents said they do not if the requesting physician is on staff and/or is mentioned in the requested copies of records; 32 percent said they required patient authorizations if the requesting physician is not on staff; and 28 percent said that as long as a request is on the requesting physician’s letterhead, they release the copies of records.
Challenges of ROI
According to the survey, the most challenging aspect of ROI is record requests from adult children not noted as contacts or next of kin. Forty-one percent of survey respondents listed this as the most challenging aspect, which is consistent with the results from the 2014 (38 percent) and 2015 (41 percent) surveys.
Other challenges include requests from adult children for a deceased parent’s records (16 percent), requests from quality organizations (35 percent), and requests for a child’s records from divorced parents (28 percent).
These are certainly challenging aspects of ROI, and below are some brief guidelines for handling these difficult requests:
Adult children not noted as contacts or next of kin
Although HIPAA permits physicians to share certain medical information with caregivers, it is crucial that children responsible for care of their elderly parents obtain healthcare powers of attorney so they can make healthcare decisions for their parents if necessary.
Adult children of deceased parents
After a patient dies, his or her PHI cannot be disclosed unless authorized by his or her personal representative; however, there are a few exceptions. The HIPAA Privacy Rule permits healthcare providers to disclose any relevant PHI of a deceased patient to family members or other persons involved in the patient’s healthcare or payment of care prior to the patient’s death, unless doing so is inconsistent with any previously expressed preference of the deceased.
Additionally, the PHI of a deceased patient can be disclosed without the patient’s personal representative’s authorization in certain instances: a) law enforcement, in the event of suspicion that death resulted from criminal conduct; b) coroners, medical examiners, or funeral directors; c) researchers working solely on the PHI of deceased patients; and d) organ procurement organizations for the purpose of facilitating organ donation and transplantation.
Healthcare providers should familiarize themselves with the definition of “personal representative” under applicable state law to ensure that their policies and procedures are compliant.
The HIPAA Privacy Rule (45 CFR § 164.512(d)(1)) permits covered entities to disclose PHI to health oversight agencies for oversight activities authorized by law, including Quality Improvement Organizations (QIOs), which are nonprofit organizations contracted with the Centers for Medicaid & Medicare Services (CMS) to improve healthcare quality.
Divorced parents of minors
In most states, both parents, regardless of custody arrangement, are permitted to authorize the disclosure of their minor child’s PHI, provided that the requesting parent’s parental rights have not been terminated.
In conclusion, to best handle these and any challenges, healthcare providers should familiarize themselves with applicable state law to ensure that their current policies and procedures align with the law.
About the Author
Sara Goldstein, Esq. is an established author and speaker on health information privacy and security compliance. As general counsel for MRO, she is responsible for providing legal direction and guidance for the company and overseeing MRO’s compliance with HIPAA. She is also an adjunct professor of law at Drexel University, where she teaches a course on HIPAA and patient privacy.
Contact the Author
Comment on this Article