HIPAA Handling Patient Requests for Medical Record Restriction

September 26th, 2018 - BC Advantage
Categories:   HIPAA|PHI   Practice Management  

Healthcare compliance professionals frequently face confusing situations about sharing of protected health information (PHI).  The Health Insurance Portability and Accountability Act (HIPAA) supports the protection of privacy of medical records. However, even when a patient does not authorize sharing of his record, there are permitted uses and disclosures, such as for the purpose of treatment, payment, or healthcare operations (TPO). 

The U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) provide a series of topical fact sheets on HIPAA Permitted Uses and Disclosures with examples of when PHI can be exchanged under HIPAA without first requiring a specific authorization from the patient. Please note that state laws may also apply. 

Permitted Uses and Disclosures for Health Care Operations 

The ONC issued a useful fact sheet explaining Permitted Uses and Disclosures for Health Care Operations.  For activities that fall within HIPAA’s definition of “healthcare operations,” an entity covered by HIPAA (Covered Entity), such as a physician or hospital, can disclose PHI to another Covered Entity (or a contractor working for that covered entity, i.e., Business Associate). A Covered Entity (CE) can disclose PHI (orally, on paper, by fax, or electronically) to another CE or that CE’s Business Associate for the following subset of healthcare operations activities without needing patient consent or authorization:  

45 CFR 164.501; 45 CFR 164.506(c)(4). 

Three conditions must be met when sharing PHI for the purposes stated above: 

  1. Both CEs must have or have had a relationship with the patient (can be a past or present patient);
  2. The PHI requested must pertain to the relationship; and 
  3. The discloser must disclose only the minimum information necessary for the healthcare operation at hand.  

What is meant by the term “minimum necessary”? 

Covered entities are required to have reasonable minimum necessary policies and procedures to limit how much PHI is used, disclosed, and requested for certain purposes. Minimum necessary policies and procedures must also reasonably limit who within the entity has access to PHI, and under what conditions, based on job responsibilities and the nature of the business.  

For example, the minimum necessary standard requires that a CE limit who within the entity has access to PHI, based on who needs access to perform their job duties. If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the employee to do his job, the hospital is not applying the minimum necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee’s conversation about a patient’s condition, would be an unlawful use or disclosure under the HIPAA Privacy Rule. 

The minimum necessary standard is not required among physicians discussing a patient’s medical chart for treatment purposes and does not apply to disclosures, including oral disclosures, among healthcare providers for treatment purposes. 

Permitted Uses and Disclosures for Treatment 

The fact sheet titled “Permitted Uses and Disclosures: Exchange for Treatment” explains how HIPAA supports sharing of PHI between and among healthcare providers in order to treat or coordinate care for their patients. CEs may disclose PHI (orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization. 45 CFR 164.506(c)(2). Treatment is broadly defined to include: 

45 CFR 164.501. 

The disclosing CE is responsible for the PHI until the recipient CE has received the information. HIPAA requires disclosing the PHI to the receiving CE in a permitted and secure manner, which includes sending the PHI securely and taking reasonable steps to send it to the right address. The receiving CE is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur.  

Common HIPAA Questions  

How should we ensure that we’re staying compliant with HIPAA Privacy and Security Rules when sharing PHI for purposes of treatment or operations? 

Many issues are covered under HIPAA Privacy and Security.  Here are a few important reminders regarding permitted uses and disclosures:  

What are the reasonable safeguard requirements? 

Reasonable safeguards vary from CE to CE depending on factors such as the size of the CE and the nature of its business. In implementing reasonable safeguards, CEs should analyze their own needs and circumstances, such as the nature of the PHI they hold, and assess the potential risks to patients’ privacy. CEs should also consider the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards. 

Consider the following examples of appropriate administrative, technical, and physical safeguards: 

To gain more HIPAA insight and practical tips, consider purchasing The Fundamentals, a user-friendly, four-module course designed to help healthcare professionals understand the essential principles and practices of compliance.

Julie Sheppard, BSN, JD, CHC, is the president and founder of 1st Healthcare Compliance. With the increase in compliance challenges facing healthcare providers, Julie was inspired to create a practical, comprehensive healthcare compliance solution, and founded First Healthcare Compliance in 2012. Julie is a nurse, an attorney, and certified in Healthcare Compliance by the Compliance Certification Board. www.1sthcc.com

