HIPAA Handling Patient Requests for Medical Record Restriction

September 26th, 2018 - BC Advantage
Categories:   HIPAA|PHI   Practice Management  
0 Votes - Sign in to vote or comment.

Healthcare compliance professionals frequently face confusing situations about sharing of protected health information (PHI).  The Health Insurance Portability and Accountability Act (HIPAA) supports the protection of privacy of medical records. However, even when a patient does not authorize sharing of his record, there are permitted uses and disclosures, such as for the purpose of treatment, payment, or healthcare operations (TPO). 

The U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) provide a series of topical fact sheets on HIPAA Permitted Uses and Disclosures with examples of when PHI can be exchanged under HIPAA without first requiring a specific authorization from the patient. Please note that state laws may also apply. 

Permitted Uses and Disclosures for Health Care Operations 

The ONC issued a useful fact sheet explaining Permitted Uses and Disclosures for Health Care Operations.  For activities that fall within HIPAA’s definition of “healthcare operations,” an entity covered by HIPAA (Covered Entity), such as a physician or hospital, can disclose PHI to another Covered Entity (or a contractor working for that covered entity, i.e., Business Associate). A Covered Entity (CE) can disclose PHI (orally, on paper, by fax, or electronically) to another CE or that CE’s Business Associate for the following subset of healthcare operations activities without needing patient consent or authorization:  

45 CFR 164.501; 45 CFR 164.506(c)(4). 

Three conditions must be met when sharing PHI for the purposes stated above: 

  1. Both CEs must have or have had a relationship with the patient (can be a past or present patient);
  2. The PHI requested must pertain to the relationship; and 
  3. The discloser must disclose only the minimum information necessary for the healthcare operation at hand.  

What is meant by the term “minimum necessary”? 

Covered entities are required to have reasonable minimum necessary policies and procedures to limit how much PHI is used, disclosed, and requested for certain purposes. Minimum necessary policies and procedures must also reasonably limit who within the entity has access to PHI, and under what conditions, based on job responsibilities and the nature of the business.  

For example, the minimum necessary standard requires that a CE limit who within the entity has access to PHI, based on who needs access to perform their job duties. If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the employee to do his job, the hospital is not applying the minimum necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee’s conversation about a patient’s condition, would be an unlawful use or disclosure under the HIPAA Privacy Rule. 

Minimum necessary standard is not required among physicians discussing a patient’s medical chart for treatment purposes and does not apply to disclosures, including oral disclosures, among healthcare providers for treatment purposes. 

Permitted Uses and Disclosures for Treatment 

The fact sheet titled “Permitted Uses and Disclosures: Exchange for Treatment” explains how HIPAA supports sharing of PHI between and among healthcare providers in order to treat or coordinate care for their patients. CEs may disclose PHI (orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization. 45 CFR 164.506(c)(2). Treatment is broadly defined to include: 

45 CFR 164.501. 

The disclosing CE is responsible for the PHI until recipient CE has received the information. HIPAA requires disclosing the PHI to the receiving CE in a permitted and secure manner, which includes sending the PHI securely and taking reasonable steps to send it to the right address. The receiving CE is responsible for safeguarding the PHI and otherwise complying with HIPAA, including with respect to subsequent uses or disclosures or any breaches that occur.  

Common HIPAA Questions  

How should we ensure that we’re staying compliant with HIPAA Privacy and Security Rules when sharing PHI for purposes of treatment or operations? 

Many issues are covered under HIPAA Privacy and Security.  Here are a few important reminders regarding permitted uses and disclosures:  

What are the reasonable safeguard requirements? 

Reasonable safeguards vary from CE to CE depending on factors, such as the size of the CE and the nature of its business. In implementing reasonable safeguards, CEs should analyze their own needs and circumstances, such as the nature of the PHI it holds, and assess the potential risks to patients’ privacy. CEs should also consider the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards. 

Consider the following examples of appropriate administrative, technical, and physical safeguards: 

To gain more HIPAA insight and practical tips, consider purchasing The Fundamentals, a user friendly, four-module course designed to help healthcare professionals understand the essential principles and practices of compliance.

Julie Sheppard, BSN, JD, CHC, is the president and founder of 1st Healthcare Compliance. With the increase in compliance challenges facing healthcare providers, Julie was inspired to create a practical, comprehensive healthcare compliance solution, and founded First Healthcare Compliance in 2012. Julie is a nurse, an attorney, and certified in Healthcare Compliance by the Compliance Certification Board. www.1sthcc.com


Questions, comments?

If you have questions or comments about this article please contact us.  Comments that provide additional related information may be added here by our Editors.

Latest articles:  (any category)

Don't Let Your QPro Certification(s) Expire! Your Certifications Matter!
June 20th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
Hello QPro Members, Just a friendly reminder!                                                                                        ...
How to Properly Report Monitoring Patients Taking Blood-thinning Medications
June 18th, 2019 - Wyn Staheli, Director of Research
Codes 93792 and 93792, which were added effective January 1, 2019, have specific guidelines that need to be followed. This article provides some guidance and tips on properly reporting these services.
A United Approach
June 14th, 2019 - Namas
A United Approach As auditors, we all have a different perspective when evaluating documentation. It would be unreasonable to think that we all view things the same way. In my opinion, differing perspectives are what makes a great team because you can coalesce on a particular chart, work it through and ...
Documentation of E/M services for Neurology (Don't Forget the Cardiology Element)
June 13th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
According to Neurology Clinical Practice and NBIC, the neurologic exam is commonly lacking in documentation due to the extensive requirements needed to capture the appropriate revenue. With the lack of precise documentation, it results in a lower level of E/M than that which is more appropriate, which can cost a physician a lot ...
Medicare Now Reimburses for Remote Monitoring Services (G2010)
June 13th, 2019 - Aimee Wilcox, CPMA, CCS-P, CST, MA, MT, Director of Content
Medicare's 2019 Final Rule approved HCPCS code G2010 for reimbursement, which allows providers to be paid for remote evaluation of images or recorded video submitted to the provider (also known as "store and forward") to establish whether or not a visit is required. This allows providers to get paid for ...
Now is Your Chance to Speak Up! Tell CMS What You Think!
June 13th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
CMS is asking for your input, we all have ideas on how we would change healthcare documentation requirements and get rid of the burdensome requirements and regulations if it were up to us, so go ahead, speak up! Patients over Paperwork Initiative is being looked at to help significantly cut ...
Spotlight: Anatomy Images
June 13th, 2019 - Brittney Murdock, QCC, CMCS, CPC
When viewing CPT codes, Find-A-Code offers detailed anatomy images and tables to help with coding. For example 28445 offers a table with information to assist classification of gustilo fractures: Click on the image preview from the code information page to expand the image.

About Codapedia & Find-A-Code Contact Us Terms of Use Privacy Policy Advertise with Us

Codapedia™/Find-A-Code™ - 62 E 300 North, Spanish Fork, UT 84660 - Phone 801-770-4203 (9-5 Mountain) - Fax (801) 770-4428

Copyright © 2009-2019 Find A Code, LLC - CPT® copyright American Medical Association