The following information is from MariAnne Harper and was in her Dental Pearls Newsletter. The information reinforces that we must not just give patient information to patients or to another dental office, proper protocol must be followed and appropriate forms signed.
Release of Information
I was fortunate to attend a seminar this past week dealing with medical records law. This course was presented by Gail Bisbee of Confidential Records Management, Inc., of New Bern, N.C. Gail touched upon many areas dealing with medical records management but there was one area that I thought I would share with my newsletter readers. Release of information (ROI) is that area, and I believe that many practices are unsure about how to handle this as well as how to stay in compliance with the law.
According to Gail, release of information is the title of the process whereby a medical practice provides an individual or a covered entity access to a patient’s health information provided that the individual or covered entity is authorized to receive or view it. There are several aspects to ROI that must be considered in order to be compliant with the law. As you continue reading, I will give abbreviated information on the law.
Each practice must prepare in several ways. First we must realize that the entire staff needs to know and understand all the different levels of the law. Training is a must! New employees need to be trained within ninety days of employment. Secondly the practice must develop a plan for how to handle complaints and incident reporting. Thirdly, how will the practice respond? A system will need to be developed that deals with allegations and enforcement of the sanction policy. Lastly, the practice will need to create a plan to monitor and document compliance.
There are several regulations that govern ROI. One that we are all familiar with is HIPAA. However, the others are the Sarbanes Oxley Act, the Gramm Leach Billey Act, the Fifth and Fourteenth Amendments, and the Freedom of Information Act of 1966/Privacy Act of 1974. I will sum up these regulations below.
Minimum necessary – The law requires that covered entities (the dental practice) and business associates (those who have access to a practice’s PHI) need to limit the disclosure or access of PHI to the minimum necessary to accomplish the request.
Patients and other provider requests – This law does not apply to requests from other healthcare providers for treatment purposes or requests from the patient for access to their records.
Requests from any other source require authorizations from the patient or legal representative. The following are examples:
Attorneys
Disability determination departments
Friends or relatives who are not legally considered to be the patient’s representative
Medical researchers
Insurers that are not responsible for claim payment
These authorizations must include the following:
Patient name
Specific description of the information that will be disclosed
Identify who this information may be released to
Expiration date of the authorization
Signature of the patient or legal representative as well as the date
A statement that the signer has the right to revoke the authorization by written request
Any exceptions to the right to revoke along with a description of how the patient or legal representative can revoke the authorization and the extent of the process
The individual must be given a copy of the signed authorization
With regard to minors, parents or guardians may sign such authorizations provided that the following applies: patient is not emancipated or not emancipated by a court decree of emancipation, that the patient is not married, or that he/she is not serving in the military. Step parents are usually not allowed to authorize ROI unless the minor is legally adopted. Check with your state laws regarding this. Foster parents are allowed to authorize ROI if the government agency who they have been working with allows it. Areas where a minor has control over his/her ROI is when there is a situation involving STDs and communicable diseases, pregnancy, substance abuse, or physical abuse by a parent of guardian.
There are some situations where the patient cannot complete such an authorization. Therefore, guidelines must be in place on how to handle those situations. When the patient is not competent (either due to age or mental capacity), if there is a healthcare power of attorney in place, if the patient is deceased, or if the patient is incarcerated, then the practice needs to have guidelines in place to handle these situations.
There may be times when a law enforcement agency may request PHI. The rules regarding this type of situation are that ROI may occur when:
The patient agrees to the disclosure
It is required by law
There is a court order, warrant, summons, or subpoena
Limited information is needed for purposes of identifying or locating a suspect, fugitive, witness, or missing person
A death was caused by criminal activity
A crime occurred at the practice location
Emergency care was needed that may have been the result of a crime
There may be incidents where only a verbal authorization is possible. If this happens, it is acceptable provided that at least two staff members are present and they must sign a form that states that the consent was obtained verbally. The practice must obtain all of the information that the written authorization requires and the practice must be able to confirm the identity of the patient
Patients have rights regarding the content of their medical records. If they believe that any documentation is incorrect, they can request that the record be amended. Practices must create a plan to handle these types of situations. A copy of the amended documentation must be kept with the original portion of the patient’s record.
In addition, patients have rights to an accounting of the disclosures that have been made of their records. The law allows that they can obtain this information for a period of up to six years prior to the date of their request (except for disclosures prior to April 14, 2003).
That sums up the details on ROI for dental practices. It will be helpful to review all of this information with your entire staff so that everyone will be aware of what is required by the law and then develop your plan so that your practice is compliant with the law.