HIM 2200

1
HIM 2200

• Release of Information

2
Release of Information

• Release of Information (ROI) is the process of
  disclosing patient-identifiable information from
  the health record to another party.

3
Role of HIM with ROI

• HIM professionals have responsibility to in
  determining access to and release of information
  from patient health records.
• Most HIM departments have either professionals
  specifically trained to do ROI on a daily basis

4
ROI professional

• Responsible for verifying a ROI form and
  completing patients request per ROI form.
• For example, the ROI may take the form of a
  patients request to mail copies of his or her
  records to a healthcare provider.
• ROI professional require a request in written
  format, verifies patient signature on the ROI,
  and only then release the information requested.

5
ROI requests

• A completed authorization or request
• Information on request is stored in a computer
  database (for example, Softmed). Generally
  patient name, date of birth, health record
  number, name of requestor, address telephone of
  requester, and specific health information being
  requested is stored in database.
• State HIPAA laws govern release of health
  information. HIM professionals must be well aware
  of what information needs to be included on the
  authorization to be considered valid.

6
ROI requests cont.

• 4. If the request or authorization is valid, the
  specific information is copied and sent.
• 5. OR if the request is invalid, the problem with
  the request is noted in the computer, and the
  request is returned to the sender.

7
ROI log

• To comply with HIPAA standards, a healthcare
  facility must maintain a record that accounts for
  all disclosures from the health record.

8
Subpoena duces tecum

• Subpoena duces tecum judicial request for
  certain information or evidence.
• Similar to ROI requests the subpoena is
• 1.Logged on database
• 2. Verify the subpoena to be valid and the
  information can be released to the court in
  compliance with state federal law.

9
Subpoena duces tecum cont.

• 3. Check the health record. Is it complete? Are
  signatures identifiable?
• 4. Review the record for risk. If it is a
  potential malpractice case, notify
  administrator/facility attorney/physician.
• 5. Copy and certify.
• 6. Prepare an itemized list of the record
  contents which cab be used as a receipt if the
  record is retained by the court.
• 7. Record the information and number of pages in
  response to subpoena duces tecum
• 8. In response to a subponea duces tecum a HIM
  professional may appear in person in court or at
  a deposition and give sworn testimony to the
  health records authenticity.

10
Verifying a ROI request

• All requests must follow HIPAA unless a state law
  is more stringent.
• Give only minimum necessary
• Compare patients signature with one in record
• Check the date to ensure that the request was
  dated after the occurrence so that the patient
  was aware of what was being authorized for
  release.

11
Verifying a ROI request cont.

• 4. Verify the insurance company (if requester) as
  the one belonging to the patient
• 5. Review the request for what was wanted and
  whether the requestor was entitled to the
  information.

12
Ethical Issues in ROI

• need to know limit information given to only
  need to know.
• Privacy and confidential information are being
  protected. Be aware of possible redisclosures of
  health information.
• Misuse of blanket authorization. Patients sign
  a blanket authorization without understanding its
  implications. The requestor of the information
  then could use the authorization to receive
  health information for years. The patient may
  not be aware.

13
Defective authorizations

• The HIPAA Privacy rule declares the following
  authorizations invalid
• The expiration date or event has passed or
  occurred
• The authorization is missing one or more items of
  content
• The authorization is known to have been revoked
• The authorization violates a privacy rule
  standard or conditioning or compound
  authorizations.
• Material information in the authorization is
  known to be false.
• Handwritten, patient generated authorizations may
  often be invalid under HIPAA, as most do not
  contain an expiration date or a statement about
  the individuals right to revoke the
  authorization. (Encourage facility to post
  authorization on web)

14
Types of Authorizations (requests)

• Research authorization for use or disclosure of
  protected health information PHI for a research
  study.
• Psychotherapy notes authorization for the use or
  disclosure of psychotherapy notes may be combined
  with another authorization for the use or
  disclosure of psychotherapy notes. For example,
  an individual can complete an authorization that
  requests his psychotherapy notes be sent to his
  attornedy and a second mental health
  professional. An authorization for psychoterapy
  notes may not be combined, however, with an
  authorization for disclosure of general health
  information.

15
Types of Authorizations cont.

• General authorization for the disclosure of
  general health information may be combined with
  another authorization for the disclosure of
  general health information. However a general
  authorization that conditions treatment, payment,
  enrollment or eligibility for benefits on
  completion may not be combined with another
  authorization. For example, an insurance company
  may not combine an authorization they require as
  a condition of enrolling in their plan with
  another authorization.

16
ROI Fees

• If the individual requests a copy of the
  protected health information or agrees to a
  summary or explanation of information, the
  facility may impose a reasonable cost based fee,
  provided that the fee includes only the cost of
• -copying (cost of supplies labor)
• -postage
• -preparing an explanation or summary of
  information

17
ROI Questions

• Does HIPAA privacy rule allow us to release
  patient information over the telephone without an
  authorization?
• HIPAA now allows the release of health
  information without an authorization from the
  patient in certain situations
• Treatment
• Payment
• Healthcare operations (TPO)

18
ROI Questions

• Is faxing patient information legal under HIPAA?
• If the facility is permitted to release
  information for treatment purposes or by
  authorization, then using a fax machine is
  allowed. However safety steps should be ensured.

19
Faxing ROI safety precautions

• Notice of Information Practices uses and
  disclosures of individually identifiable health
  information.
• written authorization for any use or disclosure
  of individually identifiable health information 
  when not otherwise for TPO (treatment, payment,
  and healthcare operations)
• Reasonable steps to ensure the fax transmission
  is sent to the appropriate destination.  Ideas
  for doing this, preprogram fax numbers, Remind
  those who are frequent recipients of health
  information private
• Attach a confidentiality statement.  The
  following is an example
• The documents accompanying this transmission
  contain confidential health information that is
  legally privileged.  This information is intended
  only for the use of the individual or entity
  named above.  The authorized recipient of this
  information is prohibited from disclosing this
  information to any other party unless required to
  do so by law or regulation and is required to
  destroy the information after its stated need has
  been fulfilled. 

20
ROI Question

• What are a facilities legal responsibilities when
  a former employee breaches confidentiality of
  information gained during his or her employment
  period?
• A facility can fortify its defense position by
  ensuring and retaining clear evidence that a
  former employee was trained and expressed
  understanding of privacy and security policies
  and procedures. Thorough documentation of
  ongoing HIPAA training will demonstrated a
  facilities efforts during the employment period.
  Addressing postemployment responsibilities is
  also advised. If the employee is terminated,
  documentation of a signed statement stating
  understanding the confidentiality of patient
  information should be expressed. DOCUMENT!!!

21
ROI Question

• Who can act as a personal representative of a
  minor?
• Either parent (unless otherwise restricted by a
  court order), the legal guardian or the legal
  custodian appointed by a court may act as a
  minor's personal representative

22
ROI Question

• When can a minor (someone under 18) be considered
  as adult and therefore guardian not allowed to
  complete authorization or request for medical
  information?
• This varies state by state. Check with your
  state law. But the following is expressed under
  HIPAA Utah law.
• Minor is emancipated.
• Minor is married.
• Minor is pregnant, communicable disease, drug or
  alcohol abuse and only if being treated for this
  condition.

23
ROI question

• As a parent to I have the right to get and amend
  my childs record?
• Again, this varies state by state, as per Utah
  law HIPAA, the answer is No, if a healthcare
  provider reasonably believes there is neglect or
  abuse of child, then the parent does not have
  access to childs record.

24
ROI questions

• I am listed as my mothers power of attorney, do
  I have right to request an authorization and look
  at her medical information.
• Yes, if you are your mothers agent or power of
  attorney, under Utah HIPAA law you have this
  right.

25
ROI question

• My father died, to I have right to look at his
  records?
• Again varies state by state, but under Utah law
  HIPAA, the answer is yes. You usually have right
  to get a deceased persons medical record if you
  are the personal representative (adminstrator or
  executive). In Utah this includes deceased
  spouse or child.

26
Questions?

• Remember to check with HIPAA privacy rule, your
  state law, and facilities attorney in which how a
  scenario might be answered different.