Know when you can refuse to release medical records

1
Know When You can Refuse to Release Medical
Records

• Visit https//www.empowerelearning.com/

2

• The Health and Human Services has fined yet
  another healthcare provider for refusing to
  release medical records when requested by the
  patient.
• This is the tenth enforcement action of this type
  by the HHS this year. Last month, HHS imposed two
  fines of more than 100,000 for similar
  violations. SJHMC paid 160,000 and NY Spine paid
  a penalty of 100,000 for violating the patients
  right to access medical records.
• The HIPAA Privacy rule gives people a legal,
  enforceable right to access their medical
  records that are stored with providers and plans.
  People also have the right to receive a copy of
  their records upon request.
• Under the law, if a doctor or plan does not
  fulfill a patients request, the patient can file
  a complaint with the HHS. The department gives
  enforcement priority to such complaints.

3
Know when you can refuse to release medical
records

• At the same time, HIPAA gives entities the
  authority to refuse the access as well. Even so,
  there are procedures that the provider needs to
  follow. With this in mind, lets look at the
  latest HIPAA enforcement action.
• Last week, the HHS took its 10th enforcement
  action against a provider who refused to release
  medical records of a patient.
• As per the press brief, Riverside Psychiatric
  Medical Group, a group practice in Riverside,
  California would be paying 25,000 as penalty for
  the violation.
• RPMG also needs to resolve the problems exposed
  by the HHS investigation.

4

• The HHS investigation was the result of several
• complaints by an RPMG patient.
• The patient complained that the provider was not
• sharing her medical records with her.
• Upon receiving the first complaint, the HHS
  reached
• out to RPMG, and helped it to sort out the
  problems
• hindering it from sharing the records.
• In spite of the help, RPMG failed to respond to
  the
• patient request again.
• The patient, then, filed a second complaint
  against RPMG.
• This complaint, in turn, led to the HHS
  investigation.
• The investigation determined that RPMG
  was violating
• HIPAA by not sharing the PHI with the requester.
• In RPMGs defense, it claimed that the requested
  records
• included psychotherapy notes. So, they did not
  have to comply
• with the patient request.

5
Circumstances when you can refuse to release
medical records

• To clarify the RPMGs position, as
• per HIPAA guidance on the
• matter of 45 CFR 164.524,
• or Access of individuals to PHI, a
• covered entity can refuse
• requests for protected health
• information under certain
• circumstances.

6
To put them briefly, a healthcare provider can
refuse access if

• The request is for psychotherapy notes.
• The person is asking for the set of information
  compiled for legal purposes.
• The request is by a prison inmate, and fulfilling
  the request could compromise the custody, health,
  rehabilitation, safety, or security of the inmate
  or other people.
• The request is for records that are a part of an
  ongoing research study.
• The requested records are considered as protected
  records under the Privacy Act.

7

• The PHI was obtained under a promise of
  confidentiality.
• The requested PHI might endanger the life or
  safety of the person or other people.
• The disclosure might harm a person referenced in
  the PHI.
• The request is by a personal representative of
  the patient, and the disclosure might cause harm
  to the patient or someone else.

8

• But, some of these circumstances are considered
  as reviewable grounds for denial. Patients can
  request for a review of the denial under these
  conditions. The reviewing official needs to
  review-
• If the disclosure might endanger the life or
  safety of people.
• If the disclosure might harm a person referenced
  in the records.
• Except for these circumstances, others are
  considered as unreviewable grounds of denial.
  Covered entities can refuse to release medical
  records under the circumstances.

9
Important steps to take when refusing to release
medical records
10

• Even so, the healthcare provider needs to
• provide the denial in writing to the
• requester.
• This should happen within 30 days of
• receiving the request. The letter should
• explain the grounds of denial, and how
• they can submit a complaint against the
• decision to the HHS.

11

• Along with this, if the grounds of denial are
  reviewable, then the requester needs to be
  informed of the same.
• RPMG failed to follow this procedure. The patient
  did not receive the denial in writing. Besides
  this, RPMG did not give her access to any of her
  PHI.
• Under HIPAA, you need to respond to patient
  requests in a timely fashion. If there is ground
  for refusing to release medical records, then
  exclude them, and disclose the rest of the
  records.
• RPMG didnt do that either. They should have
  shared the requested records, excluding the
  psychotherapy notes.
• By the same token, the complexity to segregate
  the two PHI shouldnt hinder the covered entity
  from fulfilling the request either. They can
  always extend the 30-day window to 60 days, but
  they need to notify the requester about the
  delay.

12

• Under the corrective action plan, RPMG needs to
  review and revise their policies and procedures
  that relate to CFR 164.524 (Access of individuals
  to protected health information). The changes
  should ensure a timely response to all requests,
  including those for which they have a ground for
  denial.
• Moreover, RPM needs to train its workforce as
  well. It must ensure that everyone is trained in
  handling requests for PHI. The training should
  cover relevant HIPAA provisions and related
  company policies and procedures. RPMG also needs
  to keep a record of the training completion
  certificates.

13
Errors to avoid when refusing to release medical
records
14
Regarding the right to access initiative, this
enforcement is the 10th such action by the HHS.
Others resulted from the following behaviors by
the covered entities.

• The provider gave only some of the documents
  requested by the patient.
• The personal representative put many requests,
  but the covered entity did not comply.
• The provider did not fulfill the patients
  request to share medical records with a
  third-party.
• Requests were not fulfilled in a timely fashion.
• The requester was charged an unreasonable fee
  against the request.
• The provider refused to give a copy of the PHI
• The requester wasnt allowed to inspect her
  records.

15

• That said, non-compliance can lead to extremely
  steep penalties. For instance, Korunda Medical
  was fined 85,000 for failing to send medical
  records to a third party in a timely fashion.
  Similarly, SJHMC paid a penalty of 160,000 for
  not sharing medical records with the personal
  representative of a patient.
• Likewise, the majority of the corrective action
  plans show that the providers did not have proper
  policies and procedures in place. Besides this,
  the staff were in need of training as well.

16

• With this in mind, compliance officers should
  review their compliance training programs. HIPAA
  Awareness sessions are good educational tools,
  but holding in-depth training is important as
  well workers should know when they can refuse
  access to medical records and when they cannot.
• What are your views about the HIPAA right to
  access provision? How do you handle patient
  requests for PHI? If you have tips on how our
  readers can improve their HIPAA right to access
  processes, do share them in the comments below.

17
Visit https//www.empowerelearning.com/Phone
No. 502 400 9994 (US) 8128123650 (IND) Email
info_at_empowerelearning.com Address 12806,
Townepark way, Louisville USA Kentucky 40243