Releasing Protected Health Information

Kenda Collier

HCR/210

August 24, 2010

Donna DeGrio
 Established by the U.S. Congress in 1996 and made effective July 1, 1997, the

Health Insurance Portability and Accountability Act (HIPAA) is a group of regulations

working against abuse and fraud in health insurance and the delivery of health care.

HIPAA’s purpose also includes improving the health care system’s effectiveness and

efficiency, providing for the continuation of health insurance coverage, and delivering

consequences for organizations and individuals who do not comply with HIPAA

regulations (Highmark, 2007). Different representatives and agencies can request, with or

without patients’ consent, patients’ protected health information (PHI). PHI is

information that is connected to an individual and includes name, telephone number,

address, date of birth, social security number, name of employer, and/or Medicaid

identification number (Green and Bowie, 2005).

Many situations arise when the government has the legal obligation or right to a

patient’s medical records. For example, state agencies are required to keep records of

deaths and births. They must also maintain registries of people who have received a

diagnosis of a serious illness like cancer. Disclosures of such information to the

government typically do not require an individual’s authorization (Highmark, 2007).

Medicaid, Medicare, veteran’s activities, national security and intelligence

activities, the military, armed forces personnel, correctional institutions and presidential
protective services do not require authorization—all may receive protected health

information without the consent of the individual. Some government agencies, such as

the Bureau of Disability Determination and the Department of Social Services, have to

receive the individual’s authorization prior to receiving his or her PHI (Green and Bowie,

2005).

Attorneys almost always have to obtain the individual’s authorization for the

release of PHI. The exception is if a health care provider’s attorney requests it and the

information is released during normal business. Employers also have to get authorization

from the individual but not in cases of work-related injuries or illnesses (the reporting of

them). Health care providers are also obligated to get authorization from patients for the

release of PHI, except for caregivers who are directly involved in the patients’ care. The

IRS, or Internal Revenue Service, along with law enforcement agencies, has to receive

consent from the patient for the disclosure of PHI. The patient or his or her representative

has to obtain authorization to release PHI unless it is a situation where no authorization is

required by HIPAA. Patient authorization must also be obtained by third-party payers

except in the cases of treatment, payment, and any health care operations.

The majority of providers allow medical professionals who are working on

clinical research access to patients’ records. They may also exchange such information

with other researchers. If activities have been approved of by an Institutional Review

Board, PHI can be received by a research group without the individual’s authorization. If

research includes actually treating the patient, authorization is required, unless the person

is involved in the patient’s direct care.

Patients do have the right to access their PHI for verification of information and
keeping a personal copy, unless there is information that has been compiled for use in

criminal, administrative, or civil action. Information that includes psychotherapy notes

and PHI that is kept by any covered entity subject to the Clinical Laboratory

Improvements Amendments of 1988 is also restricted (Green and Bowie, 2005).

Usually, the only person who can authorize the release of medical records is that

specific patient. Naturally, though, exceptions to the rule exist. Legal guardians, parents,

or agents of a minor child are able to give this authorization. The confidentiality of

medical records is maintained except for certain instances where they can be released

without the consent of the patient. Records can be released, in certain circumstances, to

health care workers who require the information to provide care to a patient.

Organizations that are qualified and are undertaking approved research can also receive

records, and as previously mentioned, certain government authorities also have that right.

However, in general strict rules apply for people who receive such medical information.

The privacy of the patient must be kept (Lectric Law Library’s, 2002). Safeguards that

are in place must be kept for the release of the patient’s PHI. Each facility has the

obligation to make sure that all patient information is kept safe from tampering, loss,

theft, unauthorized access, or damage. Research groups, government agencies, and legal

agencies have guidelines that have to be followed for them to receive a patient’s PHI. The

privacy of records must be maintained no matter who receives them.

HIPAA regulations affect everyone: patients, hospitals, health insurers, doctors,

employers that provide health insurance, health care organizations, public health

authorities, and life insurers. When a facility releases a copy of a patient’s PHI, it must
keep a release of information log on order for patients to receive an accounting of

information disclosures for six years prior to their request. Whether consent is required or

not, facilities must keep individuals’ records confidential (Green and Bowie, 2005).
 References

Green, M.A., and Bowie, M. J. (2005). Essentials of health information

management

Principles and practices. Clifton Park, NJ: Thomson.

Highmark (2007). HIPAA Overview.

http://www.highmark.com/hmk2/about/hipaa/hipaaMain.shtml

Lectric Law Library’s (2002). Medical Records.

http://www.lectlaw.com/filesh/qf102.htm