
Is Your Patient Record Release Form HIPAA Compliant?


Your dental office has just received a request to release a patient’s medical records.  The request appears to be from the patient or a “legally authorized representative” of the patient.  At first glance, the release appears to be in order, stating the patient’s name with their signature and to whom the records should be released.  However, this is not enough information to confirm the record release form is HIPAA compliant.

Before you release records, you should always confirm the release is HIPAA compliant. (Please note: reporting to your malpractice insurer is an acceptable disclosure.) Many releases are not compliant, and if you release the information anyway, you could be at risk of an alleged privacy breach. As recently published in our March 2017 edition of Physician Connection, an authorization for release of medical record information should include the following elements:

  • A specific description of the information/records that may be disclosed 
  • The name of the person who may disclose the information (your name or the name of your practice)
  • The name of the person who may receive the records (for example, the patient’s attorney)
  • A description of the purpose of the disclosure or the statement, “at the request of the individual”
  • An expiration date or expiration event for the authorization
  • The signature of the patient or the patient’s authorized representative
    • If the patient’s authorized representative is signing the authorization, then there also must be a description of the representative’s authority (for example, healthcare agent, executor of estate)
  • The date the authorization was signed
  • The following statements or substantially similar statements:
    • “I, the undersigned, understand that I have the right to revoke this authorization. I understand the revocation must be in writing and bear my signature. My revocation must be submitted to the above healthcare provider. I understand that if I do revoke this authorization, my revocation will not affect any prior actions taken in reliance on this authorization.”
    • “I understand that if the person or entity that receives the described records/information is not subject to federal privacy regulations or other laws, the records/information may be re-disclosed and no longer protected by those regulations.”
    • “I understand that the healthcare provider may not condition treatment, payment, enrollment or eligibility for benefits on whether I sign this authorization. I may refuse to sign this authorization.”

If you determine the request is not compliant, you should inform the requesting party in writing, using plain language. Always focus on the patient’s best interest. When denying a request, you might want to consider reiterating your commitment to maintaining your patient’s privacy as the reason for your refusal, pointing out that the form does not meet the requirements set forth by the U.S. Department of Health and Human Services. Information on the Privacy Rule can be viewed on the U.S. Department of Health and Human Services website. A sample form is also available from Dentistry IQ.

Your state laws may also have specific requirements regarding the release of records, so it is important that you understand them. Check with your local professional association and/or your attorney for more information regarding your specific state obligations.