It is crucial that all members of staff at a HIPAA-covered entity are fully aware of their obligations under the data privacy legislation. If they are not, the result can be financial penalties for the organization and other ramifications for the individual responsible for the breach. One of the main areas where mistakes are made is the release of patient information without authorization.
In order to properly release patient information to individuals or organizations, a signed HIPAA release form must be obtained from the patient in question. There are some exceptions to this, such as routine disclosures for treatment, payment or healthcare operations permitted by the HIPAA Privacy Rule. However, all other instances of sharing medical records without the correct authorization form will be regarded as a HIPAA breach. For this reason it is vital that every individual in a HIPAA-covered organization is given the best possible HIPAA training. By providing it, the chances that a HIPAA breach will occur are greatly reduced.
To release patient information in a HIPAA-compliant manner, a release form must be completed and provided by the patient in question. This must be done before the protected health information is shared for any reason other than the treatment, payment and healthcare-operations uses permitted under 45 CFR §164.506. In particular, a signed authorization is required:
- Before PHI is used for any marketing or fundraising campaigns
- Before PHI is shared with a third party for anything not related to the provision of medical treatment, payment or other standard healthcare procedure, for example sharing patient information with an insurance underwriter
- Before the sharing of psychotherapy notes
- Before PHI is transferred for financial gain or profit
- Before PHI is made available for research projects
There are a range of very important elements to a HIPAA release form which must be completed correctly. This should be outlined to all members of staff during HIPAA training sessions and reinforced during refresher sessions. The following elements must be included:
- The identity of the individual whose PHI will be released
- An outline of what PHI will be used/released
- What the PHI will be used for
- A stated expiration date or expiration event when consent to use/release the PHI comes to an end
- The individual’s dated signature or that of the individual’s representative. If a representative is completing the form, the relationship with the patient must be described along with a description of the representative’s authority to act on behalf of the patient.
Additionally, the individual completing the HIPAA release form must be shown or provided with statements that advise them:
- That they are entitled to revoke their authorization
- Of any exceptions to the individual's right to revoke the authorization
- How the process for revoking the authorization works
- That the HIPAA-covered entity may not make completion of the HIPAA release form a condition for the provision of treatment, payment, enrollment or eligibility for benefits
- That PHI shared under the terms of the authorization may be re-disclosed by the recipient and would then no longer be protected by 45 CFR Part 164, Subpart E
Sadly, failing to follow the correct HIPAA-compliant procedure for releasing patient information is one of the most common HIPAA breaches witnessed. For this reason it is one of the most important areas to be covered in HIPAA training, and appointing staff members who are aware of all the requirements will greatly reduce the chances of a breach occurring.
Most Common HIPAA Breaches Involving Releasing Patient Information & How to Avoid Them
- Releasing Patient Information to an Unauthorized Individual. Avoid this by:
  - Completing an authorization form with the patient before any of their PHI is shared
  - Stopping the sharing of PHI for non-treatment reasons before authorization is provided
  - Having healthcare workers double-check that authorization has been obtained from the patient
  - Making one final check that the patient signed the completed form
- Releasing Patient Information Without Authorization. Avoid this by:
  - Using extreme caution regarding the sort of information that is shared with third parties, even when authorization has been provided
  - Making sure the authorization form includes the range of information that has been authorized for release
  - Not allowing the sharing of any information that is not detailed on the authorization form
- Disclosures of PHI to Third Parties After the Expiry of an Authorization. Avoid this by:
  - Seeing to it that every HIPAA authorization form includes who is authorized to receive PHI, the range of PHI being released and why this is necessary
  - Including an authorization expiry date
  - Not allowing PHI to be shared after the expiry date has passed under any circumstances
- Impermissible Disclosures of Patient Health Records. Avoid this by:
  - Ensuring that patients can obtain a copy of their health records on request or have their records provided to a nominated third party
  - If a nominated third party is collecting the records, making sure they have been included on the HIPAA authorization form before they are given the records
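The required form elements and the avoidance checks above can be enforced as a single gate in front of any release of records. The following is an added example, not code from the original article or from any real records system: it models a release form as a hypothetical `Authorization` record, reports the required elements that are missing, and refuses a requested disclosure when the form is defective, revoked or expired, the recipient is not named, or the requested PHI goes beyond what the form details. Names, fields and the sample form are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Hypothetical record of a completed release form (constructed for this example, not a real data model).
@dataclass(frozen=True)
class Authorization:
    patient_id: str                      # identity of the individual whose PHI will be released
    recipient: str                       # who is authorized to receive the PHI
    phi_scope: FrozenSet[str]            # outline of what PHI may be released
    purpose: str                         # what the PHI will be used for
    expires_on: Optional[str]            # expiration date (ISO), None if the form lacks one
    signed_on: Optional[str]             # date of signature (ISO), None if never signed
    signer: str                          # the patient, or a representative signing for them
    representative_authority: str = ""   # relationship and authority, needed when signer != patient
    revoked: bool = False                # set once the patient exercises the right to revoke

def form_defects(a: Authorization) -> List[str]:
    """Required elements missing from the form; a defective form authorizes nothing."""
    defects = []
    if not a.phi_scope:
        defects.append("no description of the PHI to be released")
    if not a.purpose:
        defects.append("no stated purpose")
    if a.expires_on is None:
        defects.append("no expiration date")
    if a.signed_on is None:
        defects.append("form not signed")
    if a.signer != a.patient_id and not a.representative_authority:
        defects.append("representative's authority not described")
    return defects

def disclosure_denials(a: Authorization, recipient: str, phi_requested: List[str], on: str) -> List[str]:
    """Reasons a disclosure requested on date `on` must be refused; an empty list means permitted."""
    denials = form_defects(a)
    if a.revoked:
        denials.append("authorization revoked")
    if a.expires_on and date.fromisoformat(on) > date.fromisoformat(a.expires_on):
        denials.append("authorization expired")
    if recipient != a.recipient:
        denials.append("recipient not named on the form")
    extra = sorted(set(phi_requested) - a.phi_scope)   # anything not detailed on the form
    if extra:
        denials.append("PHI outside the authorized scope: " + ", ".join(extra))
    return denials

# Constructed sample: a patient authorizes release of two record types to an underwriter.
SAMPLE = Authorization("P-1001", "Acme Underwriting", frozenset({"lab results", "medication list"}),
                       "insurance underwriting", "2024-12-31", "2024-01-15", "P-1001")
```

Every refusal reason is returned rather than only the first, so a release desk can tell the patient exactly which element of the form needs completing or renewing.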
Examples of HIPAA Breaches Involving the Release of Patient Information
- Former Member of Staff Causes HIPAA Breach at Northwestern Memorial Hospital
- $48.2 Million in HIPAA Penalties Paid by Anthem to Settle State Attorneys General Data Breach Investigations
- Several Employees of Washington Health System Suspended for HIPAA Breaches
- Patients' PHI Exposed in Two Separate HIPAA Breaches
- Consequences of Veteran Affairs and Sutter Health HIPAA Breaches Revealed
The easiest way to avoid the improper disclosure of patient information is to ensure that all members of staff within your organization are provided with HIPAA training on an ongoing basis. Without this there is a real chance that your organization, or a member of staff, could end up on the wrong end of a HIPAA fine, penalty or criminal conviction.