Among the most confusing issues for release of information (ROI) professionals is understanding how to respond to the many different types of requests for information from patients, their personal representatives, or from third parties. The lack of consistent forms accompanying these requests makes it difficult to determine if records requests should be approved or denied.
To help address these concerns AHIMA has developed a “Patient Request for Health Information Model Form,” that offers a standardized way to submit ROI requests.
The form was reviewed by a number of AHIMA’s trusted partners, including Adam Greene, JD, MPH, a partner at the law firm Davis Wright Tremaine LLC. Greene presented a special webinar on Thursday titled “HIPAA Individual Right of Access or Why Your ROI Process May Not Be Compliant with HIPAA.” This webinar is the first in a planned series to address the “individual right of access” in the Health Insurance Portability and Accountability Act (HIPAA).
Greene’s webinar addressed three of the thorniest ROI areas of confusion:
- The difference between patient requests and third party requests for information
- The difference between patient request forms and authorization forms
- The difference in required responses to patient requests and third party requests for information
Difference between a Patient Request and a Third Party Request
Greene explained that ROI officials at HIPAA-covered entities (CEs) like hospitals, understandably, struggle in determining how and when to release records and/or assess fees for record requests when it’s unclear from the form submitted who is requesting the records. In particular, CEs face headaches when requests are forwarded by third parties. Greene says the Department of Health and Human Services’ Office for Civil Rights (OCR) has received a lot of feedback on this and guidance is expected in the future.
To better understand what to do, it’s important to understand the difference between a request from a patient, a patient’s personal representative, and a third party—such as an attorney or another healthcare provider. For HIPAA’s purposes, a personal representative is someone who, according to Greene, “can stand in the shoes of the patient” and has healthcare decision making authority. An example of a personal representative is a parent of a minor, or a legal guardian. Another way to look at this is if a person is authorized to terminate care at the end of another’s life, then they are considered a personal representative. Typically, this person is not the patient’s attorney, unless for some reason the attorney has been given medical power of attorney.
Due to the lack of standardization in ROI request forms, covered entities can be uncertain how to proceed. Greene points to OCR guidance that states:
“Where it is unclear to a covered entity, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party. OCR is open to engaging with the community on ways that technology could easily convey this information.”
“I know nobody wants to hear this, but picking up the phone and calling the patient may make the most sense here, because you don’t want to get this wrong,” Greene said.
Calling a patient to verify they sent a request can be construed as violating a patient’s right to access, according to Greene. But if a provider is acting in good faith, Greene believes OCR is likely to view the CE’s actions in a favorable light. In some cases where providers have called the patient, they have learned the patient hasn’t authorized the request at all. When in doubt, Greene advises CEs to check with their own legal counsel.
“I’m not going to pretend that everything is black and white,” Greene said. “There will always be gray areas. OCR indicates they’ll put out guidance. I expect it to be helpful but it won’t solve all problems. We will continue to see third parties like attorneys using patient right of access more and more instead of patient authorizations.”
The other challenge for covered entities is how to assess fees for records requests. Again, Greene pointed to OCR guidance, which states:
“[HIPAA fee limits apply] regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual (such as by an app being used by the individual). … as described above, where the third party is forwarding—on behalf and at the direction of the individual—the individual’s access request for a covered entity to direct a copy of the individual’s PHI to the third party, the fee limitations apply.”
AHIMA to Release Patient Request for Health Information Model Form
AHIMA’s new Patient Request for Health Information Model Form is intended to provide a plain language tool that provides patients a standardized mechanism to access their health information from a provider or organization. It is exclusively for access to the patient’s health information by the patient or their designated representative, and is meant to streamline the request to assist providers in complying with the 30-day timeframe for patient access addressed by OCR guidance.
The form was developed by two AHIMA’s Practice Councils and has been reviewed by officials at the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC), OCR, and by Greene. The form will be officially unveiled at this year’s CSA Leadership Symposium on July 14, and then uploaded for public use on the AHIMA.org website.
A recording of Greene’s webinar and the accompanying slides have been posted for AHIMA members on Engage.
Update: this article previously included reference to an upcoming webinar series from AHIMA to accompany the form’s release on July 14, which has been removed. AHIMA is planning additional HIPAA-related webinars for this year that will focus on topics such as privacy and security and cybersecurity, but not as an ROI-focused series.