Access to Medical Records In, and Prior to, Legal ProceedingsHealthcare Training Resource
July 1, 2013 — 1,072 views
Though the federal government's medical privacy legislation, widely known as HIPAA, has been in place since 1996, recent changes to the law make compliance with its regulations even more important. That's because, for the first time since the "Privacy Rule" segment of the legislation was enforced universally in 2003, the government is moving away from compliance-based enforcement of the law and toward a new system of audits, checks, and balances.
This new method of enforcing HIPAA regulations will have a direct impact on those medical practices that are working within legal proceedings, or those that have done so in the past. For this reason, those who work in medical records departments, and even law offices, need to make sure that they're following the law's guidelines for medical records releases in an exact fashion.
Medical Records Releases: When the Practice is Deemed Acceptable Under HIPAA
Perhaps the first thing to understand about releasing a patient's medical records for use in legal proceedings is simply to understand when and how the government deems this to be an acceptable practice. Under the 1996 "Privacy Rule" section of the HIPAA law, medical practices are permitted to disclose patient records and medical treatment information only when it is required under the law and authorized by the patient whose information is being requested. Authorization itself is heavily regulated, and medical practices can only claim they have full and acceptable patient authorization when the following conditions have been met:
1. The authorization must be written in what the HIPAA law calls "plain language," without rhetorical or grammatical flourishes.
2. The authorization needs to be inclusive of certain "core elements" that make it valid in the eyes of federal regulators. These core elements include the following:
- A description of any information that should be disclosed by the medical - practice
- The name of the person who will receive the disclosed information
- The name of the person who is authorized to disclose that information
- The purpose of all information disclosed
- The expiration date of that disclosure request
- The patient's signature, or their representative's signature, alongside the current date
Without any and all of these core elements, an authorization is deemed invalid a patient's information cannot be released.
3. Statements pertaining to the disclosure of the information, including:
- Language about the patient's right to revoke the authorization
- Any factors related to the authorization or disclosure that may affect the medical practice's ability to treat the patient in the future
- Any consequences associated with disclosure or re-disclosure by the recipient of the information
Acceptable Recipients of Disclosed Patient Information Under HIPAA
In addition to a valid authorization, government auditors will be looking to ensure that all information was transmitted by the medical practice to an acceptable third-party recipient. In the case of legal proceedings, medical practices are within their rights to disclose the information to the patient or their representative, an attorney representing the patient, or a third party that is involved in the legal action but may not be representing the patient.
Under the law, parties receiving patient information must make a reasonable attempt to limit the uses and requirements of patient records during legal proceedings. This determination is up to the medical practice. With these concerns addressed and the authorization certified, release of medical records can be pursued within full compliance of HIPAA laws and regulations, and without the specter of legal consequences and fines during a potential audit.