HIPAA: Releases of Information v. Authorization
by Kim Stanger
Healthcare providers are often confused by or misunderstand the rules governing the release of a patient’s information at the patient’s request. HIPAA allows certain disclosures without the patient’s written authorization, including disclosures to other providers or third party payers for purposes of treatment, payment, or healthcare operations; to family members or others involved in the patient’s care or payment if certain conditions are met; or for certain government or public safety concerns if regulatory requirements are satisfied. (45 CFR 164.502, 164.506, 164.510 and 164.512). Other disclosures generally require the patient’s consent or written authorization. (45 CFR 164.502). The rules for such written releases of information (“ROI’s”) differ depending on who is requesting the records and to whom the disclosure will be made.
1. Disclosures to the Patient or Personal Representatives. Under HIPAA and subject to limited exceptions, a patient or the patient’s personal representative1 generally has a right to obtain a copy of the patient’s protected health information maintained in the patient’s designated record set.2 (45 CFR 164.524(a)(1)). If the provider chooses, the provider may require such requests to be in writing so long as the provider informs the individual of the requirement. (45 CFR 164.524(b)(1)). The provider must produce the records in the form or format requested (e.g., paper or electronic format) if readily producible. (45 CFR 164.524(c)(2)). It is usually a good idea to require written requests to document the date, scope, and format of the request. Once received, the provider has 30 days to respond to the request. (45 CFR 164.524(b)(2)). Although the provider may respond immediately, it is usually a good idea to take some time to collect and review the requested records before responding, thereby ensuring that the records provided are accurate, complete, and do not contain inappropriate information. Providers may charge the patients or personal representatives a reasonable cost-based fee for the records. (45 CFR 164.524(c)(4); see article at https://www.hollandhart.com/charging-patients-for-copies-of-their-records-ocr-guidance). The patient’s right to access information generally includes all information in their designated record set, including records created by or received from other providers. (OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, hereafter “OCR Guide” available here).
HIPAA does not specify any requirements for a patient’s written request to access information, but a good form would typically include: (i) the patient’s identifying and contact information; (ii) a specific description of the records requested (including the date range and type of records requested); (iii) the format in which the records are requested; (iv) the date of the request; (v) the address to which the records should be sent, if applicable; (vi) notice of any charges for the record; (vii) the patient’s or personal representative’s signature; and (viii) in the case of the personal representative, a description of the personal representative’s authority. The provider’s form or method for requesting access must not create a barrier to or unreasonably delay the individual from gaining access. For example, the provider may allow but may not require an individual:
- to physically come to the doctor’s office to request access and provide proof of identity;
- use a web portal to request access or obtain the records; or
- mail the request to access the record.
(OCR Guide). Covered entities are expected to be able to mail or e-mail the requested records to the patient, and may not require that the patient pick up the records in person. (Id.). For more information concerning disclosing records to the patient or the personal representative, see the OCR Guide.
2. Disclosures to Third Parties. The patient or personal representative may also request or authorize disclosures to third parties. In the wake of the HIPAA omnibus rule, the form of release differs depending on the nature of the request.
- Releasing Information at the Direction of the Patient. If the patient or personal representative directs the provider to transmit a copy of protected health information directly to another person or entity designated by the patient or personal representative, the provider must transmit the copy as directed; failure to do so would violate the patient’s right of access and subject the provider to HIPAA penalties. (45 CFR 164.524(c)(3)(ii)). The patient need not execute a formal HIPAA authorization as described below; instead, the patient’s request need only: (i) be in writing; (ii) signed by the patient or personal representative; (iii) clearly identify the recipient(s); and (iv) state where the records are to be sent. (45 CFR 164.524(c)(3)(ii)). Such requests initiated by the patient or personal representative are extensions of disclosures to the patient, and therefore, the rules for disclosures to the patient apply: the provider has 30 days to respond; must transmit the records in the form requested by the patient if readily producible; may only charge a reasonable cost-based fee; and may not impose barriers or unreasonably delay production. (OCR Guide)
- HIPAA Authorizations to Disclose to Third Parties. If the request for records is initiated by a person other than the patient or the patient’s personal representative, HIPAA generally requires a valid HIPAA authorization unless an exception applies. (45 CFR 164.502(a) and 164.508(a)). Unlike written requests initiated by a patient, HIPAA authorizations may not be combined with any other documents and must contain specified elements, including: (i) a description of the information to be disclosed; (ii) the name or description of the person(s) or entity authorized to make the disclosure; (iii) the name or description of the person(s) or entity to whom disclosure may be made; (iv) the purpose of the disclosure; (v) an expiration date or event; (vi) the patient or representative’s signature; and (vii) in the case of the personal representative, the authority of the personal representative. (45 CFR 164.508(c)(1)). In addition, the HIPAA authorization must contain certain required statements, including: (i) the individual’s right to revoke the authorization; (ii) limits on the provider’s ability to condition treatment on the authorization; and (iii) the potential for redisclosure and any subsequent loss of protection. (45 CFR 164.508(c)(2)). HIPAA authorizations originated by third parties are generally not subject to the same requirements as requests initiated by the patient, e.g., providers are not required to respond to such authorizations; are not required to respond within a set time; are not required to respond in the format requested; and may charge appropriate fees so long as such fees do not constitute the sale of protected health information. (OCR Guide)The differences between patient requests and HIPAA authorizations are summarized in the following table from the OCR Guide:
HIPAA Authorization Right of Access Permits, but does not require, a covered entity to disclose PHI. Requires a covered entity to disclose PHI, except where an exception applies. Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization. Must be in writing, signed by the individual, and clearly identify the designated person and where to the send the PHI. No timeliness requirement for disclosing the PHI Reasonable safeguards apply (e.g., PHI must be sent securely). Covered entity must act on request no later than 30 days after the request is received. Reasonable safeguards apply (e.g., PHI must be sent securely). Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium. No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration. Fees limited as provided in 45 CFR 164.524(c)(4).
Next Steps. Providers should review their forms and processes for responding to patient requests to disclose information to ensure they comply with the HIPAA rules. If they have not done so, providers should review the OCR Guide, which addresses many nuances and arguably expands patient rights and provider responsibilities as set forth in the regulations. Finally, to the extent there is a more restrictive state or federal law, the provider should comply with the more restrictive law.
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
1Under HIPAA, a “personal representative” is the person who has authority to make healthcare decisions for the patient under applicable state law. (45 CFR 164.502(g)(2)-(3)). A personal representative generally has the right to access or authorize disclosures of information just like the patient. (45 CFR 164.502(g)(1)).
2“Designated record set” is defined as a group of records maintained by or for a covered entity that is:
- The medical records and billing records about individuals maintained by or for a covered health care provider;
- The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(45 CFR 164.501).