June 18, 2020
We get it, the struggle is real. The moans and groans about HIPAA always seem to get louder when medical practices have to figure out with whom, and how, sensitive data can be shared. Contrary to what many believe, HIPAA is all about properly sharing protected health information (PHI), not preventing sharing entirely. A practice that lacks confidence that its internal policies line up with best practices for sharing PHI securely may hesitate to send PHI to other parties requesting it, including other providers, or may not send it at all. Unfortunately, failing to act in a timely manner on a legitimate request to share PHI with another provider can be costly. Disclosure of PHI is highly regulated under HIPAA when it comes to sharing or receiving patient records with another practice, and there are consequences both for sharing too much information and for sharing too little.
First, the HIPAA Privacy Rule does in fact permit a health care provider to share patient information for treatment and health care operations purposes without written patient authorization, as long as reasonable safeguards are used to protect the information. To clarify what the U.S. Department of Health and Human Services (HHS) considers treatment, the Privacy Rule's definition reads: “Treatment means the provision, coordination, or management of healthcare and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”
Some key notes on sharing PHI between providers:
- Both providers must have a treatment or consultative role with the patient, whether past or present.
- The PHI requested or provided must pertain only to the relationship between the provider and the patient.
- Both practices involved in the exchange must implement the required technical safeguards when sharing electronically. Note that the Privacy Rule's “minimum necessary” standard does not apply to disclosures to, or requests by, a health care provider for treatment; it does apply to disclosures for health care operations and most other purposes, so practices should still limit what they send to what the request actually calls for.
- The practice does not need written authorization from the patient to share records with the requesting practice, as long as the disclosure is for treatment of the patient.
- A practice is permitted to disclose records that were created by another doctor. For instance, if one of your patients had records transferred to your office from their previous doctor, you are able to transfer those records on to another doctor as part of the patient's complete medical record.
Additionally, if a patient is the one requesting their records to be sent to another provider:
- HIPAA requires the practice to fulfill this request within a reasonable timeframe: no later than 30 days after receiving the request, with a single 30-day extension permitted if the practice gives the patient written notice of the reason for the delay. Failure to provide the records within that timeframe is a violation of the patient's HIPAA right of access, and cost one covered entity in Florida an $85,000 settlement.
- State regulations on provider-to-provider disclosures and timeframes may be more restrictive than HIPAA; where they are, the stricter rule applies.
- If a patient asks for a copy of their records, your practice should accept the request both in writing and electronically, especially during the transition to social distancing following COVID-19.
- The practice may take reasonable steps to verify the identity of the patient making the request, but identity verification must not create an unreasonable delay in the disclosure.
It’s time for providers to change their perspective on HIPAA, which is widely seen as a restrictive set of laws and regulations. HIPAA is meant to be a guideline on how to share sensitive and valuable data securely and efficiently, not a barrier or inhibitor, as so many see it now. Sharing properly will have positive effects on the healthcare industry as a whole and improve patient care for years to come. Don’t let the unknowns of HIPAA keep data from those who have lawful access to it, such as other providers or the patients themselves. Withholding it from them is just as much a HIPAA violation as sharing sensitive data with the wrong people.