« Many Health Systems Are Adopting Strict Policies on Vendor Gifts to Physicians | Main | Getting off physician call rotation »

January 31, 2008

Third party request to release patient information - HIPAA

The following question and answer was rececently published in HcPro's HIPAA Weekly Advisor, a free, weekly e-mail newsletter brought to you by HcPro's premium monthly newsletter Briefings on HIPAA:

Q: If a third party, such as an insurance company, requests that we release patient information, should we deny sending patient records if the request doesn't include the following statement required by HIPAA?

"I understand that I may refuse to sign this authorization and that my refusal to sign will not affect my ability to obtain treatment or payment, enrollment, or my eligibility for benefits."

A: Authorization is not necessary if you are releasing information to an insurance company that is paying for the individual's healthcare.

The privacy rule permits disclosure of PHI for treatment, payment, and healthcare operations without authorization.

If you are disclosing information for other purposes, a valid authorization is necessary, unless the disclosure is required by law. For example, if a life insurance company requests information, HIPAA requires authorization, because the life insurance company does not pay for healthcare services.

To be valid under the privacy rule, an authorization must contain at least the following core elements:

  • The name of the institution/individual authorized to release the information
  • The name of the institution/individual authorized to receive the information
  • A description of the information to be disclosed that identifies the information in a specific and meaningful fashion, including dates of treatment
  • A description of each purpose for the requested use or disclosure
  • An expiration date, or an expiration event, that relates to the patient or the purpose of the request
  • The signature of the patient (or his or her personal representative) and the date signed
  • A description of the representative's authority to act on the patient's behalf (if the patient's personal representative signs the authorization)

In addition to these core elements, a valid authorization also must contain the following:

  • Statement of the patient's right to revoke the authorization in writing and exceptions to the right to revoke, together with a description of how the patient may revoke the authorization
  • Statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on whether the individual signs the authorization
  • Statement that the information disclosed may be subject to redisclosure by the recipient and no longer be protected by state or federal law or regulations

Editor's note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83451b7e869e200e550193bae8834

Listed below are links to weblogs that reference Third party request to release patient information - HIPAA:

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.