While they may be the primary handlers of the data and the patient within it, medical records are never the exclusive property of any practice to do with as they will. For circumstances that require the release of a patient’s medical records to another party (may it be family members, legal counsel, or even other healthcare practices) an “authorization” is required. In its most common and legally binding form, this is called a medical release form.
So what are the essentials that every medical practice should remember when dealing with medical record authorizations, and what is a common pitfall that you can avoid so you remain compliant with regulations? In essence, the crucial thing that a medical practice has to remember is that a medical release form has to be signed and released following HIPAA laws, though there are situations where the laws of the state may supersede these rulings.
Releasing a patient’s medical records without their approval to another party can result in extensive litigation under the Health Insurance Portability and Accountability Act and the Patient Protection and Affordable Care Act. Both of these stipulate that any mishandling of patient information, a breach of patient confidentiality, and overall carelessness with the handling of a patient’s medical records can come with steep fines, consequences, and legal liabilities.
That is why a medical record authorization for the release of information is necessary: it protects a healthcare provider from litigation, gives express approval for the receiving party to do with the information what they will, and it provides a public record that the patient, the healthcare provider, and the third party have access to that information. If you are ever asked for medical information about your patient by anyone or any organization, you should never release it without authorization.
As the primary purpose of a medical record authorization is to protect the patient’s privacy and you against any litigation, any medical record that you accept or have your patient sign must contain the necessary parts that can hold up in court.
Here are seven essentials of a medical record authorization for release of information:
Above all else, it’s important to clarify why exactly this information is being released. Being clear about why the patient needs to share their information is essential for all parties to be on the same page about what their expectations are from each other. This also helps keep patient-practice confidentiality, as it clearly delineates who exactly should have access to this information, with the additional capability of tracing any possible leaks if they happen.
The next item should be everything about the patient (and the one signing on creating the form on their behalf, if applicable) that can be useful to both the receiver and the sender of the medical records. This is included, but not limited to:
Basically, anything you can use to identify the patient should be listed here. Keep in mind that some state laws may forbid the release of specific identifying information, so check with your local regulations before requesting or adding these identifiers.
This section should list all the specific information that the receiving party has requested from the patient’s medical records. These usually take the form of test results, though depending on the patient’s condition or the requirements of the receiving parts, other information like scans, images, and doctor’s notes may also be requested. A patient may choose to limit the medical information they disclose in the form, though you should remind them that withholding essential information can also cause them to be held legally liable.
A patient may choose the parties who they approve to access their medical information, but you should be absolutely clear that they should put all pertinent identifiers and other information of the receiving party in the medical record authorization. The more specific the patient is, the better. If there are multiple receivers of the medical record, the patient should create different authorizations for each one.
This section informs the patient as to how their information will be used, their rights in controlling its usage and dissemination, and other actions they can take about their medical records. This is extremely helpful if your patient has a sensitive condition that can affect their career, such as HIV. Be clear to your patient that this section is crucial for them to understand since it gives them the agency to act on their information if they feel like it’s been misused, and retract approval of the release of their medical record whenever they see fit.
On the other hand, if the patient is fine with you and the receiving party in your use of their information, it’s still standard protocol to create an expiration date as to when the information in the medical record isn’t valid anymore. While this may mean that you’ll need your patient to create and sign more authorizations if they are needed in the future, this also ensures that the information stays confidential and you are no longer liable even if you are no longer the patient’s healthcare provider. If the patient declines to add a date, 90 days is usually the standard observed by the industry.
Finally, the signature and date are essential to establish the validity of the authorization. Keep in mind that your patient must be of sound mind and body before being allowed to sign off on the release of their medical records: if they cannot, it has to be someone authorized to sign on their behalf like their spouse or legally designated attorney. Always cross-check the signature they’ve used with the signatures that you have on hand, as medication can sometimes change how a person writes their signature.
While the specifics of each requirement may vary depending on your industry, the patient’s conditions, and the requirements of the receiving party, an authorization should always have all of these essential components to count as a legally viable and binding document.
You may wonder if HIPAA is the only regulation that matters with releasing a patient’s medical records. While it’s true that the core rules and regulations concerning patient privacy are detailed in the HIPAA, it’s not always the rule that you should follow when releasing medical records or going through authorizations. In cases where HIPAA does not have a ruling on an issue, state regulations apply. However, in cases where state regulations and HIPAA have a conflict, the rule to follow is generally the one detailed in the HIPAA.
The proper release of medical records always requires authorization to protect the patient’s privacy and to help keep you from being liable. While it may sound like plenty of paperwork, getting the proper authorization for the release of a medical record is an essential step in ensuring that your practice remains compliant with all the necessary regulations.
Calysta EMR specializes in providing practices with the tools that they need to keep patient data in one platform for easier access, security, and privacy. Contact us today to learn more about our services.