Release of information (ROI) is becoming an increasingly complicated and highly regulated process with consistent passage of new reforms, as well as privacy and security measures. The addition of new regulations is meant to protect the patient, but what if health information management (HIM) professionals don't quite have the time and/or resources to keep up with all of these changing rules?
Properly releasing copies of medical records is a multifaceted process, consisting of 32 specific steps that are further complicated by the use of multiple databases, varying state and federal regulations, specific laws around third-party requesters and patient privacy laws that those handling the ROI requests must address. If you are an HIM professional familiar with the rules of releasing medical records, I challenge you to answer the questions below and see how you do.
- You are working in a children's hospital. You have received a request from the mother of a 17-year-old married patient to release his medical records. The parents consented for the 17-year-old to marry and marriage is grounds for emancipation in the state. The mother wants the records to complete the personal health record she has compiled and wishes to give to her son. You:
- Copy the records for the mom because when the patient was a child, the mom was listed as the next of kin.
- Copy the records because the age of majority in the state is 18.
- Tell the mom that her son must sign the authorization now that he is an emancipated minor.
- Tell the mom that her son's wife must sign the authorization now that she is the next of kin.
- A "valid" authorization must contain specific elements including:
- A patient's right to revoke.
- A re-disclosure statement.
- Signed and dated by the patient or their representative.
- All of the above.
- The non-custodial parent requests a copy of their child's medical record. The parent provides documentation that she is indeed the child's parent. The non-custodial parent has a right to access the medical record.
(So, how did you do? Answers and explanations are provided below.)
The above answers are vital for every HIM specialist to know. Those questions came from the Certified Release of Information Specialist (CRIS) test, designed to certify those employed by a member of Association of Health Information Outsourcing Services (AHIOS) in the ROI profession to help them fully protect the confidentiality of patients' personal health information when that information is released to requesters. The CRIS test attempts to measure a broad working knowledge of situations that affect how protected health information (PHI) is released to others, including questions that directly relate to the privacy provisions within HIPAA.
The full test encompasses the volume of information that an HIM professional should know, and is therefore a very valuable tool in helping ROI professionals be prepared in handling medical record requests. Because health information is private and protected under state and federal laws, the test has been designed for the applicant/tester to answer 100 multiple choice and true/false questions. Given the wealth of information required for the ROI process with the liability of breaches so significant, many organizations choose to outsource this function to trained and certified third-party vendors. But remember, as hospitals outsource this process it is critical they use ROI experts who go through regular qualification programs similar to the CRIS certification.
Explanation: Each state has rules regarding how a minor can become emancipated. An emancipated minor essentially gets the rights of an adult, including the right to authorize the disclosure of PHI.
Explanation: An authorization must have certain components for it to be considered valid for the correct release of information (disclosure) under HIPAA. These are as follows:
- It must be written and identifiable
- The name of the patient or person authorized to sign it
- The reason for the release
- The specific information to be released
- The party to whom the information may be released
- The individual's right to revoke the authorization and how to revoke it
- An expiration date
- The signature of the patient or person authorizing the release
- The date the authorization was signed
- A statement about the inability / ability to condition treatment, payment, or health care decisions on whether the patient signs the releases
- A statement that the information may be re-disclosed and is no longer protected by HIPAA
Explanation: Not having custody does not mean parental rights are terminated. Parents have the right to access their minor child's PHI as the patient's representative. A court must sever parental rights to lose them.
For more information, visit the AHIOS Web site: www.ahios.org
Mariela Twiggs is CEO of MTT Enterprises, LLC & VELFILE, LLC. She is also CRIS Chair at the Association of Health Information Outsourcing Services (AHIOS).
For more on release of information, click here.