Release of medical forms under HIPAA

Release of medical forms under HIPAA

In regard to the release of medical records, does the patient still have to sign the form? If they do, when do we need to have them sign the form? Does the form only need to be signed when the patient is transfering to another practice, and we will no longer be treating them?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The answers to these questions vary depending upon what type of covered entity you are, specific details of your situation, etc. I can answer this from a high-level, but I still recommend that you obtain outside HIPAA expertise from an attorney or HIPAA consultant. The August 2002 updates to the Privacy Rule includes that consents from patients are no longer required. However, authorizations for use and disclosure of protected health information must be obtained from patients, except in the following cases:

  • use and disclosure during healthcare treatment, payment and operations
  • those allowing opportunity to agree or object
  • if use or disclosure is exempted under the rule
  • if use or disclosure is required under the rule (for example, to the individual, to the DHHS Secretary, etc.)

There are many other factors to consider, such as whether or not you already have a relationship (e.g., business associate or healthcare services) with the other practice along with what type of service is being transferred (e.g., psychotherapy notes, general healthcare information, etc.) There's a chance that you will not need to have another authorization signed unless the patient's new provider is performing activities (e.g., marketing, research, etc.) that specifically require an authorization for which you did not previously perform.

Bottom line, the Privacy Rule is quite complicated and only outside expertise can get involved and understand your particular situation well enough to make sure you're doing things correctly. It may be expensive in the short-term, but outside expertise will provide value and will save you time, effort and money in the long-term.

I would like to express my deep appreciation to Becky Herold, Senior Security Architect at QinetiQ Trusted Information Management, Inc., for her expertise on this particular issue.

For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: HIPAA privacy changes trickle down to IT
News & Analysis: Experts answer users' HIPAA questions
Best Web Links: Securing healthcare/health services


This was first published in October 2002