Agency regulations can be a jungle of legal language, and physicians who are not aware of regulations may find themselves in an administrative conundrum. The most notable regulations facing Texas physicians are the federal regulations created to implement HIPAA. In this monthly feature, the TMA Office of General Counsel discusses practical steps on how to begin the process of complying with those regulations.
Declining to Release Medical Information and Independent Review
By Lee Spangler, JD, TMA Office of General Counsel
Physician practices must comply with the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations by April 14, 2003. Many office procedures will have to be modified to comply. One of them will be how a practice refuses to release medical records. Under current Texas law, a physician may refuse to release medical information to a patient if he or she determines that access to that information would be harmful to the physical, mental, or emotional health of the patient. Also, the physician may redact confidential information about another patient or family member of the patient who has not consented to the release before making copies or a narrative of the records available. This determination is made by the physician unilaterally and must be communicated to the patient in writing.
HIPAA, however, introduces a new threshold for refusing to disclose information, as well as new office procedures that must be followed. Before HIPAA, patients' access to their medical information was generally a function of state, not federal, law. The regulations adopted by the U.S. Department of Health and Human Services (HHS) grant a new federal privilege to patients that gives them access to their Protected Health Information (PHI) in the Designated Record Set (DRS). HHS characterizes this new privilege as a "right" and places limitations on a physician's ability to unilaterally determine whether medical information should be kept from a patient.
A physician may unilaterally deny access or review of the PHI if that information is the patient's psychotherapy notes, if it has been compiled in anticipation of litigation, or if the Clinical Laboratory Improvement Amendments of 1988 prohibit access by an individual patient. Also, a physician may unilaterally deny the patient access to the information if the physician obtains the information from another person after promising confidentiality, and permitting access to the information would likely reveal the source. A physician also may refuse access to information if it is gathered during research and if the individual has agreed to the denial of access when consenting to participate. It should be pointed out, however, that the right of access must be reinstated when the research is completed.
Access to information may be prevented in two other unusual situations. Access to the PHI may be denied if the physician is working within a correctional institution and an inmate's access to a copy of his or her PHI would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of any officer, employee, or other person at the correctional institution. Also, an individual's access to PHI in records subject to the Federal Privacy Act may be unilaterally denied.
The privacy regulations require physicians to designate a licensed health care professional to review their decision to deny access to medical information in certain circumstances. That person must not be directly involved in the decision to deny access. Upon the patient's request, the physician must quickly refer the patient's "appeal" to the designated person. The reviewer must then decide within a reasonable time whether access should be denied. The decision of the reviewer is final and binding upon the physician. There must be written notice to the individual of the reviewer's decision.
There are three situations in which a physician's denial of access must be reviewed:
- When the physician has determined that access is reasonably likely to endanger the life or physical safety of the individual or another person;
- When the PHI refers to another person (unless he or she is a health care professional) and the physician has determined that access is reasonably likely to cause substantial harm to that person; and
- If the information is requested by a patient's personal representative and the physician determines that granting access to the representative is reasonably likely to cause substantial harm to the individual or another person.
Any denials must be written in plain language and include the basis for the denial and information on how the physician's decision may be reviewed, if applicable. Also, the communication must describe how the patient can file a complaint with the physician's office, including the name and telephone number of the practice's privacy officer.
Outside of the circumstances listed above, in regard to both reviewable and unreviewable denials, a physician must give the patient access to the information or risk violating the HIPAA privacy regulations. Furthermore, the physician must provide access to any other PHI requested, after excluding the PHI for which the physician has a ground to exclude access.
Protected Health Information
Individually identifiable health information transmitted by electronic media, maintained in any medium meeting the definition of electronic media, or transmitted or maintained in any other form or medium.
Individually Identifiable Health Information
Information created or received by a health care professional, health plan, employer, or health care clearinghouse that relates to a patient's past, present, or future physical or mental health; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to a patient. The information must also identify an individual, or there must be a reasonable basis to believe the information can be used to identify the individual.
Electronic Media
Includes the Internet, Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.
Designated Record Set
A group of records maintained by an entity that must comply with HIPAA that are the medical or billing records about an individual used, in whole or in part, by the entity to make decisions about individuals.
Psychotherapy Notes
Notes maintained by a mental health care professional who is documenting or analyzing the contents of conversation during a private counseling session or group, joint, or family counseling session, and that are separated from the rest of the individual's medical record. This excludes medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.