Release of Information Properly
The review and analysis for the topic "The Ramifications of Releasing Protected Health Information (PHI) improperly" was extracted from a facility that does not wish to be identified in this paper. Therefore, this facility shall be referred to as the "Fix-Me" facility. The Health Information Management Service at the Fix-Me facility was evaluated for its ability to release information to patients and other third parties effectively, for the accuracy of the delivery process, for its process when a notification of deficiency was received and for its total effectiveness. One model used in the evaluation was developed from the Service's current release of information (ROI) practices and another model was developed from government regulations, policies and a review of the best practices literature. A new supervision practice was piloted to evaluate the effectiveness of this study. It is recommended that Fix-Me utilize the new model for ROI processing to meet the legal and government compliance rules, regulations and policies.
Chapter 1: Introduction and Problem Statement
Privacy and security with respect to patients' sensitive information is a critical issue in the healthcare industry today. In addition to the personal sensitivity of such information, there is significant concern regarding identity theft and medical identity theft. The conversion of paper medical records (chart copy) to Electronic Health Records (EHR) has led to the development of new security rules and procedures. The legal standards regarding patient privacy and EHRs are laid out in the Health Insurance Portability and Accountability Act (HIPAA; 45 CFR 160-164) and the Privacy Act (5 CFR; 552a). HIPAA and the Privacy Act both have compliance and accountability sections built into them and it is up to each facility to achieve an acceptable level. If an acceptable level is not maintained, the facility may be culpable under the law. The objectives of handling Protected Health Information (PHI) and Personally-Identifiable Information (PII) correctly are manifold: to maintain accurate and reliable health information; to ensure privacy and confidentiality of PHI; and to suppress medical identity theft.
The law (45 CFR) specifies numerous criteria for the proper release of PHI to which the facility must adhere:
The request must be in writing.
The request must be specific.
The request must have an expiration date.
The request must be authorized / signed by the person to whom the data pertains, or their legal representative.
Verification of identity of the person making the request.
The request must be dated.
A statement that the authorization may be revoked at their written request.
Must have a method of "accounting of disclosures."
The Fix-Me facility honors all mail-in, fax, and hand-delivery of medical PHI and PII release of information (ROI) requests; they do not accept e-mail requests. Although the Fix-Me facility appears to be compliant with all of the Federal laws, there are a few flaws in their ROI system such as:
Potential faxing of protected information to the wrong addressee.
Potential mailing of the data from patient "A" to patient "B" improperly.
Upon execution of the ROI request, taking the data for patient "A" from the printer and, without verifying that it actually belongs to patient "A," giving the data to a person other than the requester.
Not verifying the identity of the caller on telephone requests.
Releasing patient PHI / PII and then updating the wrong patient in the accounting of disclosure software.
Releasing sensitive information (psychological, HIV, etc.) without consulting the physician prior to the release of the data. This could have a detrimental impact on the patient's well-being.
Not meeting the thirty-day HIPAA ROI timeline. The clerks are rushed and end up sending the requested ROI data to the wrong patient / address.
The ROI supervisor and management were aware of a few of the issues discovered in the pilot assessment, yet they were not aware of the majority of these issues. Therefore, the pilot study was accepted by the Fix-Me facility. The Fix-Me facility was pleased with the concept, proposal and outcome of this study, from the managerial, efficiency, effectiveness, and legal liability standpoints.
Chapter 2: Literature Review
The release of Protected Health Information (PHI) and Personally-Identifiable Information (PII), either in paper chart form or in Electronic Health Record (EHR) form, is an issue of significant concern for health care providers and their patients. For the institution, the risks are high since there are legal consequences for the mishandled release of information. For the patient, there are equally negative consequences, such as medical identity theft, financial loss and potential damage to their health. Medical identity theft can result in erroneous entries to the patient's health care records, which can affect the patient's medical and financial records for a long time (Federal Trade Commission, 2003 & 2007). In each medical facility, there is a need for trained professionals who can properly process Release of Information (ROI) requests. These individuals must also be able to properly make requested disclosures to first and third parties, preserving the integrity of the data and the privacy of the PHI. Moreover, these trained professionals cannot become complacent or corrupt, as this can lead to loss of privacy and security of the PHI (Littleton Police Department, 2004).
The Health Insurance Portability and Accountability Act (HIPAA) was an attempt by Congress in 1996 to reform the health care system. HIPAA applies to health care providers, health plans and health care clearinghouses that utilize EHRs. HIPAA is enforced by the Department of Health and Human Services (DHHS). All facilities are required to use HIPAA as the basis of their action plans regarding the handling of PHI and PII. Parts of several other pieces of legislation also apply, including the E-Government Act; the Electronic Communications Privacy Act (ECPA); the Freedom of Information Act (FOIA) and the Privacy Act.
These laws have been enacted to deal with an increase in crimes related to health care information. Approximately half a million Americans have been victims of a medical identity theft crime. In large part, these crimes have been the result of poor handling of sensitive information by medical clerks, patients and disposal personnel. As a result, patients are increasingly hesitant to request information from their own records. There is reason to believe that some patients harbor a distrust of the entities that are maintaining and protecting their PHI and PII data. One of the causes for this fear is the reality that although victims have enforceable rights, those rights can only be enforced if the error is identified and corrected (Government Accountability Office (GAO), 2005).
Patients are the primary stakeholders with regard to PHI and PII issues. They have the most to lose from improper handling of their sensitive information. From the patient's perspective, the desired outcomes for EHR and ROI handling are integrity, accuracy, timeliness of release, confidentiality, privacy and security. Each of these topics has been the subject of many articles and training manuals. They are the focal point of EHR and ROI training programs and are the most important principles to which health care providers must adhere for the protection of PHI and PII (American Health Information Management Association (AHIMA), 2007).