
PHI disclosure legal issues, Part 2: Obtaining deceased patients’ records


After a loved one dies, there are numerous situations where families might need copies of the deceased patient’s medical records. For example, records are needed when the family submits a life insurance death claim or if they plan to file any sort of lawsuit related to the patient’s death.

But after a patient dies, HIPAA and state laws can complicate the process of obtaining these records, especially if the patient dies without a will, which is called “intestate.” Given the myriad of state and federal laws related to disclosure of deceased patients’ Protected Health Information (PHI), it is important that healthcare providers and their HIM staff establish a policy for what type of documentation must be provided by a requester in order to disclose their PHI. For example, unless an authorization signed by the deceased patient’s “Personal Representative” is provided, HIPAA prohibits the disclosure of PHI belonging to a deceased patient (decedent).

The person who qualifies as the Personal Representative under HIPAA changes when the patient dies. Durable healthcare powers of attorney, for instance, are revoked upon a patient’s death, meaning that without other documentation, the durable healthcare power of attorney is no longer the decedent’s Personal Representative. Adding to the complexity, while some states have adopted HIPAA’s definition of Personal Representative, many state laws list other people, such as family members, who can be identified as the decedent’s Personal Representative, if there is no will.

Complying with all applicable state and federal laws is certainly essential, but many healthcare providers adopt policies that are even more stringent. While state law may only require a copy of the decedent’s will, healthcare providers in that state may choose to require additional documentation proving executorship, such as Letters Testamentary. In other cases, if a patient died intestate, a hospital may require the person claiming to be the Personal Representative to petition the court to obtain Letters of Administration, a laborious process that can be made even more complicated if the decedent’s spouse, children, or another interested party objects to that appointment.

Rest assured, MRO staff who work at our clients’ facilities are trained on how to disclose deceased patients’ PHI according to the applicable federal and state laws and facility policies to ensure legal compliance.

To learn more about how MRO’s highly trained employees protect their clients through their PHI disclosure expertise and support, check out our clients’ experiences.

This is the second of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Information Governance was the buzz at AHIMA


The 87th Annual AHIMA Convention and Exhibit in New Orleans was a resounding success, despite the coinciding industry-wide transition to ICD-10, which occurred just a day after the event ended on October 1.

Not surprisingly, ICD-10 was a major topic of discussion during the conference. Other topics addressed were emerging issues surrounding data privacy and security including confidentiality, integrity and availability; interoperability; Release of Information (ROI); health information exchanges (HIEs); cyber security; and the Department of Health and Human Services’ Office for Civil Rights audit readiness, as we approach the launch of desk audits.

Information Governance (IG), however, was the most covered topic at the event. AHIMA defines IG as “an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”

To help navigate this increasingly complex issue, AHIMA released an IG tool kit that urges HIM professionals to take leadership in data sharing, budget allocation and collaboration with other departments for an IG plan. To ensure this collaboration is successful, HIM needs to delegate some IG responsibilities to other departments, which can be difficult, but allows the opportunity for HIM to integrate and oversee data silos it wouldn’t have had access to in years past.

This is just one of the emerging IG challenges that our chief technology officer, David Borden, discussed during the educational session he co-presented at AHIMA with Susan Carey, MHI, RHIT, PMP, the system director of HIM for Norton Healthcare in Louisville, Ky., a not-for-profit system comprised of five hospitals, 19 outpatient centers and 140 practice sites. In their session, Borden and Carey urged HIM professionals to “get in the HIE boat” to ensure their voice is heard and considered during HIE planning.

HIM professionals, who are typically the Protected Health Information (PHI) privacy and HIPAA experts within healthcare organizations, need to be integral in this planning because HIE was not created with HIPAA in mind, and has not been updated since. Organizational compliance has taken a backseat to the technical requirements of HIE, as David also told in a dual interview with Susan at AHIMA. This means that without the proper policies, procedures and safeguards, breaches can occur on a larger scale and much easier than in the past — with only a few keystrokes and mouse clicks — which exponentially increases risk and liability for healthcare organizations.

“Very often, it’s not well understood that security and privacy are two very distinct knowledge domains,” David told the publication, as well as AHIMA attendees. “IT is very good at security, and sometimes they may think that means they’re also good at privacy, without realizing that’s just as naïve as someone who’s trained in privacy thinking they understand all the ins and outs of security.”

As David and Susan’s presentation discussed, with the growth of electronic HIE, patient-identity matching is becoming a growing patient safety issue and workflow challenge that usually requires HIM to design a solution, but one that requires IT input and assistance. Patient identity is also one of the many data integrity issues that organizations face including accurately and reliably integrating PHI from other providers into the legal record.

Other emerging issues that David and Susan explored in their presentation include sharing of sensitive and “super-protected information”, such as mental health, AIDS/HIV and substance abuse information; patient consent management, such as opt-in, opt-out, and patient education; and managing the minimum necessary standard requirements for payers in a query-based HIE.

As HIEs expand and connect with other information networks, the rules-of-the-road may change without sufficient input from participants, which is why HIM needs to be ever vigilant in having its voice heard. “I feel like we’re in a good place with HIEs, but there’s a lot more work to be done,” Susan told “…[K]eeping those avenues open between IT and HIM is really what you want to strive for. We have to understand the roles we all play and what the use cases are.”

For information on these important IG issues that are impacting healthcare organizations, please download the slides from David and Susan’s AHIMA educational session by clicking here.


Reducing PHI breach risk essential for physician groups

For many physician groups, Protected Health Information (PHI) disclosure policies and procedures can vary greatly between practice locations. This variability and limited administrative oversight increases the risk of a PHI breach, which can be costly in terms of reputational damage and financial consequences.

Transitioning a physician group from multiple different Release of Information (ROI) processes to a single ROI technology platform, with the help of an experienced and knowledgeable PHI disclosure management partner, can help identify errors before records are released and avoid these costly breaches. A standardized process across any size practice through a single platform ensures that consistent and compliant ROI policies and procedures are enforced and safeguards are established to prevent a breach.

Practices face same improper disclosure liability as hospitals

Physician practices carry the same PHI disclosure liability as hospitals, although many groups lack the resources of a large health system to recover from a significant breach. HIPAA financial penalties can be as much as $50,000 per breach or $1.5 million annually for repeated occurrences. In addition to such penalties, there are soft costs associated with each breach, ranging from $8,000 to $300,000, according to the results of an American National Standards Institute (ANSI) survey of organizations that had been affected by a PHI breach. Those figures do not include the HIPAA violation civil penalties, but rather costs such as credit or identity-theft monitoring for breach victims, forensic and legal fees, and reputational harm, including loss of goodwill and of business, according to survey respondents. In addition, the reputational harm suffered by practices due to a breach may be more significant than for a hospital because of the group’s narrower patient population.

Just because practices typically have fewer overall ROI requests than hospitals or health systems doesn’t mean a breach is any less likely. MRO’s research shows there are more than 100 error types found across ROI authorizations and that 20 to 30 percent of authorizations are initially invalid. Plus, the PHI disclosure processes that many practices follow are highly susceptible to human error. These errors could include disclosing the wrong patient records due to commingled records, which affect at least 0.7 percent of releases.

Practices may not even be aware of how many unauthorized ROI requests are approved, or have tools to identify and prevent the release of commingled records. And without safeguards to mitigate risk, practices may be facing the matter of “when” rather than “if” a breach will occur.

Reduce risk, increase efficiency

Standardizing PHI disclosure across physician practices with a centralized ROI solution can help reduce this risk by ensuring consistently enforced policies and procedures. With a single technology platform and an experienced, knowledgeable PHI disclosure management team that can offer best practices and tools, a physician group’s procedures can become compliant faster while relieving practice staff of the burdens of ROI, including Quality Assurance and billing.

Best of all, centralizing and standardizing ROI processes through an outsourced partner can give practices more time and resources to concentrate on revenue-generating activities, and most importantly, focus on patient care. The liability of establishing safeguards to mitigate breach risk should be a business partner’s concern so practice staff can focus on what truly matters: patients and their care.

To learn more about how your group can reduce breach risk and increase efficiency, please read about Lehigh Valley Physician Group’s experience with centralizing their PHI disclosure here.
