Legal and Legislative Updates
By Deana Johnson, JD
Posted on January 14, 2009 – It happens weekly: a client calls, reports that someone is requesting records, mentions there is a patient release, and seeks approval for the release of the requested information. The lawyer’s response is always the same…. We need to review the release.
Although the caller may be too polite to say it, the natural question is “why?” The answer, and purpose of this article, is that certain categories of information require very specific releases, and what is given by the requestor very rarely complies. Therefore, if the provider releases the requested information, he can be liable for violations of federal and/or state law, many of which contain strict penalty provisions.
There has been much written and even more complaining about HIPAA, a federal law governing confidentiality of patient records. The reality, however, is that most states had laws protecting this same information long before HIPAA was first debated by the legislature. Specifically, information about mental health treatment and infectious diseases has long been recognized as highly sensitive, requiring more than the garden variety release from the patient. HIPAA did not change those preexisting state laws; instead, it supplemented them. Thus, both before and after HIPAA, release of mental health or infectious disease information mandates a specific, knowing and timely release by the patient.
A True Story
An investigator from a parole board wanted to review mental health treatment records of a parolee to determine if he was meeting the conditions of his parole. The investigator sent a release to the treating facility and repeatedly called, asking to expedite the request. A call such as the one described in the first paragraph was placed to our law office. Upon a quick review, it was apparent that the release signed by the patient (almost a year prior) applied to telephone service providers, not health care providers. If the institution had relied on that release and provided confidential mental health information about the patient, both HIPAA and state law would have been violated.
Did the investigator knowingly provide the wrong type of release? Probably not. Releases have become so common, people are asked to sign very general forms well before information is actually needed. These contain no expiration date and no parameters on the type of information being released. Do not let a requestor bully you into believing such a general release protects you.
Instead, the first question always to ask is what specific information is being requested. The only way to answer that and protect yourself is to require the request be made in writing. Even an informal email suffices to put necessary parameters on the request.
The second question examines whether the patient release specifically covers the type of information requested. In order to answer this second question, you must see the release. Who is it addressed to? When was it dated? What information does it cover? A phrase such as “all medical information” or “all information in your possession” is insufficient to allow release of mental health or infectious disease information.
In order to comply with HIPAA and many state laws, a release for mental health or infectious disease information must specifically state that is the type of information being released. In addition, the release must contain reasonable time parameters. While the specifics of these items vary depending upon state law, a general rule to follow is that the release be limited to one year from date of execution and include separate lines for release of mental health or infectious disease information that are separately initialed by the patient. That way, the patient is clearly aware he or she is releasing this very specific type of information. If you are uncomfortable with the release provided, insist that the requestor use your institution’s form. Most hospitals and correctional facilities have form releases that the legal staff has reviewed and approved.
One final area to address is when the requestor does not seek copies of records, but instead or in addition, wishes to interview the providers. Such requests arise in the context of lawsuits, challenges to sentences, parole hearings, etc. Most of the time, the requestor sends the same release that he would use if seeking records. If you go back to the second question above—the type of information requested, you can find the answer to whether an interview is permissible. If the release is for mental health records, for instance, the patient has not permitted you to release protected health information other than in record form. You would not be permitted to discuss the care and treatment with the requestor.
Again, the safest course is to require a specific release for the interview requested. If parole officer John Doe wants to interview Dr. X and mental health caseworker Y, then the patient’s release needs to state: “I authorize Dr. X and mental health caseworker Y to meet with parole officer John Doe and discuss my protected health information, including but not limited to my mental health conditions, diagnoses and treatment.” With this specific patient release, you can be confident that the patient understands and authorizes the meetings.
While this may seem cumbersome for the requestor, your obligation is not to the requestor, but to the patient. The natural desire to assist and provide information cannot get in the way of necessary legal protections, designed not just to protect the patient, but to protect the health care provider as well.
So, when does a patient release actually protect you? Not until it specifies the entity or provider authorized to release the information, the exact type of protected health information to be released, whether it applies to written records, oral discussions of protected health information or both and when it contains reasonable time parameters.
Ms. Johnson is an attorney with Insley and Race, LLC, in Atlanta, Georgia. Readers may contact her at djohnson@insleyrace.com.
