Releasing_Protected_Health_Information

Releasing Protected Health Information Amanda Cantrell HCR 210 June 25, 2012 Kimberly Kirby-Bass Protected health information (PHI) is any kind of information that can identify a patient such as name, address, telephone number, date of birth, Medicaid number, social security number, medical record numbers, and the name of an employer (Green & Bowie, 2005). Anytime someone asks for any of this information, a consent form must be filled out and signed by the patient. HIPAA has established specific guidelines for this type of authorization form (Green & Bowie, 2005). Also, all covered entities are required to talk to the patient and inform them of how they will disclose their information. Any individual has the right to decline any authorization except for when the information has already been released or when a health insurance agency is requesting the information (Green & Bowie, 2005). When it comes to different agencies or groups, HIPAA has different uses and discloses and whether you need consent or not for the information is in the privacy law. Legal agencies and representatives can acquire different kinds of information without having any kind of authorization to do so. Some of these include court orders and subpoenas. A protective order can only be issued to the person at hand and once it has been delivered, all copies must be returned to the covered entity and destroyed once the matter is over (Green & Bowie, 2005). When HIPAA enforces authorization to be obtained, then covered entities have to make sure they obtain the consent so that they are able to get in contact with the correct attorneys and they can request the information. Attorneys have several reasons that they would have to request information with consent and one of those is if they were going into a medical malpractice lawsuit. In this case, the facility’s risk manager must be notified to determine if the record needs to be reviewed before it is released (Green & Bowie, 2005). The only thing is that when conducting a review of the chart, all incident reports have to be pulled out if any were filed. Incident reports are not supposed to be filed in charts because they allow the people called to testify to review the events prior to the testimony (Green & Bowie, 2005). This is inappropriate because they should be able to remember things without having to look back at paper work and you will be able to tell if they lie or not. Covered entities must obtain authorization from patients to disclose information to certain government agencies. For instance, in order for the Department of Social Services to obtain any of your or your child’s medical records, they have to have your permission to do this. Another organization that has to obtain consent is the Bureau of Disability Determination. In my opinion, disability agencies should not have to require consent because the purpose of filing for disability and qualifying for it depends on your medical history. If you do not give consent to disclose this information, then how are they going to determine whether you qualify or not. I think that this should fall under the category of not having to have authorization to disclose protected health information. Covered entities can access your Medicaid or Medicare, military and veterans activities, armed forces personnel and correctional institutions for inmates and personnel without having authorization. “A covered entity may use or disclose PHI without obtaining written authorization of the individual for activities and purposes associated with research that has been approved by an Institutional Review Board (IRB)” (Green & Bowie, 2005). This is because HIPAA does not consider research to be treatment, payment, or health care operations. Authorizations are necessary for research purposes unless an exception applies (Tilden, 2002). All actual treatments that are given or performed during research require consent of authorization. It does not matter if you are a government agency, law enforcement agency, another healthcare facility that is requesting information, or if you are a parent or guardian, all facilities have to have some kind of HIPAA policy and disclosure paper for the patient to fill out and sign. I feel that privacy safeguards are adequate and up to date for most places. Every facility must ensure that confidentiality is maintained throughout every department in their practice. Although there are some times when records are released without consents, confidentiality still should remain in place for everyone. References Green, M. & Bowie, M.J. (2005). Essentials of Health Information Management: Principles and Practices. Health Care Delivery Systems. Clifton Park, NY: Thomson Delmar Learning. Tilden, S. (2002). Research Health Information and the HIPAA Privacy Rule. Retrieved from www.law.uh.edu on June 25, 2012. Pudget Sound Blood Center. (2003). Patient Care-HIPAA Regulations. Retrieved from www.psbc.org on June 25, 2012. U.S. Department of Health and Human Services. (2012). Summary of the HIPAA Privacy Rule. Retrieved from www.hhs.gov on June 25, 2012.