It's critical to understand the practicalities and pitfalls of non-HIM department release of PHI.
HIPAA's privacy rule has been in effect for 15 years, but this rule is worth reiterating at your healthcare organization to avoid expensive errors.
Just ask Fresenius Medical Care North America, for example, which in February agreed to pay $3.5 million to the U.S. Department of Health and Human Services Office for Civil Rights for potential violations of HIPAA rules, or 21st Century Oncology, Inc., which in December agreed to pay $2.3 million in lieu of potential civil money penalties for its failure to protect health records.
It's important to continually ensure safe and compliant enterprise-wide release of protected health information. That's the topic of an article in the April issue of the Journal of AHIMA, the publication of the American Health Information Management Association.
In an ideal world, all PHI disclosure requests would be handled by HIM departments, says Dawn Paulson, MJ, RHIA, director of informatics at AHIMA. A patient would submit a request in writing, and that request would be processed by HIM.
"I think every HIM department prefers that it be conducted in the department," she tells HealthLeaders Media.
But that's not always realistic, and "there are some cases that it makes sense for release to occur outside of HIM," Paulson says. Plus, EHRs make it easy to simply print out a record and hand it off.
"Where it gets really sticky is knowing whether an authorization is required or not," she says.
Paulson says it's up to individual organizations to set policies and thresholds about non-HIM departments releasing information.
"As an HIM person, I would set that threshold quite high," she says. "I would say that you can release to the patient or their legally authorized representative. I would be hesitant to allow them to release to anybody else."
She adds, "I think between healthcare organizations for continued care is appropriate … I would limit it to that."
That's because non-HIM staff, including clinicians, typically don't know all the ins and outs of PHI disclosure rules.
"There's always exceptions within the regulations and they're not in a position to know them," Paulson says.
Still, it's important to train staff regularly, and to include everyone who has contact with patients in that training, from clinicians to receptionists.
By setting strict limits for non-HIM staff, "then your training can be targeted to what is approved for them to release," she says.
She says training is required annually for an effective compliance program, but typically, such training doesn't include enough information to guide clinicians and others about releasing PHI.
That's why additional outreach is needed.
Paulson points to her former role as assistant director of HIM at UW Health, where the HIM team attended clinician staff meetings, conducted clinical site lunch-and-learn sessions, and recorded webinars that were built into orientation requirements for new hires. They could also direct their efforts toward specific questions and struggles of non-HIM professionals.
"This was a high priority for us, and our HIM department did significant training with our clinical folks," Paulson says. "I believe it's really built into the culture."
She notes several examples of tricky issues that often come up in PHI release requests, such as subpoenas and court orders, which often get served to clinical areas.
Workers' compensation carriers might call asking for status updates or records.
Paulson says that the most important takeaway is this: If there's anything they're not absolutely sure of, non-HIM departments should not handle the request themselves. When in doubt, send the request to HIM.
"I think the fundamental privacy and security of PHI should be on everybody's radar," she says.
Alexandra Wilson Pecci is an editor for HealthLeaders.