At DataFile, we are often asked to moderate discussions about Release of Information. While there are certainly many gray areas of conversation to be enjoyed on this topic, one of the frequent questions we receive is the following:
“Can we release medical records from ‘outside’ providers in response to a request for medical records?”
The above question usually is more complex than simply answering “can we”, and leads to many scenarios for which we must determine that the extended question really is: Should we? Do we have to? Can we choose not to? Are we ALLOWED? Are we OBLIGATED?
I’ll start with the least helpful, most irritating answer to the question and expand from there: IT DEPENDS!
The answer DEPENDS on how you define your Designated Medical Record Set (DRS). Better yet, the answer DEPENDS on how your documented HIPAA policies define your DRS (Designated Record Set).
45 CFR 164.501 states a Designated Record Set is:
“a group of records maintained by or for a covered entity that is:
i) the medical records and billing records about individuals maintained by or for a covered health care provider;
ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
iii) used, in whole or in part, by or for the covered entity to make decisions about individuals.”
If you have a special “Outside Correspondence” section in your medical record chart, and your HIPAA policy states that your organization does not use this information for any of the above (3) items, then you are NOT OBLIGATED to release this information. However, should you have a properly authorized request that would include requesting this information, for instance a specific date range, then you are ALLOWED to release this information. Furthermore, because you’ve chosen to retain the information, should you be served a properly executed court order subpoena, you would be OBLIGATED to release this information.
However, additional concerns come into play when/if the “Outside Correspondence” section is accessed and any of the information in that section is “used in whole or in part by or for the covered entity to make decision about individuals.” (iii) from the above 45 CFR 164.501. That information now needs to become part of the DRS and be moved outside this section and into a section of patient chart that is part of the DRS. We’ve seen situations where this is not understood or policed properly, especially in an EMR setting.
Often a patient will hand deliver information to you from another provider. It is advised that you determine exactly which of this information you will keep and add to your DRS and which information you will not. For the information you are not incorporating into your DRS, it is suggested that you give the information back to the patient and not retain it at all. It is not recommended that you accept the information and discard (meaning you do not add it to your DRS) without alerting the patient, because it could be assumed by the patient that you kept the information and incorporated the information for their future care.
Correspondence that you receive in response to your referrals or orders should be part of your designated medical record set and therefore you would be OBLIGATED to release with a properly executed request for medical records. We have often heard practices misinterpret their obligation to release records from other providers. In most situations the ethical and legal obligation of reconciling referrals and orders would naturally place this information in your DRS, therefore, you are OBLIGATED to release this information.
Finally, if you have information in a patient chart and you cannot locate current properly executed HIPAA compliant documentation that clearly states this information is NOT a part of your DRS, OR you cannot determine with absolute certainty that this information was NOT used in one of the (3) manners defined by 45 CFR 164.501, then you must consider it part of your DRS, which in turn ALLOWS you to release the information and furthermore OBLIGATES you to release the information.
Have a specific release of information question? Contact the experts at DataFile, and you may see the answer featured on our blog! Don’t forget to check out our other release of information resources and electronic release of information services on our website.