HIPAA Privacy & Security: How Can Providers Legally Share Children’s PHI?

As summer begins, those healthcare providers caring for the pediatric population can expect to see more of this patient cohort as schools close and extended playtime begins. Subsequently, clinicians will also find themselves being asked for the release (ie, disclosure) of protected health information (PHI) associated with a minor. Now is a good time to review who may request disclosures of PHI, what is to be included in such disclosures, how to respond to record requests, what kind of records should be maintained in advance of these requests, and what restrictions can be put on these disclosures.

Who May Request Disclosures? 

A “personal representative,” defined as one with authority under state law to make healthcare decisions for an individual, may request disclosure of patient records. For minor patients, this typically means a parent, a guardian, or another person acting in place of the parent (eg, when the state has custody). The HIPAA Privacy Rule allows a covered entity (CE [ie, healthcare provider]) to disclose PHI to the personal representative, though state laws address the issue of access to health information of minors. State law must be consulted to determine the authority of the representative to have access to a minor’s health information. The HIPAA Privacy Rule specifies circumstances in which the parent does not have access to the health information of a child. First, if a minor can access services without parental consent under state law, the parent does not control the PHI related to that care. Second, if a parent agrees that a child may have a confidential relationship with a provider, the parent does not have access to records related to that care. When a provider believes the unemancipated minor has been subject to domestic violence, abuse, or neglect by the personal representative, or if treating a person as an individual’s personal representative could endanger the minor, the provider may choose not to treat the person as the personal representative.  

What’s Included in the Disclosure? 

The patient or his/her personal representative has access to health records in the designated record set (DRS), a group of records maintained by or for a CE that includes: 

• medical records such as the medical file, clinical lab test results, medical images (eg, X-rays), and clinical case notes;
• other records that are used, in whole or in part, by or for the CE to make decisions about individuals;
• billing records; and
• enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan.

Patients or their personal representatives do not have access to information that’s not part of the DRS, as it is not used to make treatment decisions. Examples of this include quality assessment or improvement records; patient safety records; and business planning, development, and management records that are used for business decisions rather than to make decisions about individuals. Additionally, patients or their personal representatives do not have access to psychotherapy notes (as defined by the regulations), or information compiled in reasonable anticipation of a civil or criminal proceeding or other administrative action. This includes the right to inspect the PHI, obtain a copy, or both. Patients and their personal representatives also have the ability to request that a provider transmit this information to a person or entity of their choice. They have the right of access to this PHI for as long as the information is maintained by a CE or a business associate,¹ regardless of when it was created or how it is stored.   

What is the Time frame to Respond to Record Requests?  

A CE must provide access to the requested PHI no later than 30 days of receiving the individual’s request, though sooner if possible. To extend the time, a CE must, within the first 30 days, inform the individual in writing of any delay and the date by which they will be provided access. Only one extension of time is permitted. State law may also specify a time frame; the shorter time frame applies.  

What Type of Request is Needed?  

A CE may require individuals to request access in writing. CEs may also offer individuals the option of using electronic means to make records requests, such as by email or secure web portal. One may require individuals to use his/her own records-request form as long as it does not create a barrier or delay to access. State law may have specifications regarding release of information requests.  

How do I Verify the Identity of Who is Gaining Access?  

A CE is required to take steps to verify the identity of an individual making request for access to records, but there are no mandates as to how to do this. The CE may request to see proof of a driver’s license, date of birth, home address, etc., as long as the method does not provide barriers or unreasonable delay. Note: CEs may not require an individual to physically come to the office to request access and provide proof of identity in person,² nor may they require use of a web portal. Requiring the mailing of an access request would be considered an unreasonable delay to access. 

How must I provide access?

CEs are required to provide the individual with access to PHI in the form and format requested, if it can be readily produced in that form and format. If not, a readable hard copy or other form and format can be agreed upon by the CE and individual. If a CE maintains electronic records and the individual requests access in a particular electronic form or format (and it is readily producible in that format), the CE should comply. If not, an agreeable alternative should be reached.  

May I Deny Access for Records?  

In some circumstances, a CE may deny access to all or a portion of records. Denial decisions regarding psychotherapy notes, some inmate requests, or a research project still in progress, or if the requested PHI was obtained by someone other than a healthcare provider under the promise of confidentiality, may not be appealed. However, when the CE believes divulging records may endanger the life or safety of an individual or another person, the CE may appeal grounds for denial. Individuals may not be compelled to reveal the reason for requesting access. Denials must be made in writing no later than within 30 days of the request.  

May I Re-disclose Records Received from Other Providers?  

If the records were made part of the original DRS, they may be disclosed. Check state law with regard to psychotherapy and alcohol/drug abuse records for any restrictions of this data. The CE may divulge this re-dislosed information utilizing the minimum necessary standard.  

May I Charge a Fee for Records?  

State medical records laws typically designate what a CE may charge for copies of records. HIPAA allows CEs to charge a “reasonable, cost-based fee” for materials, postage, and labor. CEs should charge whichever fee is lower.  

Must I Track Records I Release? 

HIPAA requires CEs to track disclosures of PHI and to provide individuals with an accounting of disclosures (AOD) to their records for the six years prior to the date of their request. The AOD must include the following information³:

• date of the disclosure;
• name of individual or entity receiving the information and their address, if known;
• brief description of the PHI disclosed; and
• brief statement of the purpose of disclosure (or a copy of the individual’s written authorization, or a copy of the individual’s written request for disclosure).

Multiple disclosures to the same party for a single purpose (or pursuant to a single authorization) may have a summary entry, which includes information for the first disclosure, the frequency with which disclosures were made, and the date of the last disclosure.

Information that is excluded from the AOD is any PHI:

• prior to April 14, 2003, or prior to the entity’s date of compliance with the privacy standards.
• to law enforcement or correctional institutions, as provided in state law.
• for facility directories.
• to the individual patient.
• for national security or intelligence purposes.
• to people involved in the patient’s care.
• for notification purposes, including identifying and locating a family member.
• for treatment, payment, and healthcare operations.
• provided pursuant to an individual’s authorization.

CEs may use computerized tracking systems that have the ability to sort by individual and/or date, or they may maintain manual disclosure logs. Some providers use copies of authorization forms to track the majority of their disclosures.^4,5 Any CE has 60 days to respond to the request for an AOD, with one 30-day extension allowed. The individual must be notified in writing of any delay, the reason for the delay, and the date that he/she may expect the accounting to be provided.  

On the surface, disclosing records to the appropriate party seems to be a simple matter. Unfortunately, as with many things related to HIPAA, what would appear to be simple can be fraught with complications. Making appropriate disclosures and correctly accounting for them is critical to staying on the “right” side of the Office for Civil Rights (OCR) in the event of either a breach or a random audit of one’s practice. Disclosures and accounting for disclosures is an area of HIPAA the OCR tends to focus on during investigations. The information presented here, if followed, will ensure a “passing grade” for those who may come under any regulatory scrutiny. 

Roger Shindell is chief executive of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. Shindell currently is chairman of the HIMSS Risk Assessment Work Group and a member of the American Health Information Management Association’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindel@carosh.com.

References

1. Shindell R. How to prepare for new HIPAA privacy & security regulations in 2016. TWC. 2016;1(1):28-32. 

2. Individuals’ Right Under HIPAA to Access Their Health Information. HHS. Accessed online: www.hhs.gov/hipaa/for-professionals/privacy/guidance/access

3. HIPAA COW. Accessed online: www.hipaacow.org

4. Dougherty M. Accounting and tracking disclosures of protected health information (AHIMA practice brief). AHIMA. 2001;72 (10):72E-H.

5. Hecker L. HIPAA Compliance for Mental Health Professionals. Crown Point, IN:Crown Point Press;2016.