Confidentiality, Privacy and Security

Hospital Policy: Do Not Mail Copy of Records to the Patient

  • 1.  Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-05-2019 10:57
    Hi all

    Looking for advice.

    My mother who is 94 had an Emergency Room visit about a week ago.  She asked me to get copies of the ER visit, including labs and radiology results sent to her.  My mother is of sound mind.  I am not her POA.  I do have a durable POA for healthcare (not in effect).

    I just contacted the hospital's HIM department.  At first, I was told she would have to come to the department to complete the request form.  I explained that she was 94 and this was not practical.   They then wanted to fax me the form.  I don't have access to a fax machine.  They did agree to send the request form to my email.

    I was told that they would not mail records to patients.  I have to come to the hospital with I.D. to pick them up.  This requires a 1.5 hour round trip ride for me. I would be willing to receive the records via email (also willing to accept the risk of a breach).   I didn't pursue this option.  It seemed that picking the records up was the only option.

    Honestly, I just want to get the records that my mom wants.  I don't want to make a big deal of this. The hospital is a division of a large health system.  So, technically, an electronic transmission is feasible.   Does the following seem to be a reasonable approach?

    When I send back the signed request form, I was going to ask to have the records emailed to me and  provide a link to the OCR FAQ "Do individuals have the right under HIPAA to have copies of their PHI transferred or transmitted to them in the manner they request, even if the requested mode of transfer or transmission is unsecure?, 2060-Do individuals have the right under HIPAA to have copies of their PHI transferred or transmitted to them in the manner they request, even if the requested mode of transfer or transmission is unsecure?

    Thanks in advance for any advice.
    Maggie 

    https://www.hhs.gov/hipaa/for-professionals/faq/2060/do-individuals-have-the-right-under-hipaa-to-have/index.html




    ------------------------------
    [Maggie] [Foley]
    [Associate Professor]
    [Temple University]
    ------------------------------


  • 2.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-05-2019 11:29
    Good Morning Maggie,
    Did anyone provide you with a page count, number of images or how large the file was?  That may be part of system limitations perhaps.  Or it could have been a misinformed employee/volunteer on the other end of the phone who does not know what the system could do and is following a prescribed script.  See the innocence and maybe speak to a department supervisor/manger or department director.  Let us know how it goes!

    ------------------------------
    Pamela Kring
    Assistant Director
    ------------------------------



  • 3.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 08:37
    It is reasonable and aligned with HIPAA and a proper release to request an ID to validate this request. There were times when an elderly person was out in the parking lot and one of my staff members would go to the car to view and verify the identity of the patient, as well as the signature of the patient.
    There may be a patient portal at the facility and if so, this would be an easy, remote way of accessing these records. If the facility has an EHR, this is a reasonable request for them and approach that would meet everyone's requirements and needs.

    ------------------------------
    Denise Van Fleet, Program Coordinator, Bachelor Him Rasmussen College
    Former HIPAA Privacy Officer
    ------------------------------



  • 4.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 08:42
    So then the question becomes,  what do you do if the patient lives a long distance away and CAN'T go into the office to show ID?

    ------------------------------
    Mary Walters
    Health Information Technician
    ------------------------------



  • 5.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 08:49

    The facility must comply and follow HIPAA. A facility should not release records just to satiate a request for records if they must jeopardize their ability to comply fully with HIPAA. If the patient cannot get to the facility AND there is no patient portal to allow for an electronic viewing/access, then it may well be that the patient will not get their records.

     

    Denise VanFleet, MS, RHIA |Program Coordinator, HIM BS Program; Assistant Professor

    Rasmussen College - National Online

    Office: 630-366-2938

    Rasmussen.edu

     






  • 6.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 09:07
    ​Good Morning,
    In our opinion at our facility this would be considered creating an unnecessary burden on the patient , which could be viewed as a violation of hipaa privacy rights and the right of patient access . Many of our patients are compromised and cannot get to our facility to retrieve records.   Compliance for release must be balanced , and if all other avenues are exhausted, i.e. comparison of signatures, asking clarifying questions based on demographic or other information, then alternatives including on site pickup may occur with an authorized representative, but not through a careful vetting process for a patient centric alternative.  Coaching registration staff to fully complete demographic information, including an accurate email address is key, along with other identifiers.  All of these key informational points can assist to satisfy release protocols.

    I would consider the approach to demand a patient or authorized representative to come physically to the facility an unnecessary burden unless you have well documented reasons for doing so.

    ------------------------------
    Karen Lawler
    Corporate Him and Privacy Director
    Hospital For Special Care
    ------------------------------



  • 7.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-07-2019 10:26
    Yes, this is responsible and creative input on being 'patient centric'. Thank you for these thoughts on this topic.

    ------------------------------
    Denise Van Fleet, Program Coordinator, Bachelor Him Rasmussen College
    Former HIPAA Privacy Officer
    ------------------------------



  • 8.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-07-2019 10:19





  • 9.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 09:03

    I completely disagree with the statement that says "the patient may not get their records." That is completely unacceptable.

    When your mother was a patient, surely she was registered with her address. Why is it not possible for the hospital to accept her signature on the release form (compare it to when she was a patient) and then mail the records to her address?



    ------------------------------
    Kathryn Wood, RHIA
    Assist Dir of Information Systems/Privacy Officer
    War Memorial Hospital
    ------------------------------



  • 10.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 09:08

    I certainly cannot go through or project all the possibilities of a release. That is for the facility and the patient to work through. I am saying, however, that a facility must be able to confidently comply with HIPAA.

     

    Denise VanFleet, MS, RHIA |Program Coordinator, HIM BS Program; Assistant Professor

    Rasmussen College - National Online

    Office: 630-366-2938

    Rasmussen.edu

     






  • 11.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 09:28
    ​It is a balance, however offering no alternatives may be considered a barrier, I have redacted guidance from HHS:

    Verification

    The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access.  See 45 CFR 164.514(h).  The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver's license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI, as described below. Verification may be done orally or in writing and, in many cases, the type of verification may depend on how the individual is requesting and/or receiving access – whether in person, by phone (if permitted by the covered entity), by faxing or e-mailing the request on the covered entity's supplied form, by secure web portal, or by other means.  For example, if the covered entity requires that access requests be made on its own supplied form, the form could ask for basic information about the individual that would enable the covered entity to verify that the person requesting access is the subject of the information requested or is the individual's personal representative. For those covered entities providing individuals with access to their PHI through web portals, those portals should already be set up with appropriate authentication controls, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person seeking access is the individual or the individual's personal representative.

    Unreasonable Measures

    While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

    • Who wants a copy of her medical record mailed to her home address to physically come to the doctor's office to request access and provide proof of identity in person.
    • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
    • To mail an access request, as this would unreasonably delay the covered entity's receipt of the request and thus, the individual's access.;

    While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.



    ------------------------------
    Karen Lawler
    Corporate Him and Privacy Director
    Hospital For Special Care
    ------------------------------



  • 12.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-07-2019 13:24
    You have a right to get the records emailed to you. The access to medical records should be easy for the patient. According to OCR a patient should not be asked to make a long trip to get the records. I would send the link to   their privacy officer. It is time for them to be educated. Unfortunately I have encountered same issues. Too many providers don't understand HIPAA.






  • 13.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-06-2019 10:14
    Depending on their EMR, they may not be able to email the records you requested, but there is no reason under HIPAA they can’t mail the records to you - I would call the supervisor and request they be mailed due to how far away you live and your mother being unable to pick them up.

    Sent from my iPad




  • 14.  RE: Hospital Policy: Do Not Mail Copy of Records to the Patient

    Posted 08-08-2019 21:15

    Hi all

     Thank you all for the advice, the link to the "Unreasonable Measures" information and for the reminder to "see the innocence".    

     I was originally speaking to the department receptionist.  I was forwarded to the staff member who handles ROI who explained what I originally shared.

     I would be surprised if this request exceeded a page limit.  It was a fairly routine ER visit with a few labs and radiology tests ordered.  

     I just sent a scanned copy of the completed authorization form with the message below.  I will let you all know how I made out.

    Dear
    Attached please find a completed authorization signed by my mother, XXXX.

    Ideally, my mother would like:

    1. record emailed to XXXX@gmail.com.    If this is not possible,
    2. mailed to her home address. If this is not possible,
    3. Picked up by family member. Family member will show I.D. at pick up.

    Please see the information at the following link from the Office of Civil rights which indicates that a patient has a right to request to receive a record via email. My mother would assume the risk of a breach of information. https://www.hhs.gov/hipaa/for-professionals/faq/2060/do-individuals-have-the-right-under-hipaa-to-have/index.html (The following is an excerpt from this link: "Thus, a covered entity may not require that an individual travel to the covered entity's physical location to pick up a copy of her PHI if the individual requests the copy be mailed or e-mailed.")

    Please also see the information at the following link for Office of Civil Rights Guidance which describes "Unreasonable Measures" that covered entities may not employ when providing a patient access to their records https://getmyhealthdata.org/ocr-guidance-requests/

    The following are excerpts:

    Unreasonable Measures

    While the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

     -Who wants a copy of her medical record mailed to her home address to physically come to the doctor's office to request access and provide proof of identity in person.

    • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
    • To mail an access request, as this would unreasonably delay the covered entity's receipt of the request and thus, the individual's access.;

    While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

    I've added a notation onto the authorization, indicating that my mother authorizes the information to be mailed to her, picked up by either XXXX (son) or XXX (daughter) or to be mailed to my mother's home address. (This is the same address she used when she registered for the ER visit. I also believe my mom was seen a few years back at [Hospital Name] and would have used the same address at that time.)

    I think that my mother would have signed consent forms when she registered. So, her signature on the authorization form could be compared against her signature on consent.

    Thanks,

     



    ------------------------------
    [Maggie] [Foley]
    [Associate Professor]
    [Temple University]
    ------------------------------