Policy: Authorization to Release Patient Information | |
Policy Number: 501 | Policy Section: Health Information Management |
Owner: Trevor Purifoy | Approved By:David Katcher, COO |
Effective Date: 2/4/2022 | Date of Last Review: 12/20/24 |
SUD Specialty Group – CA, Mental Health Specialty Group, P.A., Mental Health Specialty Group NJ, PC, and Mental Health Specialty Group KS, P.A. (collectively, “Group”) contracts with Path, CCM, Inc. d/b/a Rula (“Rula”) for management and administrative support services. Each entity within the Group and Rula may be referenced herein as a Company and, collectively, as the Companies. This policy applies to all of the Companies.
Policy Statement
This policy outlines the process for the use and disclosure of protected health information (PHI) pursuant to a written authorization.
Applicability
This policy applies to all team members who have access to and are authorized to release patient-protected health information. For purposes of this policy, the Group’s and Rula’s team members include individuals who would be considered part of the workforce such as employees, independent contractors, business team members, and other persons whose work performance is under the direct purview of Rula or the Group’s business practices.
Definitions
Protected Health Information (PHI): is a subset (record or transmission) of health information, including demographic information collected from an individual.
Use: is the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within Rula, or by a Business Associate of Rula.
Disclosure is the release, transfer, provision of access to, or divulging in any manner of PHI to persons not employed by or working within Rula with a business need to know PHI
Qualified service organizations: an organization that provides services to a 42 CFR Part 2 program and has a written agreement with Part 2 program that acknowledges that the organization will uphold the 42 CFR Part 2 regulation and the organization agrees to assist with any judicial proceedings to gain access to patient records bound by 42 CFR Part 2.
Reproductive healthcare: healthcare that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.
Policy
- Release of Information (ROI) Authorization
- A written release of information form is required to be completed prior to the use and/or disclosure of PHI unless an exception exists or the use and disclosure is otherwise permitted pursuant to the Notice of Privacy Practices or required by law. The Privacy Officer can determine whether an authorization is needed prior to the release of information.
- ROIs must consider both HIPAA and 42 CFR Part 2. The Notice of Privacy Practices details when information can be released without an authorization.
- PHI may be disclosed without authorization when 42CFR Part 2 does not apply, if the disclosure is:
- Requested by the client and/or their personal representative.
- For the purposes of treatment, payment or operations. See HIPAA Patient Privacy and Confidentiality policy for more information.
- To the Secretary of Health and Human Services for the purpose of determining compliance with the HIPAA Privacy Rule
- Required by state or federal law
- In the event of an emergency
- Other public health interest activities
- When reporting child abuse or neglect when required by state law
- When 42 CFR Part 2 applies, the exceptions for releasing information without a signed authorization are as follows:
- Internal communications with those who need to know
- Pursuant to a court order
- Medical emergencies (disclosure must be documented), or when there is a declared natural or other major disaster
- To report a crime or threats against law enforcement
- To report child or elder abuse or neglect when required by state law
- Auditing activities related to Part 2 programs by the government, payers, or other lawful entities
- For research purposes
- To a qualified service organization
- PHI may be disclosed without authorization when 42CFR Part 2 does not apply, if the disclosure is:
B. Attestation for Release of Information Potentially Related to Reproductive Healthcare
- A separate attestation is required when a request is received for PHI potentially related to reproductive healthcare, and the request is related to one of the four types of uses/disclosures under the Privacy Rule: health oversight activities, certain law enforcement uses, judicial or administrative proceedings, or disclosures to coroners and medical examiners regarding decedents. Rula will request this attestation from each requestor, other than the patient.
- The requestor must attest that the request for PHI is not for any of the following prohibited purposes:
- to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive healthcare.
- to impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive healthcare.
- to identify any person for any purpose described in a or b.
C. The provision of treatment is not conditioned on the receipt of an authorization or attestation except in the following limited circumstances:
- The provision of research-related treatment, or
- The provision of healthcare that is solely for the purpose of creating PHI for disclosure to a third party (i.e. performing an independent evaluation at the request of an insurer or other third party)
D. When a request to release information is received, the Privacy Officer, or authorized representative, will ensure that the authorization and attestation forms are necessary, valid, and complete (including necessary signatures).
- If the authorization and attestation forms, where required, are valid, records will be released within 30 days of the request. If more time is needed, the patient or requestor will be provided with written notification and the reason for the delay. Thirty (30) additional days can be taken to complete the request.
- If the authorization and/or attestation is not valid, the requestor will be notified of the missing elements.
- A new attestation is required for each specific use or disclosure request for reproductive healthcare PHI.
- Disclosure of the reproductive healthcare PHI may not be made if the requestor indicates that the PHI requested is for a prohibited purpose as described above unless the requestor supplies information that demonstrates a substantial factual basis that the reproductive healthcare was not lawful under the specific circumstances in which it was provided.
- If, during the course of using or disclosing reproductive healthcare PHI in reasonable reliance on a facially valid attestation, Rula discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure for a purpose prohibited under § 164.502(a)(5)(iii), Rula must cease the use or disclosure of that information.
- It is preferable, but not required, that the requester use the Rula Authorization for Release of Information form when requesting records be released.
- It is preferable, but not required, that the requester use the Rula Attestation for Release of Information Potentially Related to Reproductive Health form. If a non-Rula attestation is utilized, it must meet the requirements set forth in 45 CFR §164.509. The Privacy Officer or designee can determine whether a completed form is valid. The attestation must:
- Be written in plain language.
- Verify that the use or disclosure is not otherwise prohibited by 45 CFR §164.502(a)(5)(iii) related to the use and disclosure of reproductive healthcare PHI.
- Include the following elements:
- Description of the information requested that identifies the information in a specific fashion (name of individual or description of class of individuals),
- Name, class, or other specific identification of the person(s) who are requested to make the use or disclosure.
- Name, class, or other specific identification of the person(s) to whom the covered entity is to make the requested use or disclosure.
- Clear statement that the use or disclosure if not for a purpose prohibited under 45 CFR §164.502(a)(5)(iii).
- Statement that a person may be subject to criminal penalties pursuant to 42 USC 1320-d if that person knowingly and in violation of HIPAA obtains individually identifiable health information to another person.
- Signature of person requesting the PHI. If the attestation is signed by a representative of the person requesting the information, it must also contain a description of the representative’s authority to act for the person.
- An Authorization for Release of Information or Attestation for Release of Information Potentially Related to Reproductive Healthcare form cannot be modified after the patient or the patient’s authorized representative signs it.
- The Authorization for Release of Information form and Attestation for Release of Information Potentially Related to Reproductive Healthcare will be part of the patient’s designated record set.
- It is not permissible to request the patient sign a blank Authorization to Release Patient Information form to be filled out at a later time.
D. Revocation of Authorization for Release of Information
- A patient may revoke an authorization at any time in writing.
- Upon receipt of the written revocation, the Privacy Officer or authorized team member will write the effective date of the revocation on the original Release of Information form.
- Upon receipt of the written revocation, a patient’s PHI will no longer be used or disclosed pursuant to the authorization.
- The revocation will become part of the patient’s designated record set.
Attachments