The Medical Authorization Process Under HIPPA: Protection or Burden?
We will not accept the authorization for the release of medical records that you had your client complete; he must complete our authorization instead, because of HIPAA. “The patient must physically come to our office and sign our authorization in person in order for our office to release medical records to the patient or anyone else because of HIPAA. “I can’t talk to you at all about your client’s health condition because of HIPAA. These are common phrases I have heard from health care providers when trying to gather evidence for a client’s case.
The word “HIPAA” has become synonymous with patient privacy. This privacy concept comes from the Privacy Rule, which developed out of a Congressional mandate for the adoption of Federal privacy protections for individually identifiable health information. In the Administrative Simplification provisions, Sections 261-264, of the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, Congress directed the Secretary of Health and Human Services to establish these Federal privacy protections.
The HIPAA Administrative Simplification provisions directed the Secretary of Health and Human Services to adopt national standards for electronic health care transactions. To ensure that this new information sharing would not jeopardize patient privacy, Section 264 of HIPAA directed the Secretary of Health and Human Services to establish Federal privacy protections for individually identifiable health information. Thus, the Secretary drafted the Privacy Rule and required compliance, for most covered entities, by April 14, 2003. Covered entities include health plans, health care clearinghouses, and health care providers.
According to the Privacy Rule, a valid authorization for the release of protected health information is required when an attorney is requesting his client’s medical information from a health care provider. See 45 C.F.R. § 164.508 (2003). The general requirements for a valid authorization include:
- a description of the protected health information to be used or disclosed
- the names of person(s) or class of persons authorized to make requested use or disclosure
- the names of person(s) or class of persons to whom the covered entity may make the requested use or disclosure
- a description of each purpose of the requested use or disclosure
- an expiration date or expiration event
- the patient’s signature and date
- notification to the patient of his right to revoke, how to exercise that right, and the exceptions to the right to revoke
- notification of the ability or inability to condition treatment, payment, or enrollment for benefits on signing the authorization
- an explanation of the potential for the information to be disclosed to another by the recipient and no longer be protected
Although these authorization rules may be followed by an attorney’s office, it does not guarantee cooperation from health care providers. Any attorney, or support staff, who has attempted to gather a client’s medical documentation to prove his case has undoubtedly heard the phrase “HIPAA” countless times, as a rebuttal to providing documentation.
Some may say that the Privacy Rule has empowered patients to have more control over their health information. However, the way the Privacy Rule functions in the attorney-client context is anything but empowering, because clients who want their attorneys to have unlimited access to their health information are burdened by the barriers their health providers place on the collection of this important information. Fear of penalties, misunderstanding of the Privacy Rule, and possibly a general dislike of the legal profession may all contribute to the apprehensiveness or unwillingness of certain health care providers to assist a law office with the development of a client/patient’s case. Whatever the rationale may be, this lack of cooperation can disadvantage a client’s case by delaying the receipt of essential evidence.
One example of how this lack of cooperation can disadvantage a client’s case occurred when our office was attempting to gather medical records from a hospital for a Social Security Disability case. These records illustrated when and how our client began suffering from auditory hallucinations, paranoia, and depression. The client spent a week at the hospital in an attempt to stabilize her psychiatric symptoms. These records were imperative for proving to the administrative law judge that this client was no longer able to work due to the onset of her mental conditions.
Our office went through the standard process of calling the hospital to inquire as to where to send a request for medical records. We prepared a detailed request and sent it to the medical records department along with a HIPAA compliant authorization that we had our client review and sign. In response to this request, the medical records department refused to accept our authorization and informed us that a hospital authorization would need to be completed by the patient (even though it is extremely difficult to even get this client to answer her telephone, let alone fill out more paperwork). The client also had a disability advocate, who in the meantime hand delivered a request for medical records. When she followed up with her request, she was informed that there was no record of such a request.
Our office continued to attempt to receive these much-needed records. We made sure all of the requested paperwork was completed and sent another request for medical records to the medical records department. We called their office daily to ensure that our second request was received and responded to. When we finally were told that it was received, we were informed that we were missing the required hospital authorization. We explained that the requested authorization was enclosed and that now the hearing was quickly approaching, so we needed their assistance with this matter. We spoke with the supervisor who could not assist us further because of “HIPAA”. The department would not expedite the process in any way and their only suggestion was to resend everything again and then wait to see what happens.
Since we had our client’s interest in mind and wanted to make sure the judge had ample time to review these important medical records prior to the hearing, we were forced to go beyond the medical records staff and talk to hospital administration. After several telephone calls and letters, we were able to set up a time to pick up these medical records. We were glad we went through all of the trouble of obtaining this documentation because we ultimately won the case for the client and these records assisted us in proving the elements of her case. However, our office was forced to spend a great amount of time and energy conducting the seemingly simple task of gathering a client’s medical records. This type of delay obviously can have a negative financial impact on a client and could be extremely detrimental to a client’s case. Unfortunately, this hospital staff’s behavior is just one example of how some health care providers function under the guise of protecting patient privacy.
Although it would be ideal for patients to be able to gather their medical information without the assistance of an attorney, often times it is necessary for an attorney to handle this part of the legal process on behalf of their clients (e.g., handling disability cases where a client has difficulty remembering tasks or physically visiting a doctor’s office).
Attorneys are required to provide diligent representation to their clients and need the cooperation of health care providers to meet this obligation. Although the protection of patient privacy is clearly an important goal, in practice it appears that the real world application of HIPAA’s Privacy Rule is more of a burden on clients and their counsel than a protection of clients’ rights.
By: Samantha Bogin, Esquire and published on July 10, 2006 in The Legal Intelligencer.