Releasing Protected Health Information

Samantha Starkey
September 17, 2016
HCR/210
Instructor Burkey

Security and privacy are one of the biggest concerns when it comes to medical records.
There is personal information in medical records and patients have the authority to consent to or
to not consent to anyone seeing those medical records, with a few exceptions. Patients also have
the right receive a Notice of Privacy Practice (NPP). Which describes how the provider or
health plan are going to use or disclose your personal, protected health information (PHI). The
HIPAA Privacy rule uses the term consent and authorization which are two terms that are
similar but describe very different degrees of patient control. Authorization is much more
formal than consent and involves a patient granting signed permission. For example, a covered
entity may, but doesnt have to, get authorization for the patients health information (PHI) for
treatment, payment, and health care operations. When it comes to obtaining consent, covered
entities have a lot of discretion, and even if the covered entity chooses to obtain consent, it may
be very formal (HIPPA,1969). So it is important that patients are aware of exactly what to do
and to be assured their information is private, especially if they do not give consent for the
release of their medical records.
Protected health information, also known as PHI, is information that identifies the patient
such as the patients name, address, birthdate, etc. In most cases, covered entities are required to
obtain an individuals authorization prior to disclosing their health information, and HIPPA
established specific requirements for an authorization form. According to HIPPA privacy and
security provisions, patients have the right to an expectation of privacy regarding their privileged
communication, which means information cannot be disclosed without authorization. As well as
security safeguards that must be implemented to ensure facilities, equipment, and patient
information are safe from damage, loss, tampering, thief or unauthorized access (Green &

Bowie, 2005). HIPPA stands for Health Insurance Portability and Accountability Act and it
protects patients from fraud or abuse when it comes to health insurance or the delivery of health
care. This Act was passed by Congress in 1996 and became effective July 1, 1997.
There are certain people who can access medical records and other information without
the patients consent such as military, national security, correctional institutes and a few other
government agencies, but the patient should still be made aware of how and why their
information is being used. State and federal government agencies that process claims related to
medical records may request someones records for the purpose of verifying that persons claims.
This includes insurance companies, employers, banks and financial institutions, researchers, and
if an individual is involved in a court case, then health records can be subpoenaed and case
available to the public. Some government agencies are able to access records without consent
especially if the patient receives Medicare, Medicaid, SCHIP, SSI, workers compensation or
local, state, or federal assistance. And also, the Office of Civil Rights (OCR) of The United
States Department of Health and Human Services (HHS) has access to medical records if they
are part of a claim being investigated (PRCH, 2012). On the other hand, agencies like the
Department of Social Services and The Bureau of Disability Determination, do have to receive
the patients authorization before they can access their medical records or any personal
information.
There are certain exceptions that allow legal agencies and representatives to access
medical records without getting patients consent first. Medical records can be released if
ordered by court, health agencies, or by law enforcement agencies with a valid subpoena or legal
order, and may be required in certain situations (PRCH, 2012). An employer can access medical
records without authorization but only if it is work related, for example a work related injury or

illness, otherwise they have to have consent. Even health care providers have to request
authorization of a PHI, and the only person that has an exception to that is, the patients direct
care giver. Law agencies are allowed access to a persons PHI, only in the situation of abuse,
neglect, domestic violence, or if the patient is involved in a court case. And again, the patient
must be informed of how and why their information is being used, unless it could put the patient
in danger.
As far as clinical researchers accessing medical records, in most cases, medical
professionals who are working on a research study do have access to patients medical records
and PHI but there are some regulations and exceptions. Authorization is required if the research
has to do with the actual treatment of a patient unless the researcher is involved in the direct care
of that person. One of the permitted exceptions applies to protected health information created
or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule
permits the individuals access rights, in these cases, to be suspended while the clinical trial is in
progress, provided the research participant agreed to this denial of access when consenting to
participate in the clinical trial (OCR, 2002). And the researcher must inform the patient that
they will have their rights back as soon as the clinical trial is completed.
Every person has a right to their own PHI but there are some exceptions. A patient can
obtain a copy of their PHI to examine it or to just have a copy of it unless it includes things like
psychotherapy notes, any information that is being used in a criminal, civil, or administrative
action, or if the PHI is maintained by a covered entity that is subject to The Clinical Laboratory
Improvements Amendments 1988 (CLIA) (Green & Bowie, 2005). Realistically, the only
person that can give consent is the patient themselves but under some circumstances people such
as a legal guardian, parents, or the agent of a minor can give authorization if needed.

As stated before, there are different situations where authorization for a patients PHI is
required and some situations where authorization is not needed. I do believe that safeguards are
in place to protect the privacy of patients but it is important that patients are made aware of when
and how their information is being used, especially in situations like research or when some
government agencies access them.

References

Green, M.A. & Bowie, M.J. (2005) Essentials of Health Information Management.
Office of Civil Rights (OCR). (2002) HIPPA Privacy Rule. Retrieved from

http://www.hhs.gov
Privacy Right Clearinghouse. (1969) HIPPA Privacy Rule. Retrieved from

http://www.privacyrights.org
Privacy Right Clearinghouse. (2012) How is your medical information used and
disclosed with and without consent. Retrieved from http://www/privacyrights.org