Doctors, medical practices, hospitals and other healthcare providers must properly maintain the records of patients, primarily to ensure the best treatment and care for patients. Proper management of medical records also provides other advantages: it helps with the scientific evaluation of patient profiles, the analysis of treatment results, and the planning of treatment protocols. To conduct medical record review for attorneys, the first step is to collect the medical records from various provider facilities and medical record custodians. Physician practices also receive medical record release requests from various sources. Medical records serve as crucial evidence in medical malpractice and negligence cases.
Healthcare providers are required to comply with HIPAA regulations and to ensure proper management of patient records to avoid legal hassles. Here are some legal errors that practices usually make in handling medical records and need to avoid.
Not Handling Confidential Information Properly
In most states, additional protection is recommended to secure certain patient information, such as reports of conditions including HIV/AIDS, sexually transmitted diseases, substance abuse, or mental health and psychiatric disorders. To release such highly confidential information, more detailed and specific written consents and authorizations are vital. Such medical records need appropriate protection, and unauthorized release of patient information could lead to even greater civil and administrative liabilities. As hospitals and health systems are responsible for protecting the privacy and confidentiality of patients and patient information, they must make sure that their employees are properly trained on the handling and release of confidential patient data.
Poor Management of Old Medical Records
Failing to properly store, retain, and dispose of old medical records could lead to privacy violations and severe legal consequences. Most state laws require hospitals to maintain patient records for at least six years from the date of the patient’s last visit. It is more important than ever for practices to develop policies and procedures for the appropriate storage, retention, and destruction of patient medical records and to ensure that their employees are well trained on such policies.
Not Responding to Subpoenas
A subpoena is a request for the production of documents. Failing to respond to subpoenas can result in the lawyer or law enforcement agency approaching the court and reporting that the practice failed to respond.
When responding to a subpoena, make sure to determine whether it came from a federal or state court or a law enforcement authority, such as a U.S. attorney’s office, and confirm that it is signed by a judge or magistrate. The hospital can comply with such a subpoena without obtaining the patient’s permission. At the same time, PHI (Protected Health Information) cannot be provided in response to an attorney’s subpoena unless the patient has provided permission. When complying with a subpoena, make sure to provide only what was requested. A hospital can develop a form letter for responding to subpoenas that summarizes the HIPAA rules as they apply to subpoenas, along with information about specially protected documents and any state rules that may apply.
Not Obtaining Proper Authorization to Release Patient Records
Medical practices frequently receive medical record release requests from diverse sources: attorney letters, subpoenas or even patients themselves. In addition to HIPAA privacy regulations, practices have to adhere to the relevant state’s laws and regulations, which require written authorizations for the release of patient records or other information in a number of situations. Often, written consent is not required for the release of patient data for treatment, payment, or healthcare operations. Failure to comply with these laws and regulations can lead to severe consequences such as civil lawsuits for breach of privacy or even administrative action by state and federal agencies.
To avoid any such issues, providers and their staff must be properly trained and educated on applicable state and federal laws on proper release of patient information and medical records. Adhere to standard protocols when releasing patient records.
Not Adhering to HIPAA Privacy Rule
The U.S. Department of Health & Human Services (HHS) explains that with limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, PHI (the medical and health information) about them in one or more designated record sets maintained by or for the individuals’ health care providers and HIPAA-covered health plans. Providers failing to observe the technical requirements associated with these patient rights may find themselves at risk of unintended HIPAA violations.
Practices must make sure that physicians and their staff are well trained on the various patient rights under HIPAA.
Improper Telephone Disclosures of Patient Information
Even though the telephone is now widely used in the delivery of healthcare, PHI exchanged during a telephone call is subject to the HIPAA Security Rule. However, privacy violations and improper disclosures of patient information are more likely to occur during such telephone conversations if the staff fail to properly identify the individual to whom they are speaking and confirm that the individual is authorized to receive the patient’s information. In such cases, practices can consider implementing policies and procedures for their staff to follow when making telephone disclosures of patient information. The staff should verify that callers, whether by telephone or in person, are who they say they are.
Not only medical practices but also law firms, insurers and anyone else dealing with patient records need to follow HIPAA privacy rules along with the relevant state laws and regulations. Attorneys collecting medical records for litigation purposes can consider professional medical review solutions from experts to understand the details of the case and determine its strengths and weaknesses.