You may not think much about medical records requests. Why should you? That’s why you have staff, after all.

And what’s to know, anyway?

More than you might think.

For starters, the HIPAA privacy regulations are loaded with nuances; you need to deal properly with them or risk or even (in extreme cases) jail time.

Also, new kinds of record requests have created novel challenges for practices just trying to keep up. Self-insured employers, for example, are becoming increasingly assertive about asking for take-backs and claims documentation. More and more health plans are auditing records for risk adjustment purposes or pay-for-performance programs. Medicare’s new “recovery audit contractors” are gearing up for a national assault. And while patients have always requested their records — when, say, they transfer to other practices or see specialists — don’t be surprised if some begin asking you for clinical data to include in their Web-based personal health records.

A more complicated task than in previous years? Yes. But not insurmountable. First, relax. You probably won’t go to jail: No physician has ever done time for a HIPAA violation and, indeed, enforcement, while likely to get a little tougher in coming years, has been pretty light thus far.

Next, check out our guide to fielding record requests in a litigious, privacy-obsessed society.

Attorneys

Unless you’re in a specialty that invites med-mal suits, such as OB/GYN or neurosurgery, you probably hear from malpractice attorneys rarely, if at all. But likely, you are pinged for record requests from lawyers for auto insurers and for people who have been injured on the job.

Such requests are fairly simple to process: Require the petitioner to submit the request in writing, accompanied by a signed patient consent form.

HIPAA allows the disclosure of patient records without specific patient permission only for purposes of treatment, payment, and operations (although this “TPO” exclusion has some tricky aspects we’ll discuss later). But if you have your patients sign a HIPAA privacy notice, you’re generally covered when you share records with payers and with other providers for purposes of patient care. Almost all other requesters must get the patient’s permission to view that patient’s records. If a request comes in without a patient consent form, says internist Greg Hood of Lexington, Ky., send it back without even indicating whether the person referred to is your patient.

A malpractice attorney may request records as part of pretrial discovery or before a suit is filed. In the latter situation, the lawyer is doing this because he may not yet know if he has a case or he may not know whether to include you among the defendants.

Normally, signed patient consent forms accompany these requests, says Steven Kern, a healthcare attorney in Bridgewater, N.J. If so, you must yield the records within 30 days in most states. However, some legal requests arrive with a subpoena signed by the attorney. Such a subpoena might just ask for records or it might also require you to appear at a deposition.

Take a good look at the subpoena before just handing over your patient’s records, though. Who signed it? Lee Johnson, an attorney and malpractice expert in Mount Kisco, N.Y., says the only true subpoenas are those signed by judges; subpoenas signed by attorneys don’t have the force of law. But a lawyer could easily get a judge to sign a subpoena if a physician doesn’t comply with his request, she notes.

Kern and Johnson agree that if you do receive a subpoena, then get legal advice. Kern suggests you consult your own lawyer first. If you have no liability, he says, going straight to your med-mal carrier will just lead to a higher malpractice premium. Johnson, on the other hand, advises that you contact your insurance company immediately. While there’s a chance your insurance rate might rise, she says, not notifying the insurer could result in a denial of coverage if you are sued.

What should you do if a codefendant’s lawyer asks you for patient records? Don’t share them if the suit has not yet been filed, says Johnson. Without your patient’s permission, it would be a HIPAA violation to show the records to another physician’s attorney before a suit is filed. After the complaint has been made, you’re allowed to send the records to your own lawyer and your malpractice carrier without the patient’s consent. But revealing them to codefendants would violate HIPAA and might compromise your legal position, she says.

Health plans

Health plans can audit your records at any time under the terms of their contracts with you. They also have patient consent by virtue of the forms that their members sign when they join the plan — and you have your HIPAA privacy notice.

In most cases, plans will examine claims data to determine whether they have a reason to audit your records. But some carriers want to see a random sample of charts at regular intervals. Aside from quality improvement efforts, the plans that do this are usually Medicare HMOs that are trying to establish the severity of your case mix so they can get higher payment rates from CMS.
