Be sure your medical releases are HIPAA-compliant so you don’t violate federal law, WC folks.
Editor’s comment: This article applies to risk managers, TPAs and insurers across the country. We have received a number of inquiries recently about the required language in your medical releases. If you aren’t aware, U.S. law changed way back in 1996. All current medical releases needed to be updated to comply—a medical release that doesn’t comply with applicable federal law puts you at risk for litigation with your friends in the federal government.
We recently reviewed a medical release from a major U.S. TPA that is very well-known in this industry—their release clearly did not comply with federal law and they are unquestionably violating the law in all of their claims involving use of this release. We have told them it has to be updated. And we just reviewed a medical release from a major Illinois employer and immediately noted a number of deficiencies. We are pretty confident no one in these organizations took the steps necessary to comply with the law more than a decade ago. We have made detailed recommendation on how they should do so and hope they catch up before the Federales catch up first.
HIPAA (it is not HIPPA) is the Health Insurance Portability and Accountability Act. It was signed into law by President Bill Clinton on August 21, 1996. Most healthcare insurance companies and providers were to adhere to the HIPAA regulation guidelines by October 2002. The HIPAA law presents a multi-step approach geared to improve the United States’ health and WC insurance system. One approach of the HIPAA regulations was to protect patient privacy. This provision is in Title IV which defines rules for protection of patient information.
All healthcare providers, health organizations, and government health plans that use, store, maintain, or transmit patient health care information are required to comply with the privacy regulations of HIPAA. We also feel all Illinois and U.S. employers need to create a “HIPAA circle” of the managers who are able to receive, consider and disseminate private health information. To protect your organization, you should consider creating such a “circle” if you haven’t already done so. If you need guidance or counsel on how to set up a HIPAA circle in your organization, send a reply.
One easy step in analyzing all medical releases is to look and see whether the medical release provides the power of revocation. Older releases don’t have such language. Both of the organizations mentioned above presented medical releases that did not allow revocation. When we see a release that doesn’t allow for revocation, we then assume most of the other HIPAA requirements aren’t present.
Here are the HIPAA requirements right out of the applicable Federal Code:
A valid HIPAA authorization under this section must contain at least the following elements:
(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
Required statements In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
(i) The individual’s right to revoke the authorization in writing, and either:
(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by § 164.520, a reference to the covered entity’s notice.
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations In paragraph (b)(4) of this section applies; or
(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this rule.
Plain language requirement The authorization must be written in plain language. No one knows whether “plain language” relates to folks who have law degrees or folks whose highest grade level was junior high in rural Appalachia.
Copy to the individual If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.
If you need us to review your current medical release, we are happy to do so without charge—send it along. We appreciate your thoughts and/or comments or simply post them on our award-winning blog run by our Blogmaster, Arik D. Hetue at www.keefe-law.com/blog
