How open are an American's medical records?


Derleth
05-26-2008, 02:52 AM
OK, I know that HIPAA precludes an American's medical records from being given out willy-nilly to non-medical people that person doesn't know. But does every physician that person sees have complete access to their records? Does a podiatrist have complete access to their psychiatric records? Can a cardiologist find out they had an abortion from reading their records? What if a physician outright refuses to treat anyone who has had an abortion in the past? If they've ever been prescribed psychiatric medication?

mks57
05-26-2008, 04:31 AM
Your questions seem to presume the existence of some centralized repository of medical records for the patient. I've never seen such a thing.

Leah M
05-26-2008, 04:35 AM
I just started seeing a new doctor. For them to get any of my previous medical records, I need to fill out a 'release of information' form, and give that form to any previous doctor that I want records released from.

This form details the records I want released, and whom I want them released to.

Athena
05-26-2008, 08:21 AM
I'm not a HIPAA expert, but I did write a large part of the security code for an electronic medical record software application.

Here's what I remember:

- Your primary care physician has access to your records. If he's part of a group practice, the other physicians in his group can easily get access to your records.

- If you're admitted to the hospital, the nurses on the floor where you are staying have access to your records.

- If you go to a specialist, you fill out a form, and the specialist can see your records.

- Psychiatric and substance abuse records do not follow the above rules - you pretty much have to always fill out a form giving the doctor access to those types of records.

- You can specify that a certain person is *never* allowed access to your records by filling out a form.

In theory, your records are only accessible to health care specialists who need to see them to give you adequate care. That's what the above rules try to do. The software I wrote kept track of everyone who accessed a patient's records, and one of the first screens everyone saw when they pulled up someone's records was a history of who accessed them. There was a "report" button that anyone could use to alert the higher-ups if anyone thought that someone who shouldn't be looking saw someone's records.

This worked pretty well. But as with all secure information, there are ways around it. If I had wanted, I'm pretty sure I could have gotten into medical records that I shouldn't have - but that was because I was the one writing the software, and it would have taken some work on my part. In general, the rank and file medical workers would have a hard time getting access to something they shouldn't, and if they did, there would be records of it.
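
The access rules and access history described in the post above, sketched as an added example (not code from that application and not a statement of what HIPAA requires). All names, roles and sample data are constructed, and logging denied attempts as well as successful ones is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

SENSITIVE = {"psychiatric", "substance_abuse"}  # always need a signed form

@dataclass
class User:
    id: str
    role: str           # "physician", "nurse" or "specialist"
    practice: str = ""  # group practice, if any
    floor: str = ""     # hospital floor a nurse works on

@dataclass
class Patient:
    id: str
    pcp_practice: str
    admitted_floor: str = ""
    releases: set = field(default_factory=set)  # (user id, category) forms on file
    blocked: set = field(default_factory=set)   # user ids the patient excluded
    audit: list = field(default_factory=list)   # one entry per access attempt

def decide(user, patient, category):
    """Apply the rules in order; the patient's exclusion form wins over all."""
    if user.id in patient.blocked:
        return False, "excluded by patient"
    if (user.id, category) in patient.releases:
        return True, "signed release on file"
    if category in SENSITIVE:
        return False, "sensitive category requires signed release"
    if user.role == "physician" and user.practice == patient.pcp_practice:
        return True, "primary care practice"
    if user.role == "nurse" and user.floor and user.floor == patient.admitted_floor:
        return True, "nurse on patient's floor"
    return False, "no release or treatment relationship"

def open_record(user, patient, category):
    """Return (allowed, reason, prior history) and log the attempt.
    Logging denied attempts too is an assumption of this sketch."""
    allowed, reason = decide(user, patient, category)
    history = list(patient.audit) if allowed else []  # shown before the chart
    patient.audit.append({"when": datetime.now(timezone.utc).isoformat(),
                          "who": user.id, "category": category,
                          "allowed": allowed, "reason": reason, "flagged": False})
    return allowed, reason, history

def report(patient, index, reporter_id):
    """The 'report' button: flag a history entry for review."""
    patient.audit[index].update(flagged=True, reported_by=reporter_id)
    return patient.audit[index]

# Constructed sample data
pcp = User("dr_a", "physician", practice="northside")
partner = User("dr_b", "physician", practice="northside")
cardio = User("dr_c", "specialist", practice="heart_clinic")
patient = Patient("p1", pcp_practice="northside", blocked={"dr_b"},
                  releases={("dr_c", "general")})
```

The history lives with the patient record and is appended on every attempt, so a viewer who opens the chart sees earlier lookups before anything else and can flag one with `report`.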

Qadgop the Mercotan
05-26-2008, 10:22 AM
People really don't understand HIPAA.

I've tried to educate folks about this before, but most just don't seem to get the concept.

This is from Health & Human Services itself: http://www.hhs.gov/ocr/Healthcare-Provider-letter.pdf


> HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances can share information for treatment purposes

My State spells it out specifically in their legislative code:

From: Wisconsin State Statutes (http://www.legis.state.wi.us/statutes/Stat0146.pdf)
> 146.82 Confidentiality of patient health care records.
> (2) ACCESS WITHOUT INFORMED CONSENT. (a) Notwithstanding sub. (1), patient health care records shall be released upon request without informed consent in the following circumstances:
> .......
> 2. To the extent that performance of their duties requires access to the records, to a health care provider or any person acting under the supervision of a health care provider or to a person licensed under s. 146.50, including medical staff members, employees or persons serving in training programs or participating in volunteer programs and affiliated with the health care provider, if any of the following is applicable:
> a. The person is rendering assistance to the patient. (Like what doctors do. QtM)
> b. The person is being consulted regarding the health of the patient. (ditto)
> c. The life or health of the patient appears to be in danger and the information contained in the patient health care records may aid the person in rendering assistance.

Bottom line? If you're my patient, I don't need your signature or your consent to obtain your medical records from your previous providers. (exceptions: Psychiatric, alcoholism/addiction, & HIV records.)

NinjaChick
05-26-2008, 11:03 AM
> People really don't understand HIPAA.
>
> I've tried to educate folks about this before, but most just don't seem to get the concept.
>
> This is from Health & Human Services itself: http://www.hhs.gov/ocr/Healthcare-Provider-letter.pdf
>
> My State spells it out specifically in their legislative code:
>
> From: Wisconsin State Statutes (http://www.legis.state.wi.us/statutes/Stat0146.pdf)
>
> Bottom line? If you're my patient, I don't need your signature or your consent to obtain your medical records from your previous providers. (exceptions: Psychiatric, alcoholism/addiction, & HIV records.)

How strict is the 'requires the records' bit? Do you need to actually furnish proof that you believe condition X which you're treating the patient for is related to condition Y that a different doctor saw them for previously? Or is it just generally assumed that you need the record?

Qadgop the Mercotan
05-26-2008, 11:13 AM
> How strict is the 'requires the records' bit? Do you need to actually furnish proof that you believe condition X which you're treating the patient for is related to condition Y that a different doctor saw them for previously? Or is it just generally assumed that you need the record?

It's generally assumed that if I (or my staff) is requesting the record, we need it.

Frankly, what often gets put down as the reason for needing the record is "continuing care".

I see many requests returned without records, and the reason is "patient not one of ours" or "couldn't find record" etc.

I've never seen a request come back stating that our request wasn't valid.

USCDiver
05-26-2008, 12:13 PM
Yeah, sure there isn't a federal mandate that requires consent for records to be shared with a physician who requests it, but in my experience, most hospitals will give you a hard time if you don't send a form.

Risha
05-26-2008, 01:07 PM
> It's generally assumed that if I (or my staff) is requesting the record, we need it.
>
> Frankly, what often gets put down as the reason for needing the record is "continuing care".
>
> I see many requests returned without records, and the reason is "patient not one of ours" or "couldn't find record" etc.
>
> I've never seen a request come back stating that our request wasn't valid.

However, I'm pretty sure that a patient could sue you under HIPAA for that if they felt that the reason was insufficient. I doubt that most would bother, but they may if one of the hypotheticals in the OP happened.

> Yeah, sure there isn't a federal mandate that requires consent for records to be shared with a physician who requests it, but in my experience, most hospitals will give you a hard time if you don't send a form.

The simplified US Health and Human Resources text of the regulations, including exclusions and penalties, can be found here (http://www.hhs.gov/ocr/AdminSimpRegText.pdf) (pdf). Note that due to the preemption clauses, this overrules all state laws that are not stricter than it. To summarize, that federal law most definitely exists. If your records are being released, they NEED to have a form, or fall into one of many very specific exclusions. (Some of which are amusing reading - your coroner has pretty much a free pass, for instance.)

Qadgop the Mercotan
05-26-2008, 01:11 PM
> Yeah, sure there isn't a federal mandate that requires consent for records to be shared with a physician who requests it, but in my experience, most hospitals will give you a hard time if you don't send a form.

I've not gotten a hard time from any hospitals due to lack of signed consent from the patient when requesting records.

And working at an intake facility, we have 8000 new patients come in a year, and request a hell of a lot of old records. And I end up reviewing the Lion's Share of the records we receive.

All requests are made on an official state records request form. Nowhere on the form is there even room for a patient signature. A separate form, with a spot for patient signature, is used for requesting HIV/mental health/chem dep records.

Qadgop the Mercotan
05-26-2008, 01:15 PM
> However, I'm pretty sure that a patient could sue you under HIPAA for that if they felt that the reason was insufficient. I doubt that most would bother, but they may if one of the hypotheticals in the OP happened.

Anyone can sue for anything, but legally their case would be very, very tenuous. IMHO.

The hypotheticals put together in the OP wouldn't fall under HIPAA in my estimation, but rather under denial of care statutes.

Risha
05-26-2008, 01:22 PM
> I've not gotten a hard time from any hospitals due to lack of signed consent from the patient when requesting records.
>
> And working at an intake facility, we have 8000 new patients come in a year, and request a hell of a lot of old records. And I end up reviewing the Lion's Share of the records we receive.
>
> All requests are made on an official state records request form. Nowhere on the form is there even room for a patient signature. A separate form, with a spot for patient signature, is used for requesting HIV/mental health/chem dep records.

I suspect you may fall under pages 59 - 61 of the above document (judicial and criminal exclusions).

I'm finding the general lackadaisical approach to compliance described in this thread very alarming. Rest assured my company takes HIPAA compliance very seriously, mostly because our lawyers have a lobbyists talking to the people in Washington about these laws, and THEY take them very seriously.

Risha
05-26-2008, 01:26 PM
> Anyone can sue for anything, but legally their case would be very, very tenuous. IMHO.
>
> The hypotheticals put together in the OP wouldn't fall under HIPAA in my estimation, but rather under denial of care statutes.

It's possible that they'd get hit with the denial of care suit first, but the law about improper release of information is very clear.

Then again, I'm not a lawyer. I may be gun shy, because a programming mistake we made got my client sued for COBRA violations (and they lost). The government takes those VERY SERIOUSLY. I can't imagine that in the current political climate that they'd take HIPAA less seriously.

USCDiver
05-26-2008, 01:42 PM
Risha can you point me to the section of that pdf you linked where it states that hospitals, clinics etc are required to have signed consent from a patient to share their records with a physician who is requesting them?

Qadgop the Mercotan
05-26-2008, 01:46 PM
> I'm finding the general lackadaisical approach to compliance described in this thread very alarming. Rest assured my company takes HIPAA compliance very seriously, mostly because our lawyers have a lobbyists talking to the people in Washington about these laws, and THEY take them very seriously.

Well, our State Dept. of Justice lawyers reviewed the requirements and our forms (which don't have patient consent on them) and found them wholly satisfactory for obtaining medical records.

And these forms have been sent out to many health care providers around the nation, and have been successful in getting records sent to us from hospitals/clinics/physicians from across the nation.

I really don't get why people still insist that medical records can't be released unless the patient signs for their release.

But arguments like this are why I no longer post any extended anecdotes about clinical encounters with patients. Someone always declares I am violating HIPAA by doing so. Despite proper anonymization on my part, which frankly exceeds the anonymization required by HIPAA, someone makes a crusade of this so-called violation.

Qadgop the Mercotan
05-26-2008, 01:47 PM
> Risha can you point me to the section of that pdf you linked where it states that hospitals, clinics etc are required to have signed consent from a patient to share their records with a physician who is requesting them?

I don't believe Risha will be able to. Such a requirement is not a part of HIPAA.

> HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances can share information for treatment purposes: Providers can freely share information with other providers where treatment is concerned, without getting a signed patient authorization or jumping through other hoops. Clear guidance on this topic can be found at a number of places: For instance, see the answers to frequently asked questions (FAQs) in the "Treatment/Payment/Health Care Operations" subcategory, or search the FAQs on a likely word or phrase - like "treatment." Or see the Fact Sheet, "Uses and Disclosures for Treatment, Payment, and Health Care Operations," www.hhs.gov/ocr/hipaa/guidelines/sharingfortpo.pdf; or review the "Summary of the HIPAA Privacy Rule," www.hhs.gov/ocr/privacysummary.pdf.

http://www.hhs.gov/ocr/Healthcare-Provider-letter.pdf

USCDiver
05-26-2008, 02:21 PM
> I don't believe Risha will be able to. Such a requirement is not a part of HIPAA.
> http://www.hhs.gov/ocr/Healthcare-Provider-letter.pdf

Yeah, it was more of a challenge than a true request. I still get Medical Records clerks asking me to fax over a patient consent when I call a nearby hospital to find out information about a patient. It can really make a huge difference in taking care of a patient in the ER too!

Risha
05-26-2008, 02:24 PM
> I don't believe Risha will be able to. Such a requirement is not a part of HIPAA.
> http://www.hhs.gov/ocr/Healthcare-Provider-letter.pdf

Hm. OK, I've just reviewed the document you linked again, and I see where you're coming from. I think that maybe the different slant on the regulations that my company is teaching us is because we're administrators releasing information generally to other administrators and insurance companies.

I also never meant to imply that all releases of information to other doctors required a signature, only the non-urgent ones of wholesale record exchange. I must not be the only one misreading those regs, because my doctor required my signature to get my information from my old doctor, and also when they were sent to two different specialists.

I still think that any misuse of that information would get you sued to hell and back though. The whole point of the legislation is to prevent personal information about yourself from going to anyone you don't want it to go to. The maxim we live under today is to provide the absolute minimum required information to the person who needs it. We would no more tell your spouse who called up who your PCP is than we would tell a telemarketer.

By the way, I miss the personal-but-disguised anecdotes, which are obviously not a violation since it doesn't identify anybody, so I apologize if I've added to that stress. :D

Risha
05-26-2008, 02:55 PM
Reasons why not to get into arguments on the internet: now I feel just terrible about accidentally passing on misinformation.

Qadgop the Mercotan
05-26-2008, 03:19 PM
> I still think that any misuse of that information would get you sued to hell and back though.

It would also violate patient confidentiality, medical ethics, and, in some circumstances the state and federal criminal codes.

I understand my responsibilities as a physician. And I understand my rights and privileges as one too.

One of those rights is to get the information I feel I need in order to care for my patient. Regardless of signed permission (save in the 3 exception areas I noted previously.)

It is my privilege and responsibility to use that information to the patient's benefit.

Thank you for your thoughtful reflection on my points.

iturntoyou
05-26-2008, 06:14 PM
How does this apply to diseases like AIDS and other sexually transmitted diseases? Don't most if not all states require you to give the person's name to a central state agency?

Qadgop the Mercotan
05-26-2008, 06:58 PM
> How does this apply to diseases like AIDS and other sexually transmitted diseases? Don't most if not all states require you to give the person's name to a central state agency?

Yes, HIV is a reportable disease. To fail to report it is a violation. But the agency to whom it is reported is also held by statute to strict confidence.

Similar rules apply to some other STDs and reportable infections (such as TB).

Moirai
05-26-2008, 07:19 PM
> But arguments like this are why I no longer post any extended anecdotes about clinical encounters with patients. Someone always declares I am violating HIPAA by doing so. Despite proper anonymization on my part, which frankly exceeds the anonymization required by HIPAA, someone makes a crusade of this so-called violation.


This makes me sad. Can't you just write up a generic "this is why this post doesn't violate HIPAA" and use it as a footnote in your OP each time? Because I really love your posts about interactions with some of your more entertaining patients! :D

Qadgop the Mercotan
05-26-2008, 09:15 PM
> This makes me sad. Can't you just write up a generic "this is why this post doesn't violate HIPAA" and use it as a footnote in your OP each time? Because I really love your posts about interactions with some of your more entertaining patients! :D

Because doing that in the past never ended the arguments about how horrible I was for violating HIPAA from certain posters.

And while I can put such as do that on 'ignore' here at the message board, it doesn't prevent them from emailing me or even my employer and regulatory agencies with their baseless accusations.

Risha
05-27-2008, 09:07 AM
> And while I can put such as do that on 'ignore' here at the message board, it doesn't prevent them from emailing me or even my employer and regulatory agencies with their baseless accusations.

:eek:

Qadgop the Mercotan
05-27-2008, 11:11 AM
> :eek:

Indeed.

However, it's really not a board matter, and I shouldn't have brought it up, frankly. It's not caused me any problems with employer or regulators (as they recognize how HIPAA should be properly applied too) but I'll let it serve as an explanation as for why I don't post nearly so much about life behind the walls.

A pity, but I don't need the aggravation.

'nuff said.