Risk Management

Release of Medical Records

Anne M. Menke, RN, PhD, OMIC Risk Manager

The HIPAA Omnibus Final Rule introduced new regulations for ophthalmologists and their staff to understand and implement. The need to update policies and procedures to address these changes provides a good opportunity to review some of the key federal regulations governing patient privacy and confidentiality that have been in effect since 2003. This Hotline article will address the release of medical records, and clarify when a patient’s authorization is needed and when the federal “minimum necessary rule” applies.

 My patient is on anticoagulants. I need the latest results for the INR test done to monitor her levels. My technician called the patient’s primary care provider and was told we need a patient authorization to obtain this information. Is that correct?

 No. HIPAA anticipated that physicians would need quick access to information in patient records in order for healthcare to be delivered without delay. For that reason, the regulations make clear that a covered entity (healthcare provider, health plan, or clearinghouse) does not need to obtain an authorization if the information requested relates to treatment, payment, or healthcare operations (often labeled “TPO”). Diagnosing and treating conditions is the primary aim of care, so there are the least restrictions related to it. If a physician is part of the patient’s current treatment team, he or she should be provided any information requested, including a copy of the entire medical record. (Please note that certain types of records, such as psychotherapy notes, drug or alcohol treatment records, etc., have special protection under federal and state law and may need a specific authorization before being released. Ophthalmologists are unlikely to have copies of these records.) Ophthalmologists may release records for treatment to other healthcare providers, such as hospitals, ambulatory surgery centers, and pharmacies. The covered entities’ right to access and share this information is explained to the patient in the Notice of Privacy Practices.

 My patient is unhappy with his premium IOL and has instructed his credit card company to stop payment. May I respond to the letter from the company? Do I need the patient’s authorization?

 You may respond to the letter from the credit card company without the patient’s authorization, as the query relates to payment for healthcare. Unlike requests for medical information for treatment purposes, however, you are required to limit the information you provide to the company to “the minimum necessary.” You could thus provide documents related to the patient’s choice of the particular intraocular lens, such as a copy of the consent discussion and consent form, for example, but not information related to other eye or medical conditions. It would be unusual to release the patient’s entire medical record to resolve a payment issue. The same need to limit information to the minimum necessary applies to the third part of TPO, healthcare operations. Operation activities include those that the healthcare provider asks other outside companies and individuals to perform on its behalf. The work OMIC performs for its policyholders falls into this category. Disclosures mandated by law, such as reporting communicable diseases, faulty medical devices, or child abuse or neglect, may also be made without an authorization. While the minimum necessary rule applies to disclosures for operations, you may at times need to provide more information, including the entire record. The main point to remember is that you need to evaluate what information is needed to accomplish the specific objective.

Q  When do I need to obtain the patient’s authorization?

 You should assume that you need an authorization any time the request does not involve treatment, payment, or operations. Such an authorization is needed when the patient wants the records. Under HIPAA, the patient has the right to request a copy of his or her records, or to ask that the records be sent to someone else. If the patient is the one requesting records, then it is the patient who decides what information is released. As a general rule, unless the patient specifically asks that only some of the records be sent, you should release the entire record, including billing statements, correspondence and records from other providers, advanced beneficiary notices, etc. If you are not sure whether a document is part of the medical record, please contact OMIC’s confidential Risk Management Hotline for assistance by calling 800.562.6642, option 4, or by emailing riskmanagement@omic.com.


Please refer to OMIC's Copyright and Disclaimer regarding the contents on this website

Leave a comment

Six reasons OMIC is the best choice for ophthalmologists in America.

Consistent return of premium.

Publicly-traded insurance companies exist to make profits for shareholders while physician-owned carriers often return profits to their policyholders. Don’t underestimate this benefit; it can add up to tens of thousands of dollars over the course of your career. OMIC has one of the most generous dividend programs for ophthalmologists and has returned more than $90 Million to our members through dividends.