Legal FAQs

Yes.

If PHI is created after the date the authorization is signed but before the date of expiration of the authorization, under HIPAA regulations, covered entities are permitted to release the information. Covered entities are not required to do so. If an entity so chooses, the entity could contact the patient for another authorization. This should be a policy decision and documented in the HIM Policies and Procedures.

HIPAA Regulations stipulate the following aspects of a valid authorization form:

• Description of information to be used or disclosed
• The name of the person/entity or class of persons authorized to make disclosure
• The name of the person/entity or class of persons authorized to receive the information
• The purpose of the disclosure. “At the request of the individual” is acceptable if initiated by the individual.
• An expiration date or event that relates. For research, “end of the research study” or “none” is acceptable.
• Signature and date. If a “personal representative,” a description of the authority to act on the person’s behalf.

And the following statements:

1. An individual’s right to revoke the authorization in writing and either
• The exceptions to the right to revoke and a description of how they may revoke it, or
• A reference to the facility’s notice of privacy practices which explains the above.
2. The ability or inability to condition treatment, payment enrollment or eligibility for benefits if the patient does not sign authorization or the consequences of a refusal to sign the authorization
3. The potential for information disclosed to be subject to re-disclosure by the recipient and no longer protected by the HIPAA Privacy Rule.
4. The potential for information disclosed to no longer be protected.

If the foster parent can provide documentation that they have been given the authority by the Department of Human Services to consent for treatment or provide authorization for release of information, then yes, a foster parent can consent to treatment for the foster child and PHI can be released to a foster parent. A provider can require legal documentation of the foster care relationship.

For children in foster care, the State of Tennessee is considered their legal guardian and no information should be disclosed to the biological parents of these children. References to Tennessee Law that support this answer are listed below:

• TCA 37-2-415 (a)(14) indicates that “the department shall permit, through written consent, the ability of the foster parent or parents to communicate with professionals who work with the foster child, including therapists, physicians and teachers that work directly with the child.”
• TCA 37-2-415(a)(6) states, “The department shall provide a means by which the foster parent or parents can contact the department twenty-four (24) hours a day, seven (7) days a week for the purpose of receiving departmental assistance”

Email communication between patients and their health care providers is becoming more and more commonplace. Yes, you should have a policy and procedure addressing this activity. Here are some guidelines you might review – this is not an exhaustive list of resources available through the Internet, but it is a good place to start.

• AHIMA Practice Brief: E-mail as a Provider-Patient Electronic Communication Medium and its Impact on the Electronic Health Record (www.ahima.org – click HIM Resources)
• AMA’s Guidelines for Physician-Patient Electronic Communications
• Phoenix Health Systems: Electronic Communications
• Vanderbilt University Medical Center, Guidelines for Patient-Physician Electronic Mail
• The University of Texas Medical Branch, Electronic Mail Containing Protected Health Information (PHI)

Any policy should address when/if email communications will become part of a patient’s medical record or designated record set – refer to HIPAA regulations and JCAHO standards in making this determination. Finally, you should obtain input and approval of the policy from your facility/organization’s legal counsel.

T.C.A. 33-3-111 states:

Records of child service recipient not available to person accused of abusing recipient – Exceptions and limitations.

(a) In any case where a person is known to have been accused of physically or sexually abusing or neglecting a service recipient (defined below) who is a child, the service recipient’s record shall not be accessible to the person accused of such abuse or neglect except if:

(1) A court orders access under subdivision § 33-3-105(3) ; or

(2) (A) The child’s qualified mental health professional has determined in the course of such treatment or service, after consultation with the child, the child’s guardian ad litem, and others on the child’s behalf whom the professional deems appropriate, that the release of the child’s record to the accused person would not be harmful to the child, and (B) The accused person is the parent, legal guardian, or legal custodian of the child.

(21) “Service recipient” means a person who is receiving service, has applied for service, or for whom someone has applied for or proposed service because the person has mental illness, serious emotional disturbance, or a developmental disability

Does this law apply to hospital medical records even though it resides in the law that addresses the State Department of Human Services? Does the hospital have to determine if the child is a “service recipient?”

Yes, most health care attorneys believe that this law does apply to hospital medical records, and they advise their client hospitals NOT to release any medical records of a child who is suspected or known to have been abused to the person(s) suspected of the abuse. The hospital does not have to determine if the child is a “service recipient” because any child who is suspected or known to have been abused is automatically a “service recipient”. What if the person suspected of the abuse is cleared of the charge? Can that person bring suit against the hospital for denying him/her copies of their child’s records? Yes, they could. But, one must consider whether the risk of such litigation is outweighed by the potential harm that could be done to the child if records were released to an abusing parent. The bottom line: when there is suspicion of physical or sexual abuse to a child, do not release that child’s record to the person(s) suspected of the abuse, regardless of the relationship of the person(s) to the child. Any known or suspected child abuse or neglect should be reported as described in T.C.A. 37-1-403.

This is a common question because it has become a common practice in some areas to allow physicians to authenticate entries in medical records for one another. But, the answer is “No;” the legal standards for medical record authentication are clear that the author or originator of the order must authenticate the entry. The purpose of authenticating an entry is to identify the author, to verify the reliability of the entry, and to place responsibility of the entry on the author. The federal Conditions of Participation (42 CFR 482.24) clearly state “All entries must be legible and complete, and must be authenticated and dated promptly by the person (identified by name and discipline) who is responsible for ordering, providing, or evaluating the service furnished”. The Standards of the Joint Commission echo this requirement. Electronic signature is acceptable.