HIPAA Consult

March 3, 2006

Answers to your questions about...retaining records; reporting privacy violations; family authorizations

Retaining medical records

Q. My practice has had an influx of new patients. When their old records are transferred to me, I summarize the relevant parts, using speech recognition software. I then incorporate the summary into my EHR and shred the old records. Is this permitted under HIPAA, or does the law require that I physically house the old records in my office?

Q. I'm part of a group surgical practice. After we dismissed one of our employed physicians, he accessed patient files from his home computer. Was this a HIPAA violation and, if so, whom should we contact to complain about his actions?

A. To answer the first part of your question, Yes, this was probably a HIPAA violation. Once you dismissed the employed physician, he was no longer entitled to records that belong to the practice, unless patients specifically authorized that they be transferred to him. As for filing a complaint (there's no mandatory reporting requirement), contact the regional Office for Civil Rights, US Department of Health and Human Services, for your region. (To file a complaint online, go to http://www.hhs.gov/ocr/privacyhowtofile.htm, where a list of regional offices is included.)

There's another issue you should consider, however: Why was your former employee able to access practice records in the first place? And do you have appropriate security measures in place to prevent this kind of thing from occurring again? If the answer to the second question is No, take appropriate action to ensure that your medical record system is secure.

Family authorizations

Q. Our office, which sees many elderly patients, is once again updating our patient registration form. Is it a good idea to add a family authorization section that authorizes certain family members to discuss care on behalf of an elderly patient?

A. Yes, it is. In the section, ask the patient to list the name and relationship of any person to whom medical information can be released without the patient being physically present. Also, to be on the safe side, consider adding a second section that lists which family members have been authorized to receive appointment reminders.

Margaret M. Davino (mdavino@kbrny.com
) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com
, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.