HIPAA Consult

December 3, 2004

Answers to your questions about... copying sensitive chart entries; sharing data with noncovered entities.

Copying fees and sensitive chart entries Q. I plan to cut my hours in preparation for retirement and I expect many of my patients to leave the practice. If I'm required to respond to multiple record requests, may I charge a reasonable fee for copying and sending large records? Also, how should I handle any "delicate" and possibly inflammatory entries in charts?

The second question you raise is more difficult. Generally, you can't deny access to any part of a medical record under HIPAA, with certain exceptions: psychotherapy notes (unless the requesting doctor has obtained prior patient authorization); information compiled in anticipation of legal proceedings; CLIA information; research records during the course of a study; or records obtained from someone other than a healthcare provider, under a promise of confidentiality.

But you'll find no protection for indelicate entries. Although many state laws permit doctors to redact portions of the medical record, HIPAA doesn't recognize this right.

Sharing data with noncovered entities Q. I'm part of a five-doctor internal medicine group with managed care contracts through two different hospital PHOs. Recently, in connection with a quality improvement project it's conducting, one PHO demanded to see charts for a sampling of all our diabetic patients. Since only a handful of our patients with diabetes are enrolled through this PHO, we refused to release the patient charts of other patients for fear of violating HIPAA. Did we do the right thing?

A. Yes. Generally, covered entities-you and a hospital, for example-may use patient information for their own operational purposes, including quality assurance reviews. Similarly, if two covered entities have treated the same patient, they may exchange relevant information for quality assurance or other operational purposes.

In the case you describe, however, the PHO isn't considered a covered entity under HIPAA because it's not a healthcare provider, payer, or clearinghouse. Still, the PHO may be able to set things up so that it could legitimately obtain patient information from you, along with its other physician members. One, it could characterize itself as your business associate and enter into a business associate agreement with you. Or two, it could enter into a "data use agreement" with you, permitting you to release a "limited data set"-that is, information that excludes such identifying data as names, addresses, phone numbers, and Social Security numbers.

____________________________________________________________

Margaret M. Davinomdavino@kbrny.comis a healthcare attorney with Kaufman Borgeest & Ryan, in New York City. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice.

Please submit questions via e-mail to mehipaa@advanstar.com or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.