X-Ray Copy Service

Update for Attorneys

By Katherine Madden and Steve Ballinger, Esq.

As a company that deals with reproducing medical information, we have encountered extensive confusion and misunderstandings among attorneys regarding the new federal HIPAA Privacy Regulations. These Federal Medical Privacy Regulations (45 C.F.R. Parts 160 and 164) went into effect on April 14, 2003. This article addresses the changes in the requirements that must be included in a patient authorization and/or a subpoena.

In order for a hospital/medical facility to release Protected Health Information (PHI) such as medical records, billing records, x-rays, MRIs, etc., the following must be included in a Patient Authorization:

  1. Identify the name of the Medical Facility or Hospital that is being authorized to disclose PHI.
  2. Describe in detail the PHI that will be disclosed (e.g. exact dates or type of exams).
  3. Specify the person or class of persons to whom the PHI may be disclosed.
  4. Describe the purpose of its use.
  5. State the patient’s right to revoke the Authorization and advise the patient how to do it.
  6. State the consequences for the patient and how he is affected if he refuses to sign the authorization.
  7. Explain that once the PHI is disclosed, it may be re-disclosed to individuals or organizations not subject to the HIPAA regulations.
  8. Give the date of the Authorization and the date it will expire.
  9. Be signed and dated by the patient or his/her personal representative.
  10. If a personal representative signs the authorization, describe the person’s authority to act for the patient.

This represents a significant departure from records releases previously used by lawyers. It is also helpful to include the patient’s name with social security number and birth date.

As for Subpoenas Duces Tecum, the copy of the Notice of Production from a Non-Party or a Notice of No Objection must be included. This must be included because HIPAA requires the issuer of the subpoena to give reasonable assurance that the patient was notified and did not object to someone else getting his/her records. In regard to Subpoenas for Deposition that provide for mail-in compliance, such pleadings are not truly authorized by State Rules of Procedure and need to be avoided when HIPAA applies. If they are used, at least a certificate assuring notification and lack of objection should be supplied to the records custodian.

There are a few exceptions where HIPAA Regulations do not apply. These include worker’s compensation carriers, hospital risk managers, Dept. of Health officials, and the Medical Examiner. Also excluded is a Court order signed by a judge and certain law enforcement activity. At all other times (a plaintiff attorney requesting records, auto insurance claims, etc.), HIPAA compliance is mandatory.

Many attorneys have rewritten their Patient Authorizations to be HIPAA compliant, thus avoiding delays in obtaining PHI. Subpoenas are being sent with the Notice of Production from a Non-Party attached, thus expediting production.

Since X-Ray Copy Service, Inc. is contracted with many of the southeast Florida hospitals, we are obligated under Business Associate Agreements to protect such confidentiality and we cannot release PHI without proper Patient Authorizations or subpoenas. Services will be greatly expedited from both the hospitals and other medical facilities if the paperwork submitted is HIPAA compliant. HIPAA Privacy is found under Federal, not State law. HIPAA specifically provides that in each instance, the more stringent of the privacy rules between State and Federal Laws will apply.

Jennifer Alford is President and CEO of X-Ray Copy Service, Inc. Steve Ballinger, Esq. is a health law attorney in Ft. Lauderdale.

X-Ray Copy Service