May 2003

AUTHORIZATIONS FOR MEDICAL RECORDS MUST NOW COMPLY WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

In 1996, Congress passed the Health Insurance Portability and Accountability Act (AHIPAA). One function of HIPAA is to protect a patient's private medical information from being utilized against his or her will. While HIPAA's impact is mostly felt by healthcare and patient information providers, its effect is also felt in the insurance defense community. Covered entities, which include doctors, hospitals and other providers of patient medical information, were required to comply with HIPAA privacy regulations by April 14, 2003.

Of course, a critical aspect in successfully responding to a bodily injury claim is securing a complete set of medical records directly from healthcare providers. The increased privacy regulations will require that authorizations utilized by insurers and defense counsel be HIPAA compliant.

At a minimum, a HIPAA compliant authorization must include:

  • A description of the information to be disclosed;
  • The name of the person to whom the covered entity may make the disclosure;
  • The name of the individual authorized to request the disclosure;
  • An expiration date of the authorization;
  • A statement of the patient's right to revoke the authorization and how the individual may revoke the authorization;
  • a statement that information disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no long protected by HIPAA; and
  • The signature of the patient and date.

Authorizations received from plaintiffs should be examined for these minimum requirements. Authorizations not meeting these minimum requirements should be returned and exchanged for authorizations which do meet these requirements. Submitting a non-compliant authorization to a provider of medical records will only delay the discovery process.

In addition to the minimum criteria specified above, authorizations which permit the disclosure of certain more sensitive information, such as records of alcohol and/or drug abuse, sexually transmitted disease information, psychiatric records or HIV/AIDS information, should specifically state that the authorization applies to this information. Further, references within authorizations to this more sensitive information should be initialed by the plaintiff so that the plaintiff clearly understands and requests that this information be released.

Chelus, Herdzik, Speyer, Monte & Pajak, P.C., has updated its authorizations to be HIPAA compliant. The attorneys review all incoming authorizations from plaintiffs to ensure HIPAA compliance.

Scott W. Kroll