Editor’s note: This update supplants the 2009 practice brief “Redisclosure of Patient Health Information.”
Redisclosure is the act of sharing or releasing health information that was received from another source (e.g., external facility or provider) and made part of a patient’s health record or the organization’s designated record set. A designated record set is a group of records maintained by or for a covered entity that is “used, in whole or in part, by or for the covered entity to make decisions about individuals.”1
It is critical that organizations determine their responsibilities and processes for classifying and managing records received from other sources. Identifying records as part of the designated record set will determine how an organization should redisclose them.
This article offers guidance for the practice and management of the bidirectional redisclosure of protected health information. It is applicable regardless of the form or medium of health information.
Receipt of Outside Health Information
A healthcare provider’s records may contain patient information that originated from another healthcare provider. For example, copies of selected reports are often sent by an attending physician to the hospital where a patient is admitted. Similarly, reports compiled during the patient’s hospitalization are sent to the attending physician to assist in continued patient care. Information received from a previous provider is often incorporated into the patient’s health record at the receiving facility.
Although redisclosure of protected health information (PHI) is necessary for patient care across the healthcare continuum, the practice often leads to questions about the appropriateness of disclosing information that originated in or at another healthcare facility. However, the HIPAA Privacy Rule does not expressly prohibit covered entities from specifically redisclosing information received from other facilities. When information received from other facilities is used in whole or in part to make treatment decisions about a patient and made part of the facility’s designated record set, it may be subject to redisclosure in accordance with applicable state and federal laws. The alcohol and substance abuse confidentiality regulations (42 CFR Part 2), however, expressly prohibit redisclosure of information without the consent of the individual to whom it pertains, and redisclosures, if any, must include a prohibition statement.
Federal and State Laws
Organizations must understand their redisclosure responsibilities under all relevant federal and state laws. Most states permit redisclosure of health information if the request for information does not conflict with authorized purposes for which the information is sought. Check your state laws for any redisclosure statute.
Requirements for the proper redisclosure of health information created by another provider and made part of the organization’s designated record set may exist at both the federal and state levels.
Substance Abuse Patient Records
The Confidentiality of Alcohol and Drug Abuse Patient Records regulations apply to records of the identity, diagnosis, prognosis, or treatment of patients maintained in connection with the performance of drug abuse prevention functions conducted, regulated, or directly or indirectly assisted by any department or agency of the US government. The rules generally prohibit redisclosure of health information. In fact, the rules require that a notice accompany each disclosure made with a patient’s written consent. The notice must state:
The information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is not sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.
The regulations do not prohibit redisclosure:
- To medical personnel to the extent necessary to address a genuine medical emergency.
- If authorized by an appropriate court order of competent jurisdiction granted after an application showing good cause. However, the court is expected to impose appropriate safeguards against unauthorized disclosure.
The following situations illustrate the difficult decisions facilities face in redisclosing information.
Question: Can we redisclose behavioral health records received from another healthcare provider to a new healthcare provider treating the patient?
Answer: Yes, with certain exceptions. There may be state preemption issues for behavioral health, alcohol/drug abuse, or other restricted health information, which must be taken into consideration. The Confidentiality of Alcohol and Drug Abuse Patient Records rules, which apply to records of the identity, diagnosis, prognosis, or treatment of patients maintained in connection with the performance of drug abuse prevention functions conducted, regulated, or directly or indirectly assisted by any department or agency of the US government, generally prohibit redisclosure of health information.
Question: A patient has authorized that we disclose all of his health records relating to his recent treatment in our alcoholic rehabilitation center. We have received records from the patient’s previous encounters. Can we redisclose these records along with our records?
Answer: No. The patient should be referred back to the healthcare provider that originated the health records, unless any part of the record was used in providing treatment or making a decision about the patient, because it then becomes a part of the facility’s designated record set (DRS).
Question: We are a nonprofit community-based care facility reliant on our state Medical Assistance program to sustain our services. The Medical Assistance program requires health records to determine eligibility, including health records obtained from other healthcare providers. Can we redisclose this information for purposes of eligibility and payment?
Answer: Yes, if the records are not protected by or fall under the Confidentiality of Alcohol and Drug Abuse Patient Records rules. Records disclosed should be limited to the minimum necessary to carry out the function.
Question: When a parent requests a copy of her child’s health records for transfer of care, we have always provided the information that we have created within our practice. Recently a parent requested copies of the health records she brought with her for her daughter’s first visit. Upon receipt of these records, we filed them on the patient’s chart. Can we provide the mother with these records as well as the ones we created?
Answer: Yes, if the records were made a part of the child’s designated record set, they may be disclosed upon authorization.
Subpoenas: Two Case Examples
Court orders must be followed to the letter of the law, but subpoenas may not be quite as clear. The following two scenarios illustrate situations in which providers receive subpoenas that may involve redisclosure.
Pursuant to a Subpoena
A patient with degenerative disc disease is under the care of a pain management specialist. The patient’s pain is becoming increasingly difficult to manage, so the pain management specialist orders x-rays and magnetic resonance imaging (MRI). It is discovered that the patient has worsening spinal stenosis. The pain management specialist refers the patient to an orthopedic surgeon and sends the x-rays and the MRI along with the patient. Upon reviewing the x-rays and MRI, the surgeon determines surgery is necessary. The surgeon also decides that redoing the x-rays and MRI is not necessary. These results become part of the surgeon’s health record, supporting his decision to perform the surgery.
Months later the surgeon receives a subpoena requesting the patient’s health record. In response to the subpoena, the surgeon includes the x-ray and MRI reports received from the pain management specialist, as he used the reports to further diagnose and treat the patient and incorporated them into the health record. This type of redisclosure of PHI is appropriate.
Patient Transfer and Subsequent Subpoena
While out of town visiting relatives, a patient is involved in a car accident. She is taken to a local hospital and treated for injuries. Because the patient is unknown to the local doctors and her injuries are extensive, she receives a complete evaluation. Once stabilized, the patient wishes to be transferred to a local rehabilitation hospital to recover from her injuries.
The hospital that provided her with her primary care sends along a copy of the patient’s entire health record when transferring her to the rehabilitation hospital. In addition, the rehabilitation hospital asks the patient to authorize her family physician to provide information on her past and current healthcare. The family physician opts to send the entire health record. Upon receiving both health records, staff members at the rehabilitation hospital choose to use only select information from the two health records in providing rehabilitation treatment to the patient. The remaining information is kept on file in the health record but is never used by the rehabilitation hospital to treat the patient.
A lawsuit is filed against the other driver in the car accident. The rehabilitation hospital receives a subpoena to release the health record. In responding to the subpoena, the rehabilitation hospital chooses to disclose only the information within the transferred records that was actually used to treat the patient. Because the patient is attempting to prove that her injuries were the result of the accident and not a preexisting condition, records from the primary care hospital and family physician are also subpoenaed.
In this situation, it is appropriate for the rehabilitation hospital to redisclose only the information that was actually used to treat the patient as defined by the organization’s definition of the legal health record. However, it should be noted that circumstances could exist that would require the rehabilitation hospital to redisclose all the records received from the transferring hospital and family physician. If the facility maintained the outside records, then it could be asked to produce them. Many facilities do not keep “all” of the outside records they receive if they are not used for patient care. Therefore, they would not be able to produce them for a subpoena. Generally, the records are sorted and only pertinent records are maintained.
HIPAA Privacy Rule
The HIPAA privacy rule defines health information as any information, whether oral or recorded, in any form or medium, that:
- Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual
The rule states that a valid authorization must include a statement that information used or disclosed pursuant to an authorization may be subject to redisclosure by the recipient and no longer protected by the rule.
The privacy rule’s minimum necessary requirements should be followed as applicable to the circumstances of redisclosed personal health information.
The Department of Health and Human Services issued these responses to two frequently asked HIPAA questions on redisclosure:
Question: Does the Privacy Rule permit a covered entity to use or disclose protected health information pursuant to an Authorization form that was prepared by a third party?
Answer: Yes. A covered entity is permitted to use or disclose protected health information pursuant to any Authorization that meets the Privacy Rule’s requirements at 45 CFR 164.508. The Privacy Rule requires that an Authorization contain certain core elements and statements, but does not specify who may draft an authorization (i.e., it could be drafted by any entity) or dictate any particular format for an Authorization. Thus, a covered entity may disclose protected health information as specified in a valid Authorization that has been created by another covered entity or a third party, such as an insurance company or researcher.3
Question: A provider might have a patient’s health record that contains older portions of a health record that were created by another or previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete health record even though portions of the record were created by other providers?
Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete health record, including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.4
Individual states may have their own laws or regulations relative to redisclosure for all or some particularly sensitive types of health information. State law may preempt HIPAA when the state law provides stricter confidentiality protections or provides patients with greater right of access to their health information.
Organizations should consider the following recommendations when determining their policies and practices around redisclosure:
- Unless otherwise required by state law, incorporate in the facility’s designated record set the health information generated by other healthcare providers that was used in making treatment decisions.
- Become knowledgeable about and implement organizational compliance with federal and state laws and regulations that address redisclosure. Any redisclosure must comply with federal and state laws and regulations.
- Consult with legal counsel when federal and state redisclosure requirements differ and it is unclear which should prevail.
- Develop facility policies and procedures that address redisclosure. Include the requirement that prior to disclosure, the disclosing staff member verify the authority of the person to receive the information.
- Modify existing authorization forms to incorporate required language in the HIPAA privacy rule.
- In general, healthcare providers should redisclose PHI:
  - To other healthcare providers when it is necessary to ensure the health and safety of the patient.
  - When necessary to comply with Medicare and/or Medicaid right of subrogation under third party liability claims for treatment provided to beneficiaries paid for by Medicare and/or Medicaid. For Medicaid beneficiaries, please check your state laws.
  - To patients when necessary.
  - When necessary to comply with a valid authorization.
  - When necessary to comply with a legal process.
- Ask legal counsel to review draft policies and procedures prior to implementation.
- Educate staff on new or revised policies and procedures.
- Implement policies and procedures and monitor compliance.
- When in doubt about a potential redisclosure, consult legal counsel.
- When asked to certify or testify about the authenticity of redisclosed health information, state that the information was received from another healthcare facility’s health record through normal business practices, your facility received the information in good faith, and that you cannot knowledgeably speak about the record-keeping practices of the originating organization.
- Modify existing certification forms when indicated.
The following practice briefs offer related guidance on redisclosure. They are available online in the AHIMA FORE Library: HIM Body of Knowledge at www.ahima.org.
- “Defining the Designated Record Set”
- “Notice of Privacy Practices”
- “Patient Access and Amendment to Health Records”
- “Understanding the Minimum Necessary Standard”
- HIPAA. 45 CFR § 164.501 – Designated Record Set. Available online at http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
- Department of Health and Human Services. “Authorization Use and Disclosure.” August 8, 2005. Available online at www.hhs.gov/hipaafaq/use/472.html.
- US Department of Health and Human Services. “HIPAA—Frequent Questions.” Available online at www.hhs.gov/hipaafaq/providers/smaller/214.html.
- 42 U.S.C.A. § 1395y Medicare & Medicaid Secondary Payers program
- Hughes, Gwen. “Defining the Designated Record Set.” Journal of AHIMA 74, no. 1 (Jan. 2003): 64A–D.
Public Health Service, Department of Health and Human Services. “Confidentiality of Alcohol and Drug Abuse Patient Records.” Code of Federal Regulations, 2000. 42 CFR, Chapter I, Part 2.
“Standards for the Privacy of Individually Identifiable Health Information; Final Rule.” 45 CFR Parts 160 through 164. Federal Register Vol 78, no. 17 (January 25, 2013).
“Standards for the Privacy of Individually Identifiable Health Information; Final Rule.” 45 CFR Parts 160 through 164. Federal Register 65, no. 250 (December 28, 2000). Available online at http://aspe.hhs.gov/search/admnsimp/FINAL/pvcguide1.htm.
“Standards for the Privacy of Individually Identifiable Health Information; Final Rule.” 45 CFR Parts 160 through 164. Federal Register 67, no. 157 (August 14, 2002). Available online at www.access.gpo.gov/su_docs/fedreg/a020814c.html.
“Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” 45 CFR Parts 160 and 164. Federal Register 78, no. 17 (January 25, 2013).
Kathy Downing, MA, RHIA, CHPS, PMP
Godwin Odia, PhD, NHA, RHIA| CAPT,
Maxwell Agyei, RHIA
Marlisa Coloso, RHIA, CCS
Nancy Davis, MS, RHIA
Julie Dooling, RHIA
Beth Hjort, RHIA, CHPS
Chrisann Lemery, MS, RHIA
Leslie Kedlec, MA, RHIA
Brenda Olson, MEd, CHP, RHIA
Yvonne Pennell, MA, RHIA
Angela Dinh Rose, MHA, RHIA, CHPS
Andrea Thomas-Lloyd, MBA, RHIA, CHPS
Diana Warner, MS, RHIA, CHPS, FAHIMA
LaVonne Wieland, RHIA, CHP
Original Prepared By:
Jill Clark, MBA, RHIA
Angela Dinh Rose, MHA, RHIA
AHIMA Practice Brief. "Redisclosure of Patient Health Information (2013 update)"
(Updated November 2013)