Today we discuss 5 medical record uses and disclosures rules that I have been covering recently in training.  Medical records are always around for those of us in healthcare.  It is so easy to forget that the rules apply to more than just data breaches and social media.  There are some very basic concepts that people who have been dealing with medical records for years are surprised to learn.  Here are the five we use the most.

5 Uses and Disclosures Rules

This year I have been featuring a session that discusses acceptable uses and disclosures for our workforce training.  I have done it with a wide variety of our client sites and gotten some interesting responses every single time.  One of the core sections that gets a lot of discussion is 5 rules about uses and disclosures.  I spend a lot of time answering questions when we cover those.

Today, we will cover those 5 uses and disclosures rules.  From my experience, I assure you these are very specific statements you should include in your policies and procedures.  You definitely need to discuss them with your staff.

First, let’s start with when it is proper for you to access any patient records: TPO (Treatment, Payment, and healthcare Operations).

I always hear TKO in my head when I say that.  TKO is a song by the band Le Tigre that has been stuck in my head since 2004.  If you know the song, it will now be stuck in your head every time you hear TPO.

Back to the real TPO, though.  There are very specific definitions in the law.  As you know, my method is to read the law first and then decide how to address things.  So here are the definitions in the law.

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Payment means:

(1) The activities undertaken by:

(i) Except as prohibited under §164.502(a)(5)(i), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

(ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and

(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

(A) Name and address;

(B) Date of birth;

(C) Social security number;

(D) Payment history;

(E) Account number; and

(F) Name and address of the health care provider and/or health plan.

Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(3) Except as prohibited under §164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) are met, if applicable;

(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6) Business management and general administrative activities of the entity, including, but not limited to:

(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;

(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.

(iii) Resolution of internal grievances;

(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and

(v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

In basic terms though, treatment means you are involved in the care of the patient.  Payment means you are involved in payment for insurance coverage or for the treatment provided to a patient.  Operations covers the activities required for running the business, such as management and reporting, that require access to records.

Being involved in TPO as part of your job is the only reason you should ever see any patient records.  That is plain and simple, one would think, but not so much.  All basic training covers TPO at some point.  What it doesn’t cover are the areas where people often forget to apply the TPO rules to what they are doing.

#1 I can NOT look at my family members records.

This one usually gets some shocked faces and notes scribbled. Just because they are a family member does not give you authority to review anything that was on their records.  Your job does not give you the authority to override a patient’s right to privacy.  Unless you are involved in TPO for a family member then you shouldn’t be looking at their records for any reason.  You must follow the same rules as every other family member.

One question I often get is about making appointments for family members.  I recently had someone tell me that they were told they couldn’t make an appointment for their father “because of HIPAA”.  Oh please.  Don’t get me started.

#2 I can NOT look at my own records.

I actually get some push back on this one sometimes.  Let’s review TPO again here.

Are you treating yourself?  Your malpractice policy may want to know about how many people are treating themselves.  There is a long list of reasons this shouldn’t be happening.

Are you handling your own payment?

Can we say conflict of interest here?  I am almost certain there should be no reason you would be managing the payments on your own account.  I don’t know many businesses that wouldn’t want to be above board in this area.  Even if you have no reason to believe there would be improper financial activity it is definitely much better to be above reproach in this area.

Are you accessing your own information to run the business?

See the previous two above.  There is a long list of reasons you shouldn’t be in your own records.  There may be some rare cases where this may occur incidentally.  It should never occur on purpose without careful considerations and ways to cover the concerns mentioned above.

#3 If someone tells me it is ok, then I still can NOT look at their records.

Yes, we have heard this one.  I have actually seen sworn statements from people stating that someone working in a health system had been looking at other people’s records.  They claimed that they had been told about “the HIPAA” and that all you needed was for the person to give you a paper saying it was ok.

Unless you are personally in charge of managing authorizations and making these types of decisions you don’t know what kind of HIPAA papers are required and what they allow.

#4 If I see info of a friend/relative/coworker as part of my job it is NOT ok to discuss it with them.

This goes back to my IT company example.  You have to train everyone about proper uses and disclosures or something like this could happen.

A tech sees a chart as part of their job in IT.  It happens to be their neighbor’s.  Nothing is said because there is no need to discuss it.  All good.  But… the next time the tech sees their neighbor they say something like “I had no idea you saw Dr. X.  When did you have cancer?”

With the training most organizations give their BA staff, or really all staff, people may have no idea that this is a violation.

#5 I can NOT get just the address or phone number of a friend/relative/coworker from their records.

This applies to more than just a phone number and address.  Of course, sometimes emergency situations happen but those are very rare and someone in charge of privacy should be making a specific decision.  But, there is never a reason to look up demographic information in charts without one of those decisions being made.  Period.

You also can’t just look up someone you know or meet to see if they are in the health system you have access to for your job.