Release of Information Guidelines and Why ROI is important
Understanding the release of information guidelines is essential for maintaining a high-functioning, compliant medical practice and keeping patient information secure. But it can be challenging. There are many bureaucratic steps to the process, making it easy to make mistakes along the way.
What Is the Release of Information in Healthcare?
Release of information (ROI) allows patients to release information from their medical records to authorized individuals or organizations. However, the release of information guidelines are rather specific—the Health Insurance Portability and Accountability Act, or HIPAA, requires that healthcare organizations, health plans, and other covered entities follow a strict checklist for releasing protected health information (PHI). These release of information guidelines are in place to protect patient privacy and prevent HIPAA Privacy Rule violations.
How Long Is a Release of Information Good For?
HIPAA mandates that covered entities respond to ROI requests within 30 days of receiving them. Entities may also request a 30-day extension if they provide written notice.
Although HIPAA is federally mandated, some states have more stringent ROI requirements. In these states, covered entities must abide by the more rigid state law.
When Is a Release of Information Not Required?
There are a few cases in which ROI requests are not required by the HIPAA Privacy Rule. Healthcare providers can disclose PHI to other providers participating in a patient’s care, such as specialists, testing labs, or medical billing services.
What Happens With Improper Release of Information?
The improper release of medical records and PHI can have disastrous consequences for healthcare providers, covered entities, and their business associates. HIPAA outlines four tiers of penalties for these violations:
- Tier 1: The covered entity did not or could not know how a breach occurred.
◦ Cost: $100-$50,000 per incident
- Tier 2: The covered entities should have known about a breach but did not.
◦ Cost: $1,000-$50,000 per incident
- Tier 3: The covered entity acted with willful neglect toward a breach but corrected it within 30 days.
◦ Cost: $10,000-$50,000 per incident
- Tier 4: The covered entity acted with willful neglect and did not make the proper corrections in time.
◦ Cost: $50,000 per incident
Who Has Access to Medical Records?
Medical records contain PHI, so they’re not accessible to everyone. However, several circumstances require expanded access to medical records and PHI. Here is a list of individuals and organizations that are typically allowed access to medical records:
- The patient: Patients have access to their own medical records.
- Personal representative: Patients can appoint a personal representative to have medical power of attorney.
- Legal guardians: Adults and legal guardians can obtain medical records of the minors under their care.
- Other authorized individuals and organizations: Patients can also authorize certain individuals and organizations, like their attorney or insurance provider, to obtain access to certain PHI.
At BSI Medical Billing, we work with various industries and healthcare providers to ensure compliance and maximize reimbursements for medical services. Explore our industries and find out if we can help your organization maintain compliance.
Why Are Release of Information Guidelines Important?
The release of information guidelines allow you to safely and securely share medical records and information with the parties mentioned above to gain access to various healthcare services and processes. Without access to pertinent medical information, many organizations would be unable to provide necessary services, such as life insurance or legal aid. Here are some of the reasons that following the release of information guidelines is necessary for a functioning healthcare system.
Continuity of Care
Doctors often refer patients to specialists depending on their required care. For example, you may be asthmatic, and during your annual doctor visit, your doctor may refer you to a pulmonary specialist. For the specialist to provide you with adequate care, they will need access to your medical records and history to determine the best treatment for your asthma.
Medical Billing Accuracy
Once a doctor or specialist provides treatment for a patient, their organization’s billing department will need to know what healthcare services were provided to bill for them accurately. For this reason, they also require access to patient medical records.
Health Insurance Billing
Similarly, once a patient receives care, their health insurance provider needs to know the details of treatment to determine the cost to cover it and the percentage that the patient is required to pay. For this reason, medical information must also be released.
Life insurance companies often request access to patient medical records to determine their level of risk and how high their premiums need to be. Access to these records allows life insurance providers to determine how a patient’s medical history affects their life expectancy.
PHI is also necessary for providing data for health studies. Perhaps a research institution is trying to develop new medications or therapies through clinical research and trials. In these situations, they require access to PHI. Doctors will ask patients to authorize the release of their information to share it with researchers.
Data for Legal Proceedings
In the event of a malpractice lawsuit, patients will need to authorize the release of PHI to their attorney. With access to medical history and information, the attorney is able to build a case and argue that medical error was the direct cause of patient affliction.
In some cases, healthcare organizations request access to PHI to share patient’s medical success stories for marketing purposes. For example, if you were successfully treated for breast cancer, the healthcare organization that provided treatment may request that you release your PHI so that they can share your story.
The Release of Information Workflow Process
The ROI process contains more than 40 separate steps. Fortunately, those can be broken down into five easy-to-digest phases.
1. Recording, Tracking, and Verification
The ROI process begins when the patient or authorized individual fills out a release of information form or a mental health release of information form. When the healthcare organization receives this request, they record it and verify that the authorization is valid. This step of the ROI process gives healthcare organizations the ability to release PHI.
2. PHI Retrieval
After verifying the authorization information and logging it accordingly, the healthcare organization locates your medical record and uploads the necessary information to a release of information software.
3. Safeguarding PHI
After retrieving your PHI, the healthcare organization takes meticulous steps to ensure that it doesn’t contain any PHI that is protected by federal or state law and thus not authorized for release.
During this phase of the ROI process, the healthcare organization verifies that the information is correct, uploads copies into the tracking system, and returns the files to their original storage place.
4. Releasing PHI
During this phase of the ROI process, the healthcare organization performs a final verification of your PHI, social security number, date of birth, diagnosis, and date range.
5. Completing the Request and Preparing an Invoice
Finally, the healthcare organization creates an invoice and sends your information in a sealed envelope or encrypted electronic form.