Processing a request for PHI can be daunting. Luckily, HIPAA has spelled out exactly what is required to release PHI. The basic requirements have been listed below.
When processing a request for medical records it is important to verify that the authorization has all of the following elements:
- The name of the institution or person authorized to release the PHI
- A description of the PHI to be disclosed
- Purpose of the disclosure
- Date or event the authorization will expire
- A re-disclosure statement
- A revocation statement
- The authorization is signed and dated by the patient or their authorized representative
Helpful tips when processing a request:
- It is important to always release the minimum necessary required to fulfill the request. Never release additional information that was not included on the authorization.
- If there is a request included with the authorization only release the PHI that was both requested and authorized. Often a patient will authorize complete records, but the requester only wants a specific date or document or vice versa the request letter will request all records, but the authorization only allows for a certain date range. ALWAYS release the minimum necessary and only include PHI that is both requested and authorized.
- PHI can be released after the date of signature if the expiration date of the request has not expired and the PHI being released was identified on the authorization.
- When in doubt, don’t send it out! If you are ever unsure, always check with the hospital’s legal counsel, privacy officer, or designated hospital expert on HIPAA and release of information.