At my seminars, if I don’t bring up the issue of release of third-party records to the patient or client under the Privacy Rule’s right of access (inspect and copy) to protected health information (“PHI”) maintained in a system of records by a covered entity, someone in the audience will ask. And it is a good question, because, for years, health information management professionals believed that you could not release third-party documents. The theory was that, if you released such a document, you were somehow “vouching” for its accuracy. That view is legal nonsense. All you are vouching for is that you filed the document in the chart. That’s all that you can vouch for. But because of that theory, many believed that you could not disclose third-party documents, even to the patient or client.
Under the Privacy Rule, an individual has a right of access to all PHI maintained in a system of records by a covered entity. People often ask me where it says that “all” includes “third-party documents.” It seems to me that “all” means “all,” but it is what the Rule doesn’t say. It doesn’t say “all except for third-party documents.” Note that the individual’s right to request correction or amendment specifically exempts third-party documents. The right of access has no such exclusion.
This is not to say that a provider must file a third-party document in the chart in the first place. That question is a clinical decision—does this third-party document concern something that must be documented for purposes of continuity of care, making an appropriate diagnosis, or avoiding a clinical error? But once you file it in the chart, it is every bit as much a part of the chart as a first-party document and must be released to the individual unless one of the limited exceptions applies, such as that the disclosure to the individual is reasonably likely to result in death or bodily injury to the individual or someone else.
As a part of this discussion, I suggest that covered entities of any size should adopt a Medical Record Contents Policy to guide clinicians on what third-party documents and other communications, such as emails, phone conversations, and the like, should be filed in the chart. Obviously, the medical staff or the clinicians, if the entity does not have a formal medical staff, must be involved in developing this policy. It is not strictly a HIPAA policy, but is related in several ways. Timeliness of completion of the chart, for example, ties in with the HIPAA Data Integrity Standard.
I have drafted such a policy, and it is now available in the Premium Member section of VeteransPress.com. In my sample policy, I do not attempt to specify what information must be included in the chart. Federal law, such as the Medicare Conditions of Participation, 42 CFR Section 482.24, state law, and accreditation requirements may specify minimum contents for medical records. Some state laws are vague, such as “sufficient information to support the diagnosis, justify the treatment provided, and document the care given.” Others list specific information that must be included. I could not possibly write a sample policy that would work for all jurisdictions. So you may have to do more revising of this policy than my HIPAA policies, which mostly apply the same in every jurisdiction. As always, Premium Members can ask questions about their issues if they decide to adapt the sample policy to their situation.
Good luck!