(Note: As always, nothing in this blog is legal advice.)
The Health Insurance Portability and Accountability Act (HIPAA) may be the most frequently misquoted law in the United States, or maybe it just seems that way to me because I encounter it every day in my work. I know the law is complicated, and laws around healthcare are no exception, but HIPAA often gets oversimplified with malicious intent.
Here is a scenario colleagues and I run into all too often, which is not a description of any specific client or situation:
A client is undergoing a legal process. Maybe they are ending a marriage, fighting for custody, or filing or responding to a lawsuit. Their lawyer sends me a signed release of information requesting “the entire medical record.”
Here’s another scenario, again not describing any one specific scenario:
A client is experiencing an increase in mental health symptoms and needs to take a leave of absence from work. They ask me to provide evidence of their current mental state and sign a release. Their employer sends a request for “all office notes.”
In both of these cases, someone gets angry with me because I acknowledge receipt but do not comply with the request. “But the client signed a release!” “You have to send the information right away!” “I am going to have you arrested!” (That, a lawyer actually did say to me. It didn’t end up happening.)
The thing is, a release of information is not a magical form that automatically teleports medical records from one place to another, or even obligates me to send said records. In fact, even with a release on file, I must still consider the legal and ethical implications of everything I release.
In both examples above, someone who is not a covered entity (a medical professional legally required to follow HIPAA) is asking for protected healthcare information (PHI). That means that any information I release does not have to be stored, transmitted, or protected in the same way that I store, transmit, and protect my clients’ information. I have to assume anything I send will be made public.
Imagine if you are requesting time off work for your mental health, and your boss reads your therapy notes. Or, imagine if you are in the middle of a contentious divorce, and your attorney gets your records, forwards them to the other attorney, and your ex reads them. Compliance with these requests can put my client in danger.
I have found that clients often do not realize what they have authorized when I tell them this. When we review their chart together and they see how much information will go out, their eyes go wide. Even if I have a signature on a release, if a client did not give informed consent, if they did not understand what they were agreeing to, I have a legal and ethical responsibility to explain it to them rather than automatically complying with a request.
Additionally, even with an appropriate release, HIPAA has a rule called Minimum Necessary, which means I must “make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose.” I legally cannot send information that is not essential to complete the request.
So, when an attorney wants the entire record, I need to determine exactly which components of the record the court needs. (Of course, a judge can still order release, and I am legally required to comply with a judge’s signed court order – which is different from a subpoena from an attorney.) Or when someone is applying for a leave from work, I can only submit the information that documents the client’s need for the leave.
Even if a judge orders me to release records, I must speak to my client and make sure they understand exactly what is being released and to whom. I can ask the judge to seal the records or accept a summary instead of a full chart, which is sometimes allowed.
Outside of judge orders, I typically respond to these requests by letting the requesting entity know that the disclosure they are asking for is illegal even with a signed release. I cite the Privacy Rule and Minimum Necessary requirements. When appropriate, I offer to instead submit a treatment summary, which my client reviews and consents to before I release it.
I can always release more information later, but I can never take back something once I have put it out there. My clients’ well-being, my ethics code, and my legal obligations always come first.