As the HIM Director of an acute care hospital you are charged with the responsibility of maintaining the hospital-wide confidentiality policies and procedures and managing the access and disclosure of

TITLE: AUTHORIZATION TO DISCLOSE PATIENT INFORMATION PATIENT ACCESS – USE AND DISCLOSURE OF MEDICAL INFORMATION POLICY: All information contained within a patient’s medical record will be maintained in a confidential manner to protect the patient’s right to confidentiality and comply with City, State and Federal Regulations including HIPAA. PURPOSE: This policy includes the procedures to follow when a patient request s to disclose their medical information to another physician, hospital, or medical f acility , an a ttorney, an insurance company , to the patient or any other party as authorized by the patient. Protected Health Information (PHI) may only be accessed / used or (disclosed) , as follows:  to those directly involved in the treatment of the patient;  to comply with public health regulations ;  for the payment of services provided to a patient;  to researchers as authorized by the patient or an IRB approval ;  as required by law ; or  as authorized by the patient or other legally authorized individual / or entity. Protected Health I nformation may be disclosed with a written authorization from the patient if:  The authorization is in writing, is dated, and is signed or otherwise authenticated with the exception of immunization records which may be disc losed to a school with the verbal permission of the parent or the patient.  The authorization specifies the information to be disclosed  The authorization specifies the entity or location to disclose the information  The authorization specifies the person or persons to receive the information PROCEDURES: 1. The following information must be reviewed before protected health information is disclosed :  A p atient or other designated /authorized individual requesting disclosure of the medical information has complete d an Authorization to Release Medical Information form.  The Authorization to Release Medical Information should be reviewed to verify the signature of the patient or legally authorized representative.  The date on the authorization must be no more than on e year old or must not hav e expired.  A healthcare provider can verbally disclose or fax medical information to a physician, hospital, or medical facility upon receipt of the required authorization or a statement in the record documenting that the patient i s unable to authorize release of their information in an emergency .  Medical information may be released and / or disclosed with another healthcare provider / healthcare organization without a signed authorization if the healthcare providers have a known patient in common or for continuity of care. Examples of this include; a physician that has referred a patient for a specialty consult . The consulted physician would be expected to share a report of their findings with the referring physician. Ano ther example includes providing information to a physical therapist when referring a patient for physical therapy.  According to New York State Law “…a subject over the age of 12 may be notified of any request by a qualified person to review his / her pati ent information, and, if the subject objects to disclosure, the provider may deny the request…” For questions, contact the Privacy Officer.  Medical information should be copied and forwarded within 10 days of receipt of a written request for such informa tion.  Refer to the ColumbiaDoctors’ Legal Health Record and the Designated Record Set Policy (AD.3.06) for guidelines prior to releasing medical information  Effective September 23, 2013, patients have the right to request an electronic copy of their medical information . Procedures to process patient request for an electronic copy of their medical information can be found at: -Download_Chart.pdf columbiadoctors/crownweb/docs/TrainDoc -JobAid - Download_Print_Chart.pdf  Effective September 23, 2013, patients have the right to designate a third party to receive copi es of their medical information, the patient must complete an authorization identifying the third party and place a copy in the patient’s medical record.  ColumbiaDoctors may charge $.75 per page for access to medical information. If the patient states in writing that he / she cannot a fford to pay for their records, the $.75 / page charge may be waived. Receipt of payment (or non -receipt of payment) will not affect request response. ColumbiaDoctors may charge a reasonable fee to provide an electronic copy of the medical information. 2. Research Staff participating in research activities approved by the Institutional Review Board (IRB) may have access t o medical information as necessary for the conduct of the research. If there are questions about the information requested, the Principal Investigator will provide a copy of the approved protocol. All researchers must also comply with the Research and HIPAA policy available o n the HIPAA web site. Researcher access to protected health information is limited to the scope approved by the IRB. It is responsibility of the Principal Investigator to comply with all Privacy, Security and Research policies for data access , use and disclos ure . 3. Legal request for medical information Upon presentation of proper authorization from the patient, a parent or guardian, or the executor of the estate of a deceased patient; attorneys, and others with a compliant authorization for the med ical information of a patient will be provided with the requested information. 4. Law Enforcement Agencies Members of the law enforcement that request medical information in the absence of an authorization from the patient should be referred to the Privacy O fficer or General Counsel . 5. Subpoenas for Medical Records When a department or healthcare provider receive s a subpoena for medical information they may contact the Privacy Officer or General Counsel if additional guidance is needed. 6. Mental Health Record Mental Health Records require the approval of the mental health provider or their designee when requested by the patient . If in the opinion of the physician it is felt that the information may be harmful to the patient or others, the provider may deny acc ess to the information. This opinion must be stated in writing in the medical record. In addition, the patient has the right to appeal this decision with the NYS Office of Mental Health. Notify the Privacy Officer if access to medical records will be de nied. For additional information or to respond to questions regarding access, use or disclosure of medical information, contact the Office of HIPAA Compliance at (212) 305 -7315 or [email protected] . Forms to authorize the release of information can be found at RESPONSIBILITY: ColumbiaDoctors and Office of HIPAA Compliance POLICY ISSUED: May 2008 REVISED: December 2009 REVISED: June 2012 REVISED: September 2013