February 7, 2013
HIPAA AS BASIS FOR DENYING ACCESS TO HOSPITAL CHARTS
By: Susan Price, Senior Attorney
You asked if the 1996 federal Health Insurance Portability and Accountability Act (“HIPAA,” P.L. 104-191) prohibits hospitals from giving a patient's independent health advocate access to an inpatient client's hospital chart.
The Office of Legislative Research is not authorized to give legal opinions and this should not be considered such.
We did not find any federal statute, regulation or guidance from the U.S. Department of Health and Human Services (HHS), the agency that administers HIPAA, directly addressing the entitlement of independent health advocates to view or receive a copy of a hospitalized client's hospital chart. “Independent health advocates” are typically registered nurses supported by medical directors and benefits specialists who help people navigate the healthcare system.
HIPAA provides federal protections for personal health information held by covered entities, including hospitals, and gives patients an array of rights with respect to disclosure of that information. The statute and regulations entitle patients to access to their own medical records and permit them to authorize their release to others; independent health advocates presumably fall within this category.
Valid authorizations must be written in plain language and contain six “core elements.” These are:
1. a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
2. the name or specific identification of the person, or class of people, authorized to make the requested use or disclosure;
3. the name or other specific identification of the person, or class of people, to whom the covered entity may make the requested use or disclosure;
4. a description of each purpose of the requested use or disclosure (the statement “at the request of the individual” is adequate);
5. an expiration date or an expiration event that relates to the person or information's use or disclosure; and
6. the authorizing person's signature and date (45 CFR Sec. 508(c)(1)).
Authorizations must also contain statements notifying signatories:
1. that they can revoke authorizations in writing;
2. if refusing to sign will affect their treatment, enrollment in a health plan, or eligibility for benefits; and
3. of the possibility that the person receiving the medical information will re-disclose it to an unauthorized entity, thus voiding HIPAA's confidentiality protections with respect to that information (45 CFR Sec. 508(c)(2)).