Unit 6: Clinical Operations
Clinical administration

Section 1. Health Records

Confidentiality

Health records are privileged or confidential communications between patient and health professional. Disclosure of a health record must be made only with the written permission of a patient to a person designated by the patient, such as the patient's attorney or health professional. Case law and subsequent legislation have consistently supported the patient's right to confidentiality. Under the law, all patient communication with the health professional must be kept confidential unless disclosure is specifically authorized by the patient.

The information in health records is considered the property of both the patient and the clinic, but the physical records themselves belong to the clinic. Patients or their agents are entitled to a complete copy of the records, but clinics may charge a reasonable copying fee before releasing the records. Other parties requesting patient records (including licensing or regulatory agencies, credentialing panels, public health agencies, spouses, and employers) must first obtain the patient's consent.

Guidelines to minimize risk when releasing information from a patient’s records:

  • Receive written authorization before releasing information.
  • In addition to the patient, the parent (if the patient is a minor), legal guardian, or person with health care power of attorney may provide written permission to release the confidential record.
  • Keep a copy of the consent form for release of the record with the records, in case questions arise later.
  • Be prepared to release records in response to a properly issued court subpoena. (Check with an attorney or insurance representative to ensure that the subpoena was properly issued and that the documents are not protected from disclosure by another privilege.)
Often, government agencies have specific statutory authority to obtain personal health information. If that is the case, the information may be disclosed to the government agency without the authorization of the patient or legal representative. (See 42 USC 1320-d7(b).)

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) requires any health professional who transmits health information in an electronic transaction to use a standard format and to abide by certain privacy requirements. HIPAA exempts health professionals who transact personal health information only in a paper format. If the health professional conducts some covered transactions of personal health information electronically and some in a paper format, then all transactions (paper or electronic) must comply with HIPAA.

Additionally, the HIPAA privacy rule requires activities such as the following:

  • Notifying patients about their privacy rights and how their information can be used.
  • Adopting and implementing privacy procedures for the clinic.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who should not have access to them.

Resources