HIPAA Right of Access: What It Means When Your Patient Is a Couple
Patients have a right to review their health records. Meanwhile, health information should not be disclosed to unauthorized persons. So how do you ensure access and privacy when records include information about more than one individual?
When your patient is a couple or family, your practice’s confidentiality procedures are more complex. But for practitioners such as family therapists or fertility specialists, treating a couple can also complicate your efforts to comply with a lesser-known element of HIPAA: the aggressively enforced “right of access” requirement.
What access should you provide when a single record contains vital health information about more than one person? And what happens if your patients are now a former couple who may be at odds about how the records should be used?
See our related article, Informed Consent and Privacy Obligations for Couples Therapy.
HIPAA’s Right of Access Rule
While HIPAA is best known as the law that protects the privacy of a person’s private health information, it also addresses the accessibility of that information. That is, HIPAA requires providers to honor a patient’s “right of access” to their records and dictates requirements for giving patients that access.
The premise is basic: patients have the right to obtain copies of their health information from their healthcare providers and health plans. In most cases, this right is explained to patients in the required Notice of Privacy Practices document at the start of the relationship. The Notice should also tell patients how to request their records. Typically, a patient request must receive a response within 30 days.
Broadly, the law entitles patients to their entire record, though some exceptions do apply. You might limit the records that you turn over if they include certain types of patient health information, including:
- Information not used to make decisions about the individual
- Psychotherapy notes (i.e., notes that contain the provider’s personal analysis of the client’s progress)
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
If you prune a patient’s record before delivering their copy, be careful that you haven’t excluded the information to which they’re entitled.
There are also situations in which you can entirely deny a patient’s request for access. This should be done in consultation with your attorney, as a denial of records may initiate a patient-driven appeal and subsequent investigative proceedings. We explain this more in our related article, “HIPAA Right of Access: Six Reasons That Practices Get Busted.”
Remember that the Open Notes Rule has further expanded patient access to their health information! For a refresher on those requirements, see our article, “The OpenNotes Rule Against Information Blocking: What Healthcare Practices Need to Know.”
Access vs. Privacy Under HIPAA
HIPAA has two basic principles that can feel in conflict for providers treating couples. On the one hand, patients have a right to review their health information and records. On the other hand, health information should not be disclosed to unauthorized persons.
It’s become common knowledge that providers can’t reveal information about a patient to anyone besides that patient without express authorization. And many people also know that they’re only entitled to view their own records.
However, healthcare professionals who treat infertility or counsel couples know that it’s not always easy to separate individuals’ health information. Patient visits may routinely involve examinations of or discussions with both individuals. Thus, clinical notes will contain a mixture of observations about both individuals as well as the couple as a whole.
What if one individual requests copies of medical records pertaining to a couple? Because the records are intertwined with those of the other party, the safest way to ensure that you’re disclosing information in compliance with HIPAA is to also obtain the other party’s consent to the release of records.
But sometimes, the other party doesn’t consent. In that situation, how can you comply with the Right of Access Rule, expeditiously handing over the patient’s records? HIPAA does not provide specific instructions about how best to handle this scenario. Some professional associations, however, have offered guidance.
The American Society for Reproductive Medicine (ASRM) addressed the privacy and confidentiality challenges of treating couples in a 2018 ethics opinion. In short, they asserted that sharing information is often crucial to providing effective, appropriate care. Therefore, whenever possible, “the reproductive dyad should sign a waiver allowing for their physician to share all clinically relevant information with both reproductive partners.”
The American Association for Marriage and Family Therapy’s code of ethics also advises marriage and family therapists to request (and hopefully obtain) written authorization from each individual affected by the record.
If a therapist cannot obtain authorization from all parties, the therapist should document in the file the reason why they withheld authorization. Then, when delivering the records to the requesting party, the therapist should make their best effort to protect the health information of those who have not authorized the record’s disclosure. If this means that if a therapist does not disclose the entirety of the requested record, it’s crucial to document the reason in the patient’s record.
The Importance of HIPAA Policies
Crafting the best response to a patient who requests a couple’s records without authorization from the other party will depend heavily on the specifics of the situation. Government investigations of right-of-access violations often look holistically at practices’ written HIPAA policies and procedures. So no matter your approach, you should have well-developed policies in place to demonstrate your commitment to compliance.
A healthcare attorney will likely craft HIPAA policies and procedures in such a way as to facilitate the easy delivery of records. The attorney can advise you about how you might keep interwoven records separated (or maintain active records release forms on file, with the caveat that those can be revoked).
An experienced healthcare attorney licensed in your state can help you draft a comprehensive, customized plan that encompasses all aspects of HIPAA’s Privacy and Security Rules. Such planning can help avert the costly consequences of non-compliance.
And while it’s essential to have a plan in place for responding to records requests, talking to a healthcare attorney when difficult legal and ethical situations arise can help you understand what options you might have and what obligations you must uphold.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.