HIPAA & Medical Records for the CPOA Exam

HistoryHIPAACPOA

HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that establishes national standards to protect patients' medical information. Understanding HIPAA and proper medical records practices is essential for every CPOA, as violations can result in significant penalties for both individuals and practices.

Protected Health Information (PHI)

Protected Health Information (PHI) is any information that identifies a patient and relates to their health, healthcare, or payment for healthcare. PHI includes:

Name, address, date of birth, Social Security number, phone number, email address
Medical record numbers, health plan numbers
Dates of service, admission, discharge
Photographs that could identify a patient
Any other identifier that could link information to a specific individual

PHI may be in written, electronic, or oral form. All three forms are protected under HIPAA.

The Minimum Necessary Standard

HIPAA requires that only the minimum amount of PHI necessary to accomplish the intended purpose is used or disclosed. This means:

Staff should access only the patient information needed for their specific role.
Medical records should include only the information necessary for clinical care and billing.
When releasing records, only the records requested and authorized should be provided.

The minimum necessary standard does not apply to disclosures for treatment purposes. A physician treating a patient may access all relevant records. However, front desk staff do not need to access clinical notes unrelated to their administrative role.

Patient Rights Under HIPAA

Patients have specific rights regarding their health information:

Right to access: Patients can request copies of their medical records. The practice must provide them within 30 days of the request.
Right to amend: Patients may request corrections to their records if they believe information is incorrect or incomplete.
Right to an accounting of disclosures: Patients can request a list of who has received their PHI for purposes other than treatment, payment, or operations.
Right to restrict: Patients may request restrictions on how their PHI is used or disclosed.
Right to confidential communications: Patients may request that communications be sent to a specific address or phone number.

Medical Records Documentation Standards

Proper medical record documentation must be:

Accurate: Record what was done and observed, not what should have been done.
Complete: All required elements of the visit documented.
Timely: Documentation completed at or near the time of service.
Legible: Electronic records should use standard abbreviations; handwritten notes must be readable.
Signed: Each entry must be authenticated by the responsible clinician.

Never alter or delete a previously documented entry. If a correction is needed, draw a single line through the error, write the correction, and sign and date the correction.

Altering a medical record (especially when there has been an adverse event or complaint) is a serious legal offense that can result in criminal charges and complete destruction of a legal defense. If an error is discovered, correct it properly with a dated addendum, never by erasing or deleting the original entry.

Release of Medical Records

PHI may only be released to third parties with a valid signed authorization from the patient, except for authorized disclosures (treatment, payment, healthcare operations, public health reporting). Key points:

A signed authorization must specify what records are being released, to whom, for what purpose, and the expiration date or condition.
Verbal or implied consent is not sufficient for releasing records to other providers, family members, or insurance companies.
Records must be released to the patient themselves without requiring a stated reason.

Key Takeaways

PHI includes any information that identifies a patient and relates to their health, care, or payment for care.
The minimum necessary standard limits PHI access and use to what is needed for the specific purpose.
Patients have rights to access, amend, and restrict their records under HIPAA.
Medical records must be accurate, complete, timely, legible, and authenticated.
Never alter or delete prior entries; use dated addenda for corrections. Release records only with signed authorization.

Frequently Asked Questions

What is the difference between HIPAA's Privacy Rule and Security Rule?

The HIPAA Privacy Rule establishes standards for the use and disclosure of Protected Health Information (PHI) in any form, including oral, paper, and electronic. It defines patient rights and limits who can access and receive PHI. The HIPAA Security Rule applies specifically to electronic PHI (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards to protect ePHI from unauthorized access, alteration, or destruction. In practical terms, the Privacy Rule governs conversations, paper records, and all PHI; the Security Rule specifically governs electronic systems, networks, and data storage.

Can a patient's spouse receive copies of their medical records without the patient's authorization?

No. Under HIPAA, a patient's medical records are private and may not be released to family members, including a spouse, without the patient's signed authorization, unless the patient has previously designated the spouse as a personal representative with legal authority to access their records (such as through a healthcare proxy or power of attorney). Even if the spouse is paying for the care or is the insurance policyholder, this does not grant them access to the patient's PHI. Always verify patient authorization before releasing records to any third party.

How long does a practice have to provide medical records in response to a patient request?

Under the HIPAA Privacy Rule, a covered healthcare provider must respond to a patient's request to access their records within 30 calendar days of the request. If the records are not kept onsite (such as in an off-site archive), a one-time 30-day extension is permitted, but the practice must notify the patient of the delay and the reason within the original 30-day window. Many states have shorter deadlines, and some practices respond more quickly as a matter of service. Denying a patient access to their own records is generally not permitted except in specific, limited circumstances defined by law.

What is the proper way to correct an error in a paper medical record?

To correct an error in a paper medical record: draw a single horizontal line through the incorrect entry so it remains legible; write 'error' or 'correction' above or beside the line; write the correct information; sign or initial the correction; and date the correction. Never use white-out (correction fluid), scribble over the error to make it illegible, tear out pages, or delete electronic entries. The goal is to maintain a complete, accurate audit trail showing what was originally recorded, who recognized the error, and what the correct information is. Altering records to conceal errors, especially in the context of litigation, is a criminal offense.

What is a Business Associate Agreement (BAA) and when is it needed?

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity (such as an eye clinic) and a business associate (any third-party vendor that creates, receives, maintains, or transmits PHI on the covered entity's behalf). Examples of business associates requiring a BAA include: electronic health record software vendors, billing services, transcription services, cloud storage providers, IT support companies with system access, and shredding companies. The BAA specifies how the business associate may use and protect PHI and requires them to implement appropriate safeguards. Failing to execute BAAs with business associates is a common HIPAA compliance gap.