When a student needed his physician’s note to return to school, a social worker from the clinic, which is part of Stormont Vail Health in Topeka, Kansas, faxed a letter confirming the patient was under the physician’s care. But she included medical records with protected health information (PHI) at the physician’s request. Although the authorization from the mother was on its way to the clinic, it wasn’t in hand at the time the PHI was faxed to the school.
The snafu was brought, as a HIPAA concern, to the attention of Barbara Duncan, HIPAA privacy officer at Stormont Vail Health, who saw it as a dual teachable moment for employees: the authorization must be received before disclosing PHI, and some requests for medical records should automatically be referred to the release of records department. “Somebody was being very helpful and released some medical records, and they were not the person who should have been releasing the medical records, and the way they did it was not the appropriate way,” she said. It’s happened before: this is the health care world, and people have a bent for caring and helpfulness. But sometimes they go overboard, although, ironically, employees also have been known to hold back when they are permitted to disclose PHI because of HIPAA anxiety or misapprehension.