Custodians of records, in following Federal law, will deny record requests that fail to follow HIPAA requirements, ensuring the patient consents to his or her protected health information being released to a third party. To prevent your HIPPA authorization from being rejected and delays in record delivery time, always review your authorization to ensure it avoids the top 10 reasons patient medical authorizations are denied.
A medical records release form containing wrong patient information is certain to result in rejection. A provider will deny a request when the patent’s last name has changed (ex: woman changing her name after marriage), dates of birth are inverted, or the patient’s address has changed. Even small mistakes can cause release forms to be rejected.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects patient privacy by preventing the unauthorized disclosure of medical records, which the Act defines as “protected health information” or PHI. The Department of Health and Human Services has a comprehensive question and answer section that covers the essential required elements that must be included in medical records release forms.
Some medical providers will only disclose PHI if their own HIPAA release form is completed and submitted. Ontellus has a robust Authorization Library for your use. With many years of experience, any time we learn a provider requires their own HIPAA release, it is added to our Authorization Library. Ontellus also has established relationships with providers across the country, and the ability to notify you right away if your release form does not meet the provider’s requirements.
The Privacy Rule requires that an Authorization contain either an expiration date or an expiration that relates to the purpose of the use or disclosure. Submitting an expired medical records release form will result in the provider denying your request. Litigation can span several years in some cases. To ensure your Authorization remains up-to-date, it is recommended to state the Authorization will expire “one year from the date the Authorization is signed,” or “upon the minor’s age of majority.” Any ambiguity in the expiration date, such as “during the life of the claim” can result in rejection.
Claimants or plaintiffs are typically asked to sign HIPAA Authorizations early in the claims handling process, at their initial meeting or during the client intake process. There are times when getting a signature is overlooked. If an Authorization is missing the patient’s signature, the provider is certain to not comply with the request. Using a record retrieval partner, such as Ontellus, can help identify missing information prior to submitting the request to the provider.
There are times when additional supporting documents need to accompany the Authorization. For example, if the patient is deceased, the provider may want to see a copy of the death certificate or, if someone has signed on behalf of a minor child, proof of Legal Guardianship may be required for records disclosure.
When an Authorization must be signed by an authorized patient representative on the patient’s behalf (ex: in cases of a deceased individual, minor child, incompetent adult), a copy of the document that authorizes the representative to sign the release needs to be provided. This can take the form of a power of attorney, a copy of the letters of authority appointing a personal representative (called an executor or administrator in some states) for an estate or a court decree appointing a guardian for the patient.
Failing to include all the required information will result in a denial of your request, creating delays that could have otherwise been avoided. If any information is incomplete, providers will send it back.
Authorization also must clearly state the name of the parties with whom medical records can be shared or disclosed. Providers require the name or other specific identification of the person(s), or class of persons, to who the provider may make the requested disclosure. In addition, the specific person(s)/entity must be identified on the Authorization itself. Including a cover sheet or other document stating who should receive the information is often rejected by the provider.
While an Authorization is valid if it authorizes the provider to disclose an "entire medical record", "complete patient file” or “any and all records,” the provider might find it to not be sufficiently specific and deny the request. Protected health information encompasses a wider range of information than that which is typically understood to be included in the medical record (i.e. mental health records), and individuals are less likely to understand the breadth of information that may be defined as "protected health information."
Have questions surrounding your Authorization? Ontellus is here to help.