This transcript has been auto generated
00;00;00;00 - 00;00;29;11
Bryan Nowicki
Hello and welcome to Hospice Insights: The Law and Beyond, where we connect you to what matters in the ever-changing world of hospice and palliative care. Know What You Owe: HIPAA and Third-Party Requests for Patient Records in Hospice. Taylor, welcome to the podcast. I think this is your first time doing this podcast where I'm the host or where my predecessor, Meg, was the host.
00;00;29;11 - 00;00;29;26
Bryan Nowicki
Is that right?
00;00;29;26 - 00;00;32;21
Taylor Crossley
Yeah. That's right. Thanks so much for having me today, Bryan. I'm excited.
00;00;32;21 - 00;00;57;03
Bryan Nowicki
Yeah. Me too. I know you and I work a lot, so, I mean, we're we're talking with each other weekly or daily on a lot of the projects we have going on. So I'm excited to introduce you to our audience, as a real solid member of our hospice home health and palliative care team, and you've done a lot of work across all the kinds of stuff we do audits, investigation, regulatory research.
00;00;57;03 - 00;01;25;24
Bryan Nowicki
But, what I've observed, Taylor, is, is you you have an interest in and it seems you've really focused on some areas that are really helpful to our team, important to hospices and other providers out there. And that is, HIPAA and the related privacy laws and also AI, which is really top of everybody's mind. So I'm glad you're, you're, able to share some of that expertise you've developed in those two areas, in some podcast episodes for us.
00;01;25;26 - 00;01;37;29
Taylor Crossley
Yeah. I'm super excited to be here, to be able to talk about these, issues that you and I are talking about you know, on a weekly basis. It seems to be more prevalent recently, too. So it's exciting to get to share this with our audience.
00;01;37;29 - 00;01;58;13
Bryan Nowicki
Oh you bet. And from the title of this one, we're going to start out talking about HIPAA, and third-party requests for records. And then, Taylor, you and I are doing a two parter on AI. So that will be coming in the, in the weeks ahead. But why don't you kind of introduce yourself a bit, to the listeners out there so they get to know who you are?
00;01;58;14 - 00;02;25;26
Taylor Crossley
Yeah. Thanks so much. So my name is Taylor Crossley. Like Bryan mentioned, I've been practicing here at Husch since I started practicing law. And I've had the, great honor and benefit of getting to work with the hospice team, and help hospice providers, you know, through their audit matters, but then also, I've really started to develop this focus on privacy and security matters and, making sure that providers kind of know the ins and outs of HIPAA.
00;02;25;29 - 00;02;46;21
Taylor Crossley
But also know the ins and outs of more stringent, federal privacy laws and state privacy laws. So, like you mentioned, that's a that's a core piece of my practice. And something I really enjoy helping providers work through is these document requests, which is what we're going to talk about today. But then also just creating more, innovative patient care.
00;02;46;27 - 00;03;03;16
Taylor Crossley
And I think that really touches on the AI topic we're going to talk about as well. And all of those privacy and security considerations, quality considerations that you have to take into account whenever your, expanding your care options and things like that. So, yeah, it's really exciting to be here today.
00;03;03;16 - 00;03;25;15
Bryan Nowicki
Great. Wonderful. Let's, let's dig in. And so we're talking today about HIPAA. And you know, I have been I've done this kind of work for a long time. And it seems several times a year, we get clients calling us because they got a subpoena, a family member of a patient or representative said they want medical records.
00;03;25;17 - 00;03;48;24
Bryan Nowicki
Maybe those requests come in writing. Maybe they come in, over the phone. Maybe there's no connection between the requester. Sometimes it might be an attorney making those requests. So we feel those from time to time. You know what? Like I said, several times throughout the year, and we thought, you know, let's let's share our collective experience and how to address these so that people kind of know what's coming.
00;03;48;24 - 00;04;01;20
Bryan Nowicki
So let's start with the reality check. Taylor, how often are hospices being pulled into litigation or investigations involving their patients that might give rise to a request for medical records?
00;04;01;24 - 00;04;29;16
Taylor Crossley
Yeah, I mean, you kind of previewed it. Bryan, it's more often than people might expect. Any time a hospice provider receives a third-party request or subpoena for protected health information, the organization has to think about both HIPAA compliance and potential litigation risks. And like you said, there's several different buckets, that we often see these requests, the ones that are most often I would say are civil litigation from families.
00;04;29;16 - 00;04;54;05
Taylor Crossley
So estate disputes, malpractice claims, wrongful death claims, and so that can involve civil litigation from the family to, you know, trying to pursue litigation against the hospice. But more often we see these kind of requests come up in, relation to litigation of other providers, that are maybe tangential to the hospice care that was provided.
00;04;54;08 - 00;05;22;12
Taylor Crossley
And then also just helping with that actual, probate administration. Often times we see personal representatives requesting records to help with their, duties as the personal representative or ultimately, the executor of the estate. So I'd say that's where the bulk of these records requests are coming, and those come really frequently. As a hospice provider, I think it's, especially frequent because, you know, hospices are for patients who are dying.
00;05;22;14 - 00;05;43;09
Taylor Crossley
And so when a patient does die, that can sometimes either lead to, contentious litigation or it can for sure lead to estate matters, making sure that the patient's estate's all wrapped up well. So, hospices, I think, get more record requests than a lot of other kind of providers, probably just because of, the kind of patients that they're serving.
00;05;43;16 - 00;06;11;26
Taylor Crossley
The second is really government investigations, which we see less frequently. And then the third is law enforcement requests, including criminal investigations. I'd say that's more than government investigations, but those law enforcement requests also are, less common than the civil litigation bucket. Regardless, third party subpoenas, document requests for protected health information, are not handled the same way as a routine patient records request.
00;06;11;29 - 00;06;33;13
Taylor Crossley
And there's not a blanket HIPAA prohibition. There's just a specific framework that has to be understood, for the hospice so that they know the starting point for every decision that follows when they do get these kind of records requests. So, overall, these these come in more often than you might think, especially given the, the posture that hospices sit in.
00;06;33;15 - 00;06;43;12
Taylor Crossley
And so it's really important that hospices and home health care providers understand this framework and are able to assess a request for records and kind of figure out what to do next.
00;06;43;13 - 00;07;05;21
Bryan Nowicki
Yeah. Something you said in there, I think is particularly important because I think when hospices get a request for records, the initial thought may be, are we in trouble? You know, what? What did we do wrong? Are we being criticized? And often that's not the case. As you said, it might be, the facility where the patient resided is really being, criticized for the care.
00;07;05;24 - 00;07;33;08
Bryan Nowicki
And we deal with those kinds of issues where, you know, the patient had a fall at a facility. It was a hospice staff on, on call or even present at the time. And the hospice is really more witness than target. And I think one of the things that, you know, might not come, first to mind, the hospice is, is reaching out to the person who made the request and asked them, is this related to an action against the hospice, against the facility?
00;07;33;08 - 00;07;44;27
Bryan Nowicki
Do you have criticisms of the hospice and try to get that kind of information? Opening a line of communication with the requester can reveal a lot of helpful information. Is that what you've found and when you've been doing these as well?
00;07;44;27 - 00;08;07;10
Taylor Crossley
Yeah, absolutely. And that's something where, you know, the hospice, whenever they first get a records request or a home health provider, whenever they first get these requests, we really recommend looping in legal counsel. Because legal counsel can do a lot of that conversing with the requester. And kind of coming attorney to attorney or attorney to paralegal, who's requesting these records?
00;08;07;12 - 00;08;31;04
Taylor Crossley
That often can lead to a really, just frank conversation about why they're requesting these records and give the hospice insight into, you know, what's the production for, what kind of records do they really need? And also quell that anxiety that you talked about whenever a hospice first gets these requests, make it clear to them that, you know, you're just the witness, as we usually are suspecting to be the case.
00;08;31;04 - 00;08;31;12
Taylor Crossley
So.
00;08;31;13 - 00;08;42;13
Bryan Nowicki
All right, well, let's jump into the framework then. What is the and walk us through this HIPAA framework and how that guides what a hospice should be thinking about in preparing to respond to these requests.
00;08;42;13 - 00;09;00;02
Taylor Crossley
Yeah. So a very high level HIPAA default rule is that covered entities cannot disclose protected health information without patient authorization. But that's that there are specific exceptions for legal process that permit or even require a hospice to disclose protected health information.
00;09;00;02 - 00;09;08;13
Bryan Nowicki
And when one definitional thing just to get out of the way, you use the term covered entities. And I know that's in the HIPAA statute. What is it? Covered it.
00;09;08;15 - 00;09;39;01
Taylor Crossley
Yeah, a covered entity broadly. It comes in three buckets. So either a health care provider, a health plan, or there's this third kind of bucket, that we don't talk about very often because very few organizations actually fall into it. Here for a provider, whenever you are a health care provider, providing patient care, as long as you are electronically billing insurance, those two things in combination kind of trigger the covered entity definition.
00;09;39;04 - 00;09;51;09
Taylor Crossley
And so hospice providers billing Medicare, are doing that electronically. And so certainly fall under the definition of a covered entity. And any provider that is billing insurance electronically is going to be a covered entity under HIPPA.
00;09;51;10 - 00;09;52;26
Bryan Nowicki
All right. Great. Please continue.
00;09;52;26 - 00;10;13;18
Taylor Crossley
Yeah, absolutely. That's a that's a great point of clarification there. So once you've disarmed it, determined that you are a covered entity, you've got that default rule that I can't disclose protected health information without patient authorization. Then you start looking at the exceptions, under HIPAA to certain times where you can release information without, patient authorization.
00;10;13;18 - 00;10;33;23
Taylor Crossley
And one of those exceptions is, legal process. And I say 1 to 1 of those exceptions. There are a bunch of kind of sub exceptions under this legal process exception. So the first one is a court order. If a judge has signed an order that expressly authorizes disclosure, then the hospice can produce what the order covers.
00;10;33;26 - 00;11;02;01
Taylor Crossley
The second exception is a subpoena without a court order. And this is where things get more complicated. So HIPAA permits disclosure in response to a subpoena that it's signed by, let's say, a court clerk or an attorney. But only if the hospice receives satisfactory, satisfactory assurances. So there's kind of this segue, right. If you've got a subpoena that's signed by a judge, then that's a court order, and you can go ahead and produce the records that are requested.
00;11;02;04 - 00;11;30;01
Taylor Crossley
And what that order actually covers. But if it's signed by a court clerk or an attorney, then you've got to get the satisfy satisfy three assurances, before producing records. So there's either kind of two avenues that you can get these satisfactory assurances. Either first, the provider receives evidence that the party requesting the records made reasonable efforts to notify the patient so that the patient or their personal representative, has the chance to object to the disclosure.
00;11;30;01 - 00;11;53;07
Taylor Crossley
Or second, the party requesting the records has sought a qualified protective order for the information from the court. So kind of going back to notifying the patient as one of the avenues for, getting those satisfactory assurances. Like I said, hospice is kind of, a specialty area where sometimes the patient is already dead whenever a record request comes into the hospice.
00;11;53;07 - 00;12;21;18
Taylor Crossley
So it's an important point that hospices know that HIPAA extends the personal representative framework to a deceased individuals. So the executor, administrator or other person with authority under applicable state law, gets to act on behalf of the dissidents. The state, kind of steps into the patient's shoes for hip purposes. And then grand jury subpoenas are kind of another area where there can be record requests to hospices.
00;12;21;21 - 00;12;44;14
Taylor Crossley
A grand jury subpoena, especially when paired with a court order, satisfies HIPAA because the legal process itself provides the procedural protections that substitute for patient notification. So, there's kind of all these different routes that you can get record requests. And you have to really be very detail oriented when looking at these requests to figure out which exception you're operating under, under HIPAA.
00;12;44;19 - 00;13;06;22
Bryan Nowicki
In those grand juries. I think the process that that is helpful for those is that grand jury process is their secret by law, as opposed to your typical court proceeding, which are public, it being the default rule. So, yeah, the additional protections of grand jury, I see how that fits into, further guarantee that this is not going to be, information that's disclosed more broadly.
00;13;06;22 - 00;13;26;06
Taylor Crossley
Right. It's always thinking about those kind of like that high level purpose of why does HIPAA exist? It exists to protect information. And if you just keep going back to that default rule that I can't disclose information without patient authorization, what's the purpose of that? Protecting, you know, the patient's information. So yeah, like you said, the grand jury, is already secretive.
00;13;26;06 - 00;13;30;16
Taylor Crossley
And so it kind of, fits the goals that HIPAA is trying to meet. Yeah.
00;13;30;23 - 00;13;54;20
Bryan Nowicki
So, you know what what, something that happens with hospices and these requests from time to time is there might be competing requests or competing interests about whether the records should be disclosed. I know you and I have worked in situations where a personal representative takes one position regarding records, but a family member who's not a personal representative takes another position.
00;13;54;20 - 00;14;05;14
Bryan Nowicki
And so you might get some people saying release him and others people saying don't release them. How do hospices, and home health agencies and other providers sort through that kind of situation?
00;14;05;14 - 00;14;27;19
Taylor Crossley
Yeah. Disputes over who has authority to consent to disclosure are very common. And so that's something to definitely be thinking about. When you're a hospice or home health care provider. So HIPAA defers to state law on who qualifies as a personal representative. So like I said, there is a rule under HIPAA that once a patient dies, their personal representative kind of steps into their shoes.
00;14;27;19 - 00;14;53;06
Taylor Crossley
And under the personal representative rule, it kind of refers back to state law on who qualifies as a personal representative. And after death, that is typically the executor or administrator of the estate. So in cases where authority is genuinely in dispute, a hospice is not obligated to produce records based on just one party's claim. So if you've got that disputing situation, that's a place to take pause.
00;14;53;08 - 00;15;17;13
Taylor Crossley
And make sure that you're fully assessing the, authority of the requester, to make sure that, you know, that you are, releasing the information properly. So if a hospice is served with a subpoena while the authority is still disputed, counsel for the organization, and this is what we recommend to our providers, is that counsel for the organization can appear before the court, explain this.
00;15;17;13 - 00;15;34;13
Taylor Crossley
HIPAA constraints on personal representatives, and rights under that standard, and then let the court issue a proper order that gives it the legal basis to disclose. So bottom line, a dispute over authority is a legitimate reason under HIPAA. To hold the record until there's clarity.
00;15;34;15 - 00;15;55;26
Bryan Nowicki
And I counsel clients that it's not your job to be the referee or umpire in deciding who wins, and not to get drawn into what could be a labor intensive process of sorting that out. I like to let the competing interest figure it out for themselves and come back to the hospice, and then get the clarity that way.
00;15;55;26 - 00;16;18;16
Bryan Nowicki
And I think to do that, it's really making sure you have open lines of communication. So that one party says, they want records that you alert to the candidates for having that authority. And say, we got this request. Anybody have a problem with that? And that sort of thing can help, allow those parties to fight among themselves about who has the authority and then come back to the hospice without getting involved.
00;16;18;21 - 00;16;38;00
Bryan Nowicki
But but kind of as you, as you kind of reference the bottom line, if you get if you have a valid request, you're going to have to produce it. And so you got to make a call on when that authority is established and presented to you and actually respond. So yeah, well, let's say we have a legitimate request from an authorized individual.
00;16;38;03 - 00;16;42;16
Bryan Nowicki
Do they hand over every piece of paper they have regarding that patient or what do they need to do.
00;16;42;16 - 00;17;10;10
Taylor Crossley
No. So HIPAA minimum necessary standard still applies. So under HIPAA minimum necessary standard, you know, we've got that default rule under Hipa that we should not be releasing protected health information without a valid authorization. If we get a valid offer authorization or we're acting under one of these exceptions, which here, under these third party document requests, we're often acting under one of the exceptions that we've been talking about.
00;17;10;10 - 00;17;35;17
Taylor Crossley
Or maybe the personal representative has signed an authorization to release the records. In either case, HIPAA minimum necessary standards are always going to apply. And that standard requires that providers only release the minimum amount of information necessary to fulfill the purpose of the disclosure. So in the case of a third party records request, the hospital should only produce what the request actually requires.
00;17;35;19 - 00;17;58;13
Taylor Crossley
If a request demands any and all records, it's likely overbroad. And it's important to know that that doesn't override those minimum necessary obligations. So hospices should be looking through the, patient medical record to kind of figure out what is actually satisfying this request. And making sure they're only disclosing the minimum amount necessary to fulfill the purpose of that.
00;17;58;14 - 00;17;59;14
Taylor Crossley
The request.
00;17;59;17 - 00;18;07;05
Bryan Nowicki
Does the HIPAA law provide any helpful guidance about how you identify that minimal necessary response?
00;18;07;05 - 00;18;36;07
Taylor Crossley
Yeah. Yeah, absolutely. So under HIPAA there are there's a definition of designated records set. And so under HIPAA, there is a right to access information and that right to access information, kind of correlates to this record request, third party record request line as well. Under the HIPAA regulations, providers only have to produce what's called the designated record set, which has a specific definition under HIPAA.
00;18;36;09 - 00;19;02;25
Taylor Crossley
And that includes medical and billing records maintained by the hospice, and any other records used to make decisions about the patient's care. So it's important to know that internal communications, kind of fall, you know, between in the gray gray area. So when you've got internal communications about a patient's care, you have to figure out if they are something that was used to make decisions about the patient's care.
00;19;02;25 - 00;19;25;03
Taylor Crossley
And that will help you determine whether the information truly falls in the designated record set that needs to be produced. Or not. And another important point, too, is to, you know, talk to the actual requester like Bryan I've been talking about. They can often give you a more, better understanding, so that you know exactly what it is that they're looking for.
00;19;25;06 - 00;19;48;21
Taylor Crossley
And it's not the hospices obligation to determine, you know, really, what is the minimum necessary amount for them to produce? It's something that the requester should be setting out in their request. So that you have, as a hospice, you know, the purpose of the request, and you're able to look at your designated record set and figure out what in the patient file actually falls within the request.
00;19;48;21 - 00;19;52;11
Bryan Nowicki
Is there anything specifically excluded from that?
00;19;52;13 - 00;20;16;11
Taylor Crossley
Yeah. Yeah. So RDS that's the designated records set. There are things that are definitely, excluded. And that's psychotherapy notes. Under HIPAA, there's a rule that psychotherapy notes are treated differently, than the rest of the medical records. So that's one thing that would be excluded from the designated records set. You know, records compiled anticipation of litigation would also be excluded.
00;20;16;13 - 00;20;45;13
Taylor Crossley
But also incident reports and administrative reports, staff scheduling and assignment records and internal quality review or peer review records. And those are the kinds of things where often we'll see, you know, personal representatives making requests for things like incident reports or staff scheduling. And those kinds of things are outside of the designated records set in the hospice can explain to the requester why those documents are not included in their production whenever they produce it.
00;20;45;13 - 00;21;05;04
Bryan Nowicki
And when we've been involved with these, I think most of the time it's a pretty clear line to draw between what's in and outside. But there are occasions and we've dealt with some recently, Taylor, where there is a bit of a gray area where maybe there were text messages or other stuff that maybe you wouldn't consider part of the medical record.
00;21;05;04 - 00;21;25;15
Bryan Nowicki
But they did refer to direct patient care. And so there can be some knotty issues from time to time. That's my experience. That's the exception. But at least want to be mindful that, you know, it's the medical record or, you know, the red the dress includes probably almost all of the medical record, but there could be some exceptions, but also stuff outside the medical record.
00;21;25;15 - 00;21;26;29
Bryan Nowicki
You got to make judgment calls on.
00;21;26;29 - 00;22;04;13
Taylor Crossley
Right? Right. That's where the that part of the regulation definition for designated records set, about records used to make decisions about the patient's care. That's where that gray area really falls. You know, which records, are were ones that we were actually using to make decisions about a patient's care. And when they fall outside the medical records, it feels like, you know, they most likely were not, that that's really where the gray area where the, you know, you got to look at the records and figure out where does it fall within the patient's care and be able to make that determination about whether it qualifies under the designated records set.
00;22;04;13 - 00;22;19;13
Bryan Nowicki
Right. So we've been talking HIPAA. That's a federal law. But the states they have their own laws that get into this area. What do you do to, to take into account whatever state law may exist in this situation? Yeah.
00;22;19;13 - 00;22;39;04
Taylor Crossley
So, hospice providers need to be aware of these state laws under HIPAA. Like I said, with the personal representative definition that falls back to state law. So that's something to be aware of in terms of the, authority of the requester. You're going to have to look back at state law to make that determination.
00;22;39;04 - 00;23;04;29
Taylor Crossley
But there's also state laws that will specifically govern the access and use of protected health information above and beyond what HIPAA requires. So, for example, with the designated records set, some state laws incorporate by reference the HIPAA right of access standards, which means the scope of a personal representative's right of access is governed by the HIPAA designated records set standard.
00;23;04;29 - 00;23;31;29
Taylor Crossley
We were just talking about, but there are some states that have privacy protections that are stricter than HIPAA. In particular, there are state laws around, well, state and federal laws around mental health records, substance use disorder records and HIV status. And those state protections apply alongside HIPAA. And not just instead of if there are two state or federal standards on the same topic, the more protective standard governs.
00;23;31;29 - 00;23;58;06
Taylor Crossley
So that's when you really need to be thinking about whether there is a state or federal law that might have more stringent, more protective standards on the medical records than HIPAA does. So one good example is at the federal level, there is a statute and corresponding regulations 42 CFR part two, which govern federally assisted substance use disorder programs and substance use disorder records.
00;23;58;08 - 00;24;23;17
Taylor Crossley
And those regulations can significantly limit the disclosure of substance use disorder records. Even when a provider has received a subpoena or other legal demand, there might be additional requirements. There are additional requirements for reduced, producing substance use disorder records. And then at the state level, there are often states that regulate protected health information higher than HIPAA does.
00;24;23;17 - 00;24;52;00
Taylor Crossley
So for example, New York imposes stricter consent requirements for disclosure of mental health records than HIPAA requires. And they define mental health records. And what kind of protections providers have to put on those kind of records. And there's another law in New York that provides heightened protections for HIV related information. So, again, there's these kind of subcategories mental health records, substance use, HIV status, you know, specially protected information as well.
00;24;52;00 - 00;25;14;18
Taylor Crossley
I like to call it where you need to be thinking about is this information protected just by HIPAA, or is there a federal or state law that might provide additional protections because HIPAA is really just the floor? It sets the federal floor, but it doesn't set a ceiling. States can impose stricter privacy protections. And those stricter standards will control.
00;25;14;18 - 00;25;29;25
Bryan Nowicki
All right. Well, let's get practical. Let's say, that the provider has a subpoena, maybe a demand for records, maybe it's, aggressive demand from an attorney or a friendly demand from a family. They get it, on a Tuesday morning. What do they do next? The hospital, the.
00;25;30;00 - 00;25;55;00
Taylor Crossley
Yeah, yeah, the first thing is don't start pulling records or produce anything until you get legal involved. So your first step is route it immediately to your compliance officer or general counsel. Who should contact outside counsel if needed. A records request shouldn't stay with the medical records staff because of all of the intricate details of analyzing these requests that we've been talking about so far.
00;25;55;02 - 00;26;20;28
Taylor Crossley
You need to make sure that you've got an attorney's eyes on it so that they can determine what kind of request it is. Is it a court order? Is this a subpoena with a court order attached? Is a subpoena without a court order? Is it a grand jury subpoena? A law enforcement request? You know, these are all the kinds of questions that legal will be asking, to then determine exactly what the hospice has to do in response to their request.
00;26;21;00 - 00;26;42;23
Taylor Crossley
Additionally, whenever you route it over to your legal, you should note the deadlines, if any, in the record request. So, oftentimes we'll see that court orders will have a, demand, for an aggressive timeline for the hospitals to produce records, maybe a self-imposed seven day deadline. And, missing those deadlines can create its own problems.
00;26;42;23 - 00;27;07;27
Taylor Crossley
So that's something to be taking into account as well. And then another thing to think about is preserving the records when you get this records requests, once the hospice is on notice, a potential litigation or a legal demand, which hopefully isn't the case, you know, but if it is, a litigation hold may attach, so records that would otherwise be destroyed in the normal course should be preserved at that time as well.
00;27;07;29 - 00;27;26;02
Taylor Crossley
And then once you've gotten that request routed to legal, they've had a chance to review it, figure out where it falls on the, hyperscale, in terms of production, and then you'll be able to produce the records as counseled by legal. So counsel can help you make legal determinations of the validity of the request under HIPAA.
00;27;26;04 - 00;27;48;01
Taylor Crossley
You know, is this person validly a personal representative under state law or is this something that needs additional, additional satisfactory assurances? Do we need a court order to make you, make you think about those things, figure out what the next steps are, and then can also help you make strategic decisions about what records to produce, depending on the circumstances surrounding the request.
00;27;48;01 - 00;28;09;22
Bryan Nowicki
And another, issue that comes up is who did these people request the records from or who did they subpoena? There's no state laws differ on how you subpoena or request medical records. You make it to the hospice, to the records custodian of the hospice. But we've seen subpoenas issued to a nurse employed by the hospice saying, give me the medical record.
00;28;09;22 - 00;28;30;07
Bryan Nowicki
Well, the medical record is not that nurse’s to produce. And so there may be an issue with who did they make this request to that you'd have to go back to the requester and explain this is not a legitimate request, because you subpoenaed an employee of the hospice who is not the custodian of the records. So, they often kind of cut to the chase and they know who they want to be a witness.
00;28;30;07 - 00;28;46;18
Bryan Nowicki
But it's important that we be a, kind of monitor there, jumping through all the appropriate hoop, when they're starting to make these records requests. What are some common mistakes that you see, when providers are responding to these kinds of requests?
00;28;46;18 - 00;29;14;22
Taylor Crossley
Yeah. So I'd say one of the big mistakes is, over disclosure. That's kind of the first mistake that an organization can make is treating it like a routine records request. Pull the chart and send the records. And that's likely more than they're obligated to provide. So over disclosure is one common mistake we see without actually sitting down and thinking about all of these points that we've been talking about today, just pulling the pull on the record and sending it over.
00;29;14;22 - 00;29;37;08
Taylor Crossley
That's one thing that we really recommend against. The opposite can also happen under disclosure. So, sometimes, you know, the organization might panic about HIPAA, refused to produce anything. And that ends ends up in the hospice in a non-compliant position. And so those are two kind of big things to be thinking about is the amount of information to produce.
00;29;37;11 - 00;30;04;25
Taylor Crossley
And hopefully going through this process that we've been talking about, you can avoid those two big mistakes. Some other common mistakes are not logging disclosures. Every disclosure of protected health information under HIPAA, needs to be documented in the accounting of disclosures. Another big issue is not verifying authority. So make sure that you're not producing records to someone who turns out not to have the legal authority to request them.
00;30;04;27 - 00;30;22;07
Taylor Crossley
Because that is a HIPAA violation regardless of what the person claims. And then the kind of final big point is I've seen providers sometimes just let the medical records department handle it alone. You know, they they see these requests all the time and they get, you know, requests for access. And so you can just do it on, on your own.
00;30;22;07 - 00;30;45;10
Taylor Crossley
And those are the situations, where we really want to remind providers that a request for access to information is something the medical records department can certainly handle by themselves from a patient. It's when you get these third-party requests, a subpoena, a court order. That's when legal analysis is required every time. And you don't want to produce without doing that first.
00;30;45;11 - 00;31;08;22
Bryan Nowicki
Well, great. Taylor, this has been extremely helpful. And all the the practical guidance you gave, it seems like as you compile, a provider out there can take your guidance and compile a process so that this is not something they're putting together when they receive it for the first time, but they have this in advance. They can then be methodical about it and make sure they're they're following the right process.
00;31;08;22 - 00;31;23;02
Bryan Nowicki
That's going to lead to a compliance result. So great information Taylor. Thanks for sharing all of this. And thanks to the, listeners out there for welcoming Taylor into the podcast. And I'm sure you're going to hear more from Taylor in the coming week. Thanks, Taylor.
00;31;23;05 - 00;31;27;06
Taylor Crossley
Thanks so much for having me, Bryan.
00;31;27;08 - 00;31;47;08
Bryan Nowicki
That's it for today's episode of Hospice Insights: The Law and Beyond. Thank you for joining the conversation. To subscribe to our podcast, visit our website at huschblackwell.com or sign up wherever you get your podcasts. Until next time, take care.