Q&A: Sending patient records to a physician's office

Q. A physician's office in a neighboring state calls to say they need our emergency department records for a patient who is calling from home for pain meds. They say they need the records (without the patient's written consent) before they can make their decision about the meds.

Nothing in the chart shows a relationship between this physician and the patient. The answers I get seem to have a lot of gray areas:

• Insist on the patient's signature
• Let the physician sign the authorization
• Call the patient and ask if it's okay (impossible to do given the volume)
• Accept a fax cover letter request as "proof" of them being "another provider"

This happens nearly every day in one form or fashion. Inconsistency is not an acceptable practice. What's the best practice?

A. The physician’s office in the neighboring state is a CE under HIPAA and must comply with the Privacy Rule. If it is likely this office is treating the patient (i.e., the office is located near the home address you have on file for the patient), you may accept their word that they are treating the patient. The Privacy Rule allows healthcare providers to release information for treatment purposes without the patient’s authorization or consent. If you are suspicious that the request is not legitimate, it would be reasonable to ask the physician’s office to submit a request in writing (sending it via fax machine is acceptable) or call the patient to confirm the patient wants the information released.

Editor's note: This question was answered by Mary Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.