Indian Health Service: The Federal Health Program for American Indians and Alaska Natives

 

Health and Medical Records System Q&A's

The information on this page was removed for updates. If you have any questions, please contact your Area Privacy Act Advocate or the IHS Privacy Act Officer.

The following are basic questions and answers regarding Privacy Act system of records: 09-17-0001, Indian Health Service Health and Medical Records, HHS/IHS/OHP. The answers are of a general nature and may not apply to your specific situation. When in doubt, do not disclose medical record information until you have consulted with the appropriate Privacy Act staff.



  1. System name
  2. System location
  3. Categories of individuals covered by the system
  4. Categories of records in the system
  5. Authority for maintenance of the system
  6. Purposes
  7. Routine uses of records maintained in the system
  8. Storage
  9. Retrievability
  10. Safeguards - authorized users
  11. Safeguards - physical
  12. Safeguards - procedural
  13. Safeguards - implementing guidelines
  14. Retention and disposal
  15. System manager(s)
  16. Notification and access procedures
  17. Requests in Person
  18. Requests by mail
  19. Requests by Telephone
  20. Parents or Legal Guardians
  21. Contesting record Procedure
  22. Record source categories
  23. Systems exempted from certain provisions of the act
  24. Miscellaneous Questions



SYSTEM NAME

1. Are IHS patient medical records covered by a Privacy Act System of Records?

Answer: Yes. The official name of the system of records is, "09-17-0001, Indian Health Service Health and Medical Records System, HHS/IHS/OHP".




SYSTEM LOCATION

2. Where are the IHS patient medical records located?

Answer: The IHS medical records are located throughout the IHS system wherever patient care is provided by IHS staff or IHS contractors.




CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM

3. Are all the IHS medical records, including those of non-Indians (non-IHS beneficiaries), covered by the Privacy Act?

Answer: Yes. The Privacy Act covers the records of all individuals who receive health care services from the IHS.




CATEGORIES OF RECORDS IN THE SYSTEM

4. What types of records are covered under the IHS Privacy Act system of records for medical records?

Answer: There are two major categories of records covered in the IHS medical records system:

  1. A variety of health and medical records concerned with patient care, such as: patient's name, address, date of birth, tribal affiliation, Social Security Number (voluntary); medical history, diagnosis, treatment records, dental records, nursing logs, treatment logs, laboratory and x-ray records; social services records; disease registries; and
  2. Third-party billing and reimbursement records, such as: patient's name, address, date of birth, Social Security Number (voluntary); date of admission; Medicare or Medicaid claim numbers; health plan name, insurance number; employer's name and address, employment status; and other relevant claim information necessary to process and validate billing and third-party reimbursement claims.




AUTHORITY FOR MAINTENANCE OF THE SYSTEM

5. Under what authority does the IHS maintain medical records?

Answer: Congress has passed a number of laws that authorize IHS to provide health care services and thereby maintain patient medical records. These are: Indian Self Determination and Education and Assistance Act (25 U.S.C. 450); Snyder Act (25 U.S.C. 13); Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.); Indian Health Service Transfer Act (42 U.S.C. 2001-2004); Section 321 of the Public Health Service Act, as amended (42 U.S.C. 248), Hospitals, Medical Examinations, and Medical Care.




PURPOSES

6. What are the purposes of the IHS medical records?

Answer: There are nine (9) stated purposes for maintaining the IHS medical records:

  1. to provide for patient care and treatment;
  2. to provide statistical data for program evaluation;
  3. to communicate patient care information among providers;
  4. to serve as official documentation of patient care;
  5. to contribute to continuing education of IHS staff;
  6. for disease surveillance;
  7. to compile and provide aggregated program statistics;
  8. to process, document, and monitor third-party billing and reimbursement claims; and
  9. to improve the IHS national patient care database by verifying patients' Social Security Numbers with the Social Security Administration.




ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM

7. Are routine use disclosures to third parties outside HHS permitted from IHS patient medical records?

Answer: Yes. The IHS medical records system contains 16 routine use disclosures. The complete text of the routine uses is published in IHS Privacy Act system notice 09-17-0001. The Privacy Act System Manager or designee is the only person authorized to release records subject to the Privacy Act. Prior to disclosure, the records should be checked for accuracy, timeliness, relevancy, and completeness. Routine use disclosures must be documented on IHS form 505, Disclosure Accounting Record.

8. Can IHS staff release information from a patient's medical record, including a minor's, who has been admitted for drug or alcohol treatment without the knowledge and approval of the patient or parent(s) of the minor patient?

Answer: Consult with your local Privacy Act staff. If a patient receives treatment, or referral for treatment, for alcohol and drug abuse, then the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations (42 CFR Part 2) may apply.

9. Can IHS staff release information from a patient's record to a State, local or other health care organizations which provide health services to American Indians without the knowledge or approval of the patient?

Answer: Yes. In accordance with routine use #1.

10. Are there limitations on sending a patient's medical history to another health care facility for a referral/consultation?

Answer: Yes. In accordance with routine use #1, records may be disclosed in part or whole to another health care facility. However, only information which is necessary to the patient's treatment should be released to the requesting facility.

11. Can IHS release information from a minor's medical record to a school serving American Indians if the minor is attending that school?

Answer: Yes. The information can be released under routine use #2, for purposes of student health maintenance.

12. Can IHS release information to schools regarding children's eye examinations?

Answer: Yes. In accordance with routine use #2.

13. Can medical record information be disclosed to a State utilization review board or in response to a quality assurance or medical audit without the knowledge or approval of the patient?

Answer: Yes. In accordance with routine use #3.

14. Can information from a patient's medical record be released to organizations or individuals conducting IHS-sponsored analytical or evaluation studies?

Answer: Yes. Routine use #4 permits such releases.

15. Can information from a patient's medical record be released to organizations or individuals conducting non-IHS-sponsored analytical or evaluation studies?

Answer: Yes, provided the procedures outlined in routine use #6 are followed.

16. Can information from a patient's medical record be released in response to a request from the Congressional office of a U.S. Senator or U.S. Representative?

Answer: Yes. In accordance with routine use #5, information can be released if the patient has made a written request that his/her Congressman act on his/her behalf. A copy of the patient's request should be attached to the Congressional inquiry.

17. Can information from a patient's medical record be released for research or statistical purposes?

Answer: Yes, but only in accordance with the procedures and requirements set forth in routine use #6.

18. Can information from a patient's medical record be released for research or statistical purposes if it contains information on alcohol and/or drug abuse?

Answer: Yes, in accordance with the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations, records identifying patients may be disclosed for research, audit, and evaluation purposes. See 42 CFR section 2.52 Research Activities and section 2.53 Audit and Evaluation Activities. However, it is usually recommended to seek and receive patient consent.

19. Can information from a patient's medical record be released to Federal, State, or local authorities regarding a criminal investigation?

Answer: Yes, in accordance with routine use #7, provided that such a request is in writing from the head of the requesting Agency.

20. Can information from a patient's medical record be released to Federal, State, or local authorities regarding a criminal investigation if the information concerns alcohol and/or drug abuse?

Answer: Yes, if there is a court order signed by a judge or the patient signs a release of information form.

21. Can IHS release information regarding alcohol and/or drug abuse from a patient's medical record in response to a criminal investigation where child abuse is suspected?

Answer: Yes, but generally a court order signed by a judge is required (42 CFR §2.65). However, this information is also releasable to appropriate State and local authorities in accordance with State law. See routine uses 7 and 8.

22. Can IHS release information from a patient's medical record regarding communicable diseases or tumor registries?

Answer: Yes, in accordance with routine use #7.

23. Can IHS release information from the records of a deceased infant to the appropriate authorities if child abuse is suspected?

Answer: Yes, but such a release would have to be made under the Freedom of Information Act (FOIA). The Privacy Act only applies to living persons.

24. Can IHS release information from a child's medical record if child abuse is suspected?

Answer: Yes, under routine use #8, IHS health care providers (i.e. Physicians, Child Psychologists, Social Workers, etc.) may disclose such information to: (1) Federal, State, and Indian tribal agencies that have a need to know in the performance of their duties; and (2) members of community child protection teams.

25. Can IHS release information from a patient's medical record to the Department of Justice if a HHS health care provider or facility is being sued?

Answer: Yes, in accordance with routine use #9.

26. Can IHS release information from a patient's medical records regarding children with disabilities?

Answer: Yes, in accordance with routine use #10; however, such disclosures may only be made to the Bureau of Indian Affairs or its contractors.

27. Can IHS release patient medical records to IHS contractors for data entry or record maintenance?

Answer: Yes, in accordance with routine use #11.

28. Can IHS release medical records to IHS contract health providers, and do Privacy Act requirements apply to these providers?

Answer: Yes, in accordance with routine use #12, medical records can be released to IHS contract health providers (including tribal contractors) in order to provide health services. The contract health providers must maintain Privacy Act safeguards for such records. The contract itself must contain a provision stating that the Privacy Act applies.

29. Can IHS release medical records to the State of Alaska, Department of Health and Social Services (DHSS) to assist in providing health care services?

Answer: Yes, in accordance with routine use #13. However, IHS may only release medical records pertaining to the State of Alaska's DHSS patients.

30. Can IHS release a minor patient's medical record to the minor's parent or legal guardian?

Answer: Only under certain circumstances. In accordance with routine use #14, medical records concerning medical services that the minor's parent or legal guardian previously authorized may be released to the minor's parent or legal guardian. Everything else in the minor's medical record would have to be forwarded to the designated representative chosen to review the record.

31. Can IHS release a minor's medical record without the minor's consent to a minor's parents or guardians, such as pregnancy testing or sexually transmitted diseases, when the procedure was carried out without parental consent?

Answer: No. When a minor received treatment for a condition that did not require parental consent, such information may not be disclosed to the parents or guardians without the consent of the minor.

32. Both parents gave consent for a surgical procedure for their minor child. The parents were later divorced. The non-custodial parent is now requesting information on the surgical procedure. Can IHS disclose this information to the non-custodial parent?

Answer: Yes. In accordance with routine use #14, the information may be released to the non-custodial parent. Any information which is released must specifically relate to the medical services that both parents previously authorized. Absent a court decree terminating the parental relationship, a parent does not lose parental rights because another has custody. This also means that a non-custodial parent can authorize the release of their minor child's medical record or obtain a copy of the child's medical record for treatment where parental consent was necessary.

33. If a grandparent becomes the legal guardian, do the biological parents still have a right to see the medical record of their minor child?

Answer: Only under certain circumstances. In accordance with routine use #14, medical records concerning services that the parents previously authorized may be disclosed. If a grandparent has permanent custody, IHS should determine if a court decree exists which may have terminated parental rights. If such a decree exists, the biological parents would not have a right to access or authorize the release of their minor child's medical record.

34. If a facility treats a minor who is in foster care, does that facility have a legal obligation to notify the biological parents of the minor's admission to the facility?

Answer: No. When an IHS facility treats a minor who is in foster care, it does not have a legal obligation to notify the biological parents of the minor's admission. However, there may be a need to notify the Court/Social Services of that jurisdiction (i.e. Foster Care), who is considered the legal guardian of the minor.

35. If a patient is infected with the Human Immunodeficiency Virus (HIV), can IHS inform his/her sexual and/or needle sharing partner(s)?

Answer: Yes, in accordance with routine use #15. The IHS must first make a reasonable effort to counsel the patient and encourage a voluntary disclosure. If IHS determines that the patient is unlikely to make the disclosure, the patient must be informed that IHS intends to inform his/her needle sharing and/or sexual partner(s). Whenever possible, such disclosures will be made by the patient's physician or a professional counselor.

36. Can volunteers be given access to IHS patient medical records?

Answer: Yes. Under routine use #16, volunteers may have access to medical records to the extent needed in the performance of their assigned duties.

37. Can the IHS Office of Third Party Reimbursements release information from a patient's medical record to the Internal Revenue Service (IRS)?

Answer: No, because:

  1. IHS does not have a routine use for such a disclosure; and
  2. Office of Third Party Reimbursements staff are not authorized to release IHS patient medical records. Only the IHS Privacy Act System Manager or designee is authorized to release records subject to the Privacy Act.

38. Can information from a patient's medical record be released to other IHS facilities, even from one Area to another Area?

Answer: Yes, if the IHS staff requesting the information have a "need to know" in the performance of their duties. Only information that is actually needed by the requesting facility should be released. This disclosure does not have to be documented on IHS release of information form 505.

39. Can information be released from a patient's medical record in an emergency situation?

Answer: Yes, in life-threatening situations a release is permitted. You must notify the patient at his last known address that you have made such a disclosure. See HHS PA Regulations, §5b.9(b)(8). This disclosure has to be documented on IHS form 505.




STORAGE

40. How is information in the IHS patient medical records filed?

Answer: The IHS files patient medical record information in a combination of file folders, ledgers, card files, microfiche, microfilm, computer tapes, disk packs, and automated files.




RETRIEVABILITY

41. How are IHS patient medical records retrieved?

Answer: The patient records are retrieved by patient name, medical record number, or Social Security Number, and are cross-indexed.




SAFEGUARDS - AUTHORIZED USERS

42. Which IHS employees are authorized to access IHS patient medical records?

Answer: Access to the IHS patient medical record is limited to IHS and IHS contractor staff who have a "need to know" in the performance of their duties. This staff may include: medical records personnel, health care providers, authorized researchers, medical auditors, health care team members, billing office and administrative staff. The IHS health facility director is responsible for developing and maintaining a list of facility staff authorized to access patient medical records.




SAFEGUARDS - PHYSICAL

43. Does the Privacy Act require that records subject to the Act be kept physically secure and safe from unauthorized disclosure?

Answer: Yes. The Privacy Act requires that IHS safeguard and secure these records when they are not actually in use during working hours and at all times during non-working hours. They must be stored in accordance with appropriate fire and safety codes. Computerized records must be stored in accordance with the safeguards developed for automated records. Record room door locks should be changed periodically and whenever an employee who has access authority resigns, retires or is reassigned.

44. Is the medical records work area, where the records are actually stored, considered a restricted area?

Answer: Yes, and it should be secured accordingly.

45. What should IHS staff tell a patient who questions why his medical records are being placed in a locked file cabinet?

Answer: The patient should be told this is standard operating procedure to ensure the privacy of the information in his/her record.




SAFEGUARDS - PROCEDURAL

46. How does IHS ensure that only authorized personnel have access to patient medical records?

Answer: Each IHS facility maintains a list of personnel or a category of personnel who have a "need to know" in the performance of their duties. Authorized users must follow sign-out procedures for all patient medical records removed from the medical records area.

47. What if an IHS staff member is not on the list of staff authorized to have access to patient medical records?

Answer: Each IHS facility should have procedures in place to grant or deny one-time requests for access to patient medical records from staff who are not on the authorized user list.

48. Are any procedures or training provided to staff authorized to access patient medical records?

Answer: Yes, authorized staff should be instructed regarding confidentiality of records, making disclosures, and the penalties for violating the Privacy Act.

49. Are procedures in place to protect and ensure the confidentiality of automated patient medical records?

Answer: Yes. These procedures include security clearance screening of staff and contractors prior to access to the automated IHS patient record files, and periodic changing of passwords and log-on codes.

50. Are contractors who run or maintain automated patient medical record systems for the IHS required to have security procedures in place?

Answer: Yes. Automated Information Systems security provisions must be specifically included in contracts whenever contractors run or maintain automated IHS patient medical record systems.




SAFEGUARDS - IMPLEMENTING GUIDELINES

51. Are there guidelines for safeguarding Privacy Act records?

Answer: Yes, the General Administration Manual, HHS Chapter 45-13, "Safeguarding Records Contained in Systems of Records;" supplementary Chapter PHS.hf:45-13; and the HHS, "Automated Information Systems Security Program Handbook."




RETENTION AND DISPOSAL

52. How long does IHS keep patient medical records?

Answer: The records are retained in accordance with the IHS Records Disposition Schedule. Inactive patient medical records are kept anywhere from 3 to 7 years at the facility, then transferred to a Federal Records Center for seventy-five (75) years. All records must be retained in a usable format for the life of the record.




SYSTEM MANAGER(S)

53. Are there Privacy Act System Managers for the IHS medical records system?

Answer: Yes, the IHS Privacy Act System Managers are the Area and Service Unit Directors. A complete listing of the system managers is set forth in 09-17-0001, IHS Health and Medical Records Systems, HHS/IHS/OHP, Appendix 1. Appendix 2 contains a listing of the Federal Archives and Records Centers.

54. During evenings and weekends, who is the IHS official at the facility (Service Unit) level responsible for deciding whether information from a patient's medical record may be released to the patient or a third party?

Answer: The facility (Service Unit) Director (Privacy Act system manager) should designate in writing those individuals authorized to release information from a patient's medical record during non-regular hours (5pm-8am, weekends, and holidays).




NOTIFICATION AND ACCESS PROCEDURES

IHS has published detailed instructions regarding notification and access procedures to patient medical records in the Notification and Access Procedure sections of the system notice.

55. Can patients see their own medical record?

Answer: Yes, but only with the approval of the responsible IHS official and the assistance of a health care provider. Refer to HHS Privacy Act Regulations, section 5b.5.

56. Can a patient gain access to or get a copy of his/her medical record?

Answer: Yes. The patient must designate in writing a representative (this may be an IHS health professional) who is willing to review the medical record and inform the patient of its contents at his/her discretion. If the IHS responsible official determines that there is nothing in the medical record that would have a negative effect on the patient, the patient may be given access to his medical record. However, if the responsible official cannot reach a decision on the matter, the medical record will be forwarded to the patient's designated representative. The patient should be informed in writing that his medical record has been forwarded to the designated representative.




REQUESTS IN PERSON

57. Can a patient gain access to her medical record if it is filed under her maiden name?

Answer: Yes. The patient must first provide evidence that she is the person to whom the medical record applies. The notification procedures must be followed.

58. What types of identification (I.D.) are required from a patient to access their medical record?

Answer: A driver's license or other official photo I.D. is preferred. However, if the individual is personally known to the IHS medical records employee, a note to that effect can be put in the patient's medical record and the patient may be given access to their own record, provided procedures are followed. If no I.D. is available, and the individual is not known to the medical records staff, the individual may attest in writing that he/she is the person to whom the record applies. Individuals attesting to their identity should be informed of the penalties for requesting records under false pretenses.

59. What if a person doesn't know how to write?

Answer: They should make their mark on the release form and have it verified in writing by two witnesses.




REQUESTS BY MAIL

60. Can patients request a copy of their medical record through the mail?

Answer: Yes. Written requests must contain the patient's name, address, D.O.B., and, if possible, the Social Security Number, as well as the patient's signature, and must indicate a knowledge of something distinctive about the record, such as dates of service or treatment, or date of a past admission to a particular IHS facility, etc.

61. What is the best way for a patient to request access to his/her own medical record?

Answer: The preferred manner for a patient to gain access to his/her medical record is to put their request in writing. The IHS facility should respond within 10 working days. A patient can also make his/her request in person, with proper I.D.




REQUESTS BY TELEPHONE

62. If a patient requests information from his/her medical record over the phone can IHS staff provide the information?

Answer: No. Since positive I.D. of the caller cannot be established, telephone requests are not honored.

63. What should IHS staff do if they receive a telephone call from the local police, who want to confirm an inmate's medication or request information from the inmate's medical record?

Answer: The process should be as follows: (1) callers should be referred to the medical records staff; (2) medical records staff should take down the information being requested and get the name and number of the individual requesting the information; and (3) medical records staff should contact the Privacy Act staff, who will determine whether to release the information. In emergency, life-threatening situations, this information may be released.

64. How should staff handle outside calls for medical record information regarding third-party payments under a health plan?

Answer: Take down the information being requested, the name and telephone number of the person requesting the information, and refer it to the Privacy Act staff, who will determine whether the information will be released, or follow Service Unit written policies and procedures.

65. What information about a patient's medical condition or stay in an IHS hospital can IHS staff release to outside callers who are: (1) immediate family members; (2) friends and relatives; or (3) other third parties?

Answer: Be aware that telephone requests for patient status are probably the easiest way to lose control of confidential information. Depending on the patient's condition, suggest that the patient designate a particular friend or relative as a spokesperson, to whom others can be referred for further information. The patient may request that no one be told that he/she is in the hospital or that only certain information be given out. These wishes should be respected. If there is a newsworthy event (accident, assault, shooting, suicide, etc.), it is advisable to designate one or more hospital or health facility staff to assume the role of spokesperson to respond to the media. Answer general questions, but do not provide detailed information or photographs.

If the patient is being treated for alcohol or drug abuse, the more restrictive regulations regarding the confidentiality of alcohol and drug abuse patient records may apply. Assuming this is not the case, information on the patient's condition (stable, fair, critical, etc.) may be released. The particular ward, unit, clinic, diagnosis, prognosis, or treatment being provided should not be released if it would reveal items of a sensitive nature.

66. The IHS staff received a telephone call from the HHS Office of the Inspector General (OIG) requesting information from a patient's medical record. Can IHS disclose the information to the OIG?

Answer: The IHS Privacy Act staff should request a written explanation of why the HHS OIG is requesting the information. Once the justification is obtained, the release is permissible within HHS to HHS employees who have a need for the records in the performance of their duties.




PARENTS AND LEGAL GUARDIANS

67. Are parents or legal guardians required to show I.D. when requesting information from the medical record of their minor children or legally incompetent individuals for whom they are responsible?

Answer: Yes. Parents and guardians must verify their I.D. A birth certificate or legal guardianship papers may be requested or required if there is any doubt as to the relationship with the child or legally incompetent individual.

68. Are there procedures for a patient to access his/her reimbursement records?

Answer: Yes. When seeking access, the patient must provide a description of the information he/she is seeking and provide identification.

69. Can a patient find out if any routine use disclosures have been made from his/her records?

Answer: Yes. The patient can make a written request for a listing of the disclosures that have been made from his/her records.

70. Should a patient be given direct (hands-on) access to their own chart?

Answer: Patients should NOT have direct access to their medical record unless the responsible IHS official has made a determination that direct access is not likely to have an adverse effect on the subject individual, and the patient reviews the chart in the presence of IHS staff.

71. Can patients be given their charts to carry to another department within the same facility or to another health care facility?

Answer: It is preferable that charts be transmitted from one department to another or to another facility without involving the patient. However, if patients must hand-carry their own records, due to staffing or time constraints, the records should be placed in an envelope that is then securely sealed.

72. Can a patient be given direct (hands-on) access to another patient's medical record, i.e., a parent/child, husband/wife, etc.?

Answer: No.

73. What should IHS staff do if they see a patient reading their own medical record?

Answer: Politely retrieve the file and inform the patient of the procedures they need to follow to gain access to their own medical record. Find out how they came into possession of their record so that the safeguards can be improved and the proper procedures are followed.

74. Can a supervisor be given direct access to information in an employee's medical record?

Answer: If a supervisor needs to review the employee's job-related medical records in the performance of his/her duties, he/she may review the relevant records in the presence of medical records staff. However, alcohol and drug abuse patient records may be subject to more stringent disclosure rules.

75. When a supervisor requests job-related information from an employee's medical record, does the request have to be in writing?

Answer: No.

76. Is there a time limit within which a patient's request to access his medical records should be honored?

Answer: While there is no statutory or regulatory requirement, as a matter of policy, a patient's request should be honored within ten (10) working days.

77. May a patient review someone else's medical record?

Answer: No. Unless release of the requested information is permissible under the FOIA, a patient may not access information in the medical record of another patient without that patient's written consent to the review.

78. If a patient is referred to another facility (IHS or non-IHS), can the patient take their medical record with them?

Answer: No, the original patient medical record should never leave the IHS facility. A copy of the medical record should be mailed or delivered by a staff member to the referral facility. If patients must hand-carry copies of their own records to another facility, due to staffing constraints, the records should be placed in a sealed envelope.

79. Does IHS have a standard form for patients to release information from their patient medical record?

Answer: Yes. The form is the IHS-810, "Authorization for Release of Information". In order to maintain consistency, IHS staff are required to use this form. As with other authorized agency forms, this form may not be changed, modified, or altered in any manner except by the IHS forms committee.




CONTESTING RECORD PROCEDURE

80. Can a patient contest information contained in his/her medical record?

Answer: Yes. The patient will need to specify:

  1. the information being contested;
  2. the corrective action being sought;
  3. the reason for requesting the correction; and
  4. produce supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. See also, HHS Privacy Act Regulations, section 5b.7.




    RECORD SOURCE CATEGORIES

    81. What sources does IHS use to develop its records?

    Answer: In addition to the patient and his/her family, IHS may obtain information from IHS health care personnel, State and local health care providers, IHS Contract Health Services (CHS), Medicare/Medicaid agencies, and the Social Security Administration.




    SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT

    82. Are any IHS systems exempted from certain provisions of the Act?

    Answer: No.




    Miscellaneous Questions About IHS Medical Records System
    1. General Questions
    2. Social Security numbers
    3. Privacy act violations



    GENERAL QUESTIONS:

    1. If a copy of a birth certificate or tribal enrollment form is in the patient's IHS medical record, can IHS staff give a copy to the patient because the patient lost the original and requests a copy?

    Answer: Yes. The patient has a right to a copy of any record in his/her file.

    2. May information from a deceased person's (child or adult) medical record be disclosed to the public?

    Answer: Contact your Area/Program office Privacy Act Coordinator if you receive such a request. The request for access to the medical record of a deceased person must be treated as a FOIA request.

    3. Are the medical records of a deceased patient subject to the Privacy Act?

    Answer: No. The Privacy Act only applies to living individuals. Access to the records of a deceased individual must be made through the FOIA procedures.

    4. What do you do when the emergency room of another facility requires medical information concerning previous medications given to someone being treated for acute alcoholism? Can such information be released?

    Answer: It depends. Pursuant to 42 CFR Part D, sec. 2.51, disclosure of a diagnosis, prognosis, referral or treatment of alcohol or drug abuse may be made without the patient's consent to meet a medical emergency.

    5. How should IHS staff at the local level handle a court order for medical records information?

    Answer: Court orders (including tribal court orders) will need to be examined to see if they were issued by a "court of competent jurisdiction" as required by the Privacy Act, i.e., a court having jurisdiction over the parties and the subject matter. Staff should immediately refer all court orders to the Area Privacy Act Coordinator or the regional attorney for technical advice and assistance.

    6. Should IHS staff honor a subpoena signed by an attorney or the clerk of a court?

    Answer: No. Subpoenas for medical records, unless actually signed by a judge, are not court orders. A subpoena does not constitute "the order of a court of competent jurisdiction," as required by the Privacy Act. Also, there is no routine use allowing such a disclosure. However, subpoenas are legal documents and should be referred to the Privacy Act staff for appropriate follow-up.

    7. May IHS release medical records pursuant to a written request from a Federal agency performing a criminal investigation?

    Answer: Yes. The Privacy Act (5 U.S.C. § 552a(b)(7)) allows such a disclosure. Such a request must be submitted by the head of the requesting agency and must specify the records desired and the law enforcement activity for which the record is sought.

    8. Are there any special procedures to protect the medical records information and confidentiality of AIDS patients?

    Answer: No. The IHS has not implemented any special procedures. IHS has determined that it would only draw attention to such medical records if they were separately flagged.

    9. Can IHS staff release information from a patient's medical records to a police officer so that he/she may contact a family member to notify them that the patient is in custody due to an alcohol/drug abuse related incident?

    Answer: No. IHS staff must have a release form signed by the patient before they can release information to a police officer.

    10. Should Privacy Act responsibilities be designated in writing?

    Answer: Yes. The appropriate Privacy Act system managers (Area/Program and Service Unit Directors) are responsible for designating, in writing, staff assigned Privacy Act responsibilities. This staff includes Area Privacy Act Coordinators, Service Unit Liaisons and their alternates, if any.

    11. Should Service Unit Privacy Act staff review contracts that require a contractor to maintain or have access to the IHS Privacy Act medical records system?

    Answer: Yes, but it is the Area Privacy Act Coordinator and the IHS contracting specialist who have the primary responsibility for ensuring that the Privacy Act requirements are contained in Area contracts.

    12. Can Service Unit management staff make and keep copies of employees' SF-50's and SF-52's and maintain an unofficial personnel file?

    Answer: Yes. These records may be copied and filed at the local management level. However, only those IHS staff who have a "need to know" in the performance of their duties should have access to the information and the records must be safeguarded accordingly. Copies should be destroyed or returned when the "need to know" has expired. HHS maintains a Privacy Act system for unofficial personnel records.

    13. Can a supervisor in HHS review the Time & Attendance records of a prospective employee who is employed in HHS?

    Answer: Yes, in this instance he/she has a "need to know" in the performance of his duty, since he/she may hire the person.

    14. Can a supervisor review the Earnings and Leave statements or the SF-50's of their employees?

    Answer: Yes, if the supervisor can demonstrate a need to know in the performance of his duties.

    15. What information from a patient's medical record can be released if it contains information on alcohol and/or drug abuse?

    Answer: If the Medical Record contains information on alcohol and/or drug abuse, then the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations apply (See, 42 CFR Part 2). In summary, such records may only be disclosed: (1) to meet medical emergencies; (2) for research, audit and evaluation; (3) pursuant to a court order signed by a judge; and (4) pursuant to an authorized and qualified service organization agreement.

    16. The IHS mental health unit may maintain confidential mental health information in separate records. Should mental health prescriptions be kept in this record or in the patient's main medical record?

    Answer: Such records may be maintained in separate files, but they are part of the IHS medical records Privacy Act system.

    17. What do I do if the local Privacy Act staff are unable to answer a Privacy Act question or problem?

    Answer: If local Privacy Act staff are unable to provide an answer to a Privacy Act question or problem, request technical assistance and guidance from the Area Privacy Act Coordinator. If the Area Privacy Act Coordinator is unable to respond, they should in turn refer the matter to the Agency Privacy Act Officer at IHS Headquarters, Rockville, MD. The Office of the General Counsel and regional attorneys may also be contacted for a legal opinion. The agency Privacy Act Officer forwards copies of legal opinions to the Privacy Act field staff.

    18. When IHS makes a disclosure to a third party, is there anything the agency can do to protect against further disclosure of the information?

    Answer: Yes, when copies or other reproductions of medical records are provided to an authorized third party, the disclosure should be accompanied by the following or a similar statement:

    1. The use of the data for other than the stated purpose is prohibited;
    2. Disclosure by the (name of requesting organization) to any other party is prohibited; and
    3. All copies of the data must be destroyed after the stated purpose has been fulfilled.




    SOCIAL SECURITY NUMBERS (SSN):

    1. Can IHS request a patient's SSN?

    Answer: Yes, but IHS must inform the patient: (1) why IHS is collecting the SSN (see below); (2) that the patient is not required to provide the SSN to receive services; and (3) that the IHS has established a relationship with the Social Security Administration to obtain or verify a patient's SSN.

    2. What happens if a patient refuses to give IHS his/her SSN?

    Answer: IHS health care services cannot be denied to a patient who refuses to provide his/her SSN. The SSN can be obtained from the Social Security Administration.

    3. Does the patient have to give a reason for not providing his/her SSN?

    Answer: No, patients do not have to state a reason for refusing to give their SSN. Providing the SSN to IHS for use in this System of Records is voluntary.

    4. Can an IHS employee demand, insist, or order that a patient provide his/her SSN?

    Answer: No, providing the SSN is voluntary. Follow the procedures discussed in #104 above. IHS may not threaten or refuse to provide health care services.

    5. Why does IHS collect SSNs from patients?

    Answer: IHS collects SSNs to: (1) specifically identify patients; (2) reduce the number of medical records kept on a particular patient; and (3) improve patient and health program management.

    6. Can IHS staff ask to see a patient's Social Security card to verify the patient's name and number?

    Answer: Yes. Keep in mind, however, that providing SSNs is voluntary. Verification of SSNs is done through the Social Security Administration (SSA).




    PRIVACY ACT VIOLATIONS:

    1. What are the penalties for violating the Privacy Act?

    Answer: A knowing and willful violation of the Privacy Act can result in criminal prosecution and a fine of $5,000. An IHS employee can also be subject to disciplinary action (reprimand, suspension, termination of employment) for a Privacy Act violation due to negligence or incompetence if he/she did not learn about his/her Privacy Act responsibilities (45 CFR Part 5b, Appendix A).

    2. Can IHS employees be found liable for Privacy Act violations?

    Answer: Under 5 U.S.C. 552a(i) a criminal conviction may occur and a fine may be imposed. Only the agency can be sued for damages by the subject individual.

    3. What happens if a staff member makes an unauthorized disclosure of information from a patient's medical record?

    Answer: A knowing and willful disclosure of information from a patient's medical record could result in criminal prosecution, a fine of $5,000, and/or disciplinary action (including suspension or dismissal).

    4. What are the procedures for filing a Privacy Act violation?

    Answer: The procedures are discussed in Appendix G, "Procedures for Handling Privacy Act Violations."

    5. What should a patient do if he/she knows information about him/her was released to an unauthorized source but does not know who released the information?

    Answer: His/her concerns should be put in writing and forwarded to the Service Unit PAL or SM. The patient should be advised that IHS will conduct an investigation.

    6. Is it a violation of a patient's privacy to place a bulletin board where the general public can see it and determine why a patient is on that hospital floor, ward, unit, etc.?

    Answer: Yes, because this practice may allow unauthorized disclosure of a patient's medical condition. However, if such a bulletin board is needed, it should be placed in an area only accessible to appropriate staff.

    7. To what extent should the Patient Advocate Program investigate Privacy Act complaints?

    Answer: Privacy Act complaints should be referred to the appropriate Area/Service Unit Privacy Act staff. They will investigate the complaint and make recommendations for appropriate action.

This file last modified: Thursday July 3, 2008 9:18 AM