Protecting Patient Privacy: My Florida Senate Bill 1606 Testimony

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CDH-L, CRIS, CC
Director of Compliance and Government Affairs
Verisma
June 10, 2025

I had the opportunity this spring to appear before a Florida State Senate committee to share a personal story pulled from my nearly 20 years as a health information professional – emphasizing the importance of protecting patient privacy and opposing SB 1606 as written.

As I prepared my testimony, I remembered the countless individuals who entrusted me with their most sensitive information. The important story I shared underscores the critical need for maintaining patient privacy protection.

A little over ten years ago, a woman came to my office with her children. She was there to request medical records, which at first seemed routine. However, as she completed the necessary forms, she quietly pulled me aside and made a special request: she asked me to ensure any bills related to her records would be sent directly to her attorney instead of her home.

The records she needed were related to abuse evaluations. She feared if her husband saw an invoice for medical record copies, he would realize she had taken the children to see a doctor and would know she was planning to leave him. This brave mother was concerned not only for her own safety, but also for the wellbeing of her children.

Fortunately, under existing HIPAA regulations, she was able to narrowly select the information to be released and designate an alternate address for communication to protect her privacy. However, this protection could be jeopardized by proposed legislation, including Florida’s SB 1606.

If SB 1606 and other bills like it pass, it would allow a patient’s attorney – sometimes any attorney – access to their entire medical record, including sensitive information like domestic violence evaluations and behavioral health treatment. This unrestricted access would expose vulnerable individuals to greater risks. In this mother’s case, her abuser could gain access to her sensitive information and even learn about her upcoming appointments, putting her safety in jeopardy.

This story is not unique. Sadly, I have encountered many domestic violence survivors over the years who rely on the privacy protections guaranteed by HIPAA to keep them safe. These laws have been in place for over two decades, ensuring only patients have unfettered access to their medical records because they are best equipped to assess the risks associated with disclosing their health information.

The passage of SB 1606 would strip patients of this critical ability, harming the most vulnerable among us. While there are numerous other concerns regarding SB 1606, this story highlights the deep personal and significant impact such legislation could have.

It is easy to focus on the technical aspects of medical records requests, including turnaround times and compliance, but we must remember each request represents a real person facing a significant challenge. Very few people request their medical records unless something has gone wrong in their lives.

I know the critical importance of patients being able to access their medical records. At the same time, I know patient portals are not designed to limit the information released. If only a patient can access a portal, there is not a need to withhold HIV test results or substance abuse treatment.

The changes proposed by Florida’s SB 1606 would primarily benefit a select few, while causing significant harm to vulnerable patients. It is crucial we continue to uphold the privacy protections that have safeguarded patient information for so long.

Let us remain vigilant in protecting patient privacy and ensure every individual’s sensitive information remains secure.

Verisma Compliance Resources

Get the latest updates written and curated by HIM compliance experts and subscribe to our weekly newsletter.
7 Ways Health Information Management Professionals Can Enhance Their Impact

May 21, 2025

As today’s hospital leaders look for ways to effectively manage healthcare data, they’re increasingly turning to health information management (HIM) professionals for valuable insights. As stewards of patient health information (PHI) and data, these professionals are often responsible for managing data from end to end, including collecting, storing, and sharing it with the organization. 

As a health information management professional, you possess technical and analytical skills that enable you to play a critical role in protecting data, ensuring its accuracy so your organization can use it effectively, and streamlining workflows so stakeholders from clinicians to administrative staff have the information they need, when they need it. 

But while your reach can be extensive, focusing on key priorities can help you maximize your impact. Here’s a look at seven ways you can best support your health system.  

1. Provide Leaders With Accurate Data for Decision-Making 

Health information management professionals are well-positioned to validate and interpret patient data because they understand why and how it’s captured.  

You and your team recognize how clinical documentation translates to the coded data necessary for clinical decision support, operational efficiency, financial management, population health management, and treatment personalization.  

By providing organized, accessible data to your organization, you can help transform how teams interpret and apply that information. Armed with accurate and complete data, hospital leaders, clinicians, and others can identify patterns, uncover insights, and make evidence-based decisions to drive better patient outcomes.  

2. Evaluate AI-Driven Solutions for Efficiency and Cost Effectiveness 

HIM professionals assist hospital leaders in balancing innovation with budget constraints. Not every new project or technology is cost effective, nor is it right for every organization. But by understanding vendor offerings and leveraging data to evaluate the return on investment (ROI) of new technologies — including clinical information systems — you can help your leaders make the right investments at the right time. 

For instance, you can provide financial data to ensure that expenditures on clinical data management software and other artificial intelligence (AI)-driven solutions align with business objectives. Or you can help measure the potential impact of these solutions on patient care and operational efficiency. Using your health information management skills, you can explore cost-effective clinical data management software solutions and establish metrics to monitor ongoing performance.  

3. Streamline Real-Time End-User PHI Access 

Individuals with health information management skills help organizations implement systems that improve immediate access to personal health information (PHI), which can help boost clinical and operational outcomes, according to the American Hospital Association. 

Your team’s extensive experience with clinical and administrative workflows — coupled with their knowledge of HIPAA regulations — makes them ideal experts to reduce bottlenecks in data retrieval and ensure data accessibility that doesn’t compromise security.  

When exploring different clinical information systems, for example, your team of health information management professionals can ensure the system chosen displays relevant data that clinicians need to assess and treat each patient on a single, customizable dashboard. Similarly, you and your team know the warning signs of when it’s time to archive EHR data and can sound the alarms before a lack of access to healthcare data becomes problematic. 

4. Increase Interoperability  

Integrating different healthcare systems and software can be challenging for any healthcare organization. But with extensive knowledge of standardized data formats and communication protocols, health information management professionals can help organizations overcome these difficulties. 

Your team specializes in data exchange procedures, which is critical for any technology integration. As such, you can improve data exchange between departments and external providers by advocating for the adoption of technology that uses universal data standards (e.g., Health Level 7, Fast Healthcare Interoperability Resources, and Digital Imaging and Communications in Medicine standards) and application programming interfaces (APIs).  

You can also help ensure your organization complies with government regulations to enforce interoperability. With interoperable systems, your organization can communicate, share, and use patient data efficiently across various platforms to coordinate care, promote patient safety, enhance operational efficiency, and increase patient engagement.   

5. Keep Pace With New Security Standards and Regulations 

As health information management professionals, it’s you and your team’s responsibility to stay on top of ever-evolving data management compliance requirements. That expertise puts you in the perfect position to quickly identify best practices for protecting patient data from breaches and cyber threats, including ransomware, insider threats, device and network vulnerabilities, and cloud security risks.  

These best practices include: 

  • Archiving data in legacy systems
  • Implementing strong access controls
  • Ensuring data encryption
  • Performing security audits and vulnerability assessments
  • Creating backup and disaster recovery plans
  • Providing employee training and security awareness programs 

As HIPAA experts, your team can also help prepare your organization for proposed HIPAA changes that include enhanced PHI access for patients, new cybersecurity standards, and more. 

6. Ensure Accurate Documentation to Support Better Care and Outcomes  

Accurate data is crucial to not only making informed decisions, but also enhancing billing, compliance, and quality reporting. Health information management professionals play a key role in educating physicians and staff about best practices for keeping data accurate and up to date.  

For example, implementing guardrails such as real-time data validation, automated data cleansing tools, and machine learning anomaly-detection tools can help you reduce documentation errors that impact patient care in your organization. 

By employing your health information management skills, you can help mitigate the risks of incomplete data, duplicate records, and outdated information, as well as leverage technologies like templates, AI tools, and physician-assisted documentation to improve documentation efficiency.  

7. Understand End Users’ Needs and Concerns 

Possessing keen insights into administrative and clinical information systems, your team of health information management professionals can easily identify pain points in existing or new applications and engage clinicians and administrative staff to improve workflows.  

Consider identifying and implementing strategies to streamline and automate manual administrative tasks, such as: 

  • Helping your organization go paperless to automate clinical and administrative workflow bottlenecks 
  • Capturing clinical and administrative data prior to appointments 
  • Leveraging AI to reduce the physician clinical documentation burden 
  • Ensuring clinical decision support systems integrate into the clinician’s workflow 

By providing training and support focused on technical skills and change management strategies, you can also ensure smooth technology adoption. 

Other important contributions? Your team can provide valuable end-user insights during legacy data migration projects and ask important operational questions when converting and transferring healthcare data from one system to another to ensure success.  

The Foundation for Better Data Management 

Health information management professionals are more than data managers. They’re regulatory experts, decision-making guides, documentation optimizers, and so much more.  

By prioritizing the key areas that make the biggest impact on your organization, you can help leaders successfully manage the data lifecycle. 

Learn how Verisma’s data archiving solution, Olah™, can augment these efforts, providing a new and better way to archive and access legacy health information.

Celebrating Autism Awareness Month and Its Impact on Patient Privacy

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CDH-L, CRIS, CC
Director of Government Affairs and Policy
Verisma
April 30, 2025

This post does not include a link to a speaking engagement or webinar. It is something rather personal. So, I am going to just dive in.

I am autistic, which some may know, and the end of this Autism Awareness month has made me unusually reflective. While I have brought it up during conversations, presentations, and roundtables, I have not gone out of my way to be vocal about my diagnosis.

Part of it is because I was not officially diagnosed until after I was 40. I am also frequently told I do not look autistic, to which I want to say you have probably not spent enough time with me, and I have had a lot of practice masking it.

In addition, there are real, potential consequences to disclosing my diagnosis. There is still a lot of misinformation about autism. Even if you are disclosing to someone you trust, you never remove the fear you will always have that asterisk after your name.

There is good reason for that fear. Autistic adults may be reluctant to apply to be foster parents because they’re afraid they won’t be accepted. We are also less likely to be believed by some healthcare providers, which can contribute to the average autistic lifespan being two decades less than the American average.

But I have learned not being authentically myself only hurts me, mentally and physically. For instance, I have had actual chest pain but that is a story for another post.

It is in this spirit that I am sharing my story. I think the more autistic people are open about their diagnosis, the better the community will understand the autism spectrum. There is not a typical autistic person, and we all deserve respect and support.

I also think it demystifies autism. I know there are more people out there who have not been diagnosed or were diagnosed later in life. I was told I could not be autistic because I had been in a relationship for 15+ years and could make eye contact. Being diagnosed a decade ago would have saved so much stress.

Finally, autism has reframed my understanding of how policymakers and health information professionals should approach patient privacy. Before my diagnosis, I thought I had a solid understanding of what privacy meant to an individual. It was not until my diagnosis, I truly understood why parents or patients may not share their complete medical history with providers … and the consequences, right or wrong, of disclosing a diagnosis.

There is a saying in the autism advocacy community: “Nothing about us without us.”

I love this motto.

I believe a health information professional’s job is to protect patients, autistic or not, and educate them on their right to disclose protected health information. Patients should be given this information in an understandable format and allowed to decide what, when, and to whom information is disclosed.

I suppose it is fitting HIP Week overlaps with Autism Awareness Month. All patients, particularly those in vulnerable populations, need to feel they control their health information, and it is securely kept. Health information professionals are uniquely positioned to advocate for patients and families. Belonging to both groups has emphasized the critical role my peers play in ensuring a patient’s trust. My hope is more health information professionals will feel comfortable and empowered to leverage experiences to move beyond daily work and examine how they can help patients understand privacy rights.

Mitigating Compliance Risk: HIPAA Unauthorized Disclosures Process

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CDH-L, CRIS, CC
Director of Compliance and Government Affairs
Verisma
February 8, 2025

Unfortunately, unauthorized disclosures (UAD) are a reality for today’s healthcare organizations. We’ve all been there – a staff member accidentally mistypes a fax number, or a patient ends up with one page of another patient’s protected health information (PHI) in their mailed medical records. What happens next determines if you have a Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reportable breach on your hands. When notified that PHI may not have been delivered as directed, your compliance team needs to spring into action to mitigate any risk to PHI.

Don’t have a compliance team? Not sure what steps and procedures define your processes for HIPAA unauthorized disclosures? Read on for recommendations and best practices for mitigating compliance risk.

Develop Investigation Protocol

When you are aware of a possible UAD, mitigate the possible risk as quickly as possible. Because we oversee hundreds of millions of record requests annually, our volume is substantially higher than most – and we have a designated Compliance Officer and support team. Therefore, we have developed our UAD Investigation Protocol based on years of experience and countless processed records.

The moment a release of information specialist (ROIS) is aware of a possible incident, he or she has a short amount of time to initiate an incident report and submit it to the Compliance team. In many organizations, employees fear admitting mistakes. Creating a culture of compliance includes reassuring your team, “to err is human and to report is divine.” If your staff isn’t reporting errors to you, it is not because they are not making them; it is because they are not admitting them. Not knowing about an incident is far worse for your organization than being aware and taking measures to mitigate the damage of compromised PHI.

When an incident occurs, we rely on our team to notify us immediately. The Compliance team then begins working the risk assessment right away to research how the situation occurred. It is important to quickly contact the unauthorized recipient and collaborate with them to securely destroy, or return, the PHI. Additionally, to assert a low probability of PHI compromise or harm, a confidentiality statement must be obtained from the unauthorized recipient, outlining the secure destruction and assuring no further disclosure of the information occurs.

It is critical that you take steps to mitigate the possibility of future UADs. Supervisors need to re-train the ROIS on best practices and auditing procedures based upon the mistake the ROIS made. If an ROIS working at a front desk were to hand one patient another patient’s medical records, you would want to spend time discussing best practices for double-checking discharge paperwork coming off the printer before it is handed over the counter.

After re-training, the Compliance Officer completes the risk assessment. On the Health Insurance Portability and Accountability Act (HIPAA) Risk Assessment, the Compliance Officer reports whether the PHI has been acquired or viewed, and determines the extent of PHI risk, following federal HIPAA guidelines and state laws. After you are aware there is a possible breach, you have 60 days to complete your investigation, unless your state requires a shorter amount of time.

Violation vs. Breach

UADs typically fall into two categories, violation or breach.

A violation is a UAD with a low probability of PHI compromise. If low risk is determined and supported by the assessment, reporting the incident to the OCR and the patient is not necessary. For instance, if PHI is disclosed without authorization to another covered entity, that entity has a legal responsibility to protect the information. Once the covered entity has destroyed the PHI, there is a low probability of compromise and the incident is classified as a violation.

If there isn’t low probability of PHI compromise, the UAD is a breach. For example, if you are not able to obtain a confidentiality statement from an unauthorized recipient, there is not a proven low probability of compromise. The breach needs to be reported to the OCR and the patient must be notified, explaining how their PHI was compromised.

According to the OCR, between 2019 and 2023 there was a substantial 89 percent increase in hacking and a massive 102 percent increase in ransomware. Realizing the agency can issue up to a $50,000 fine per incident with an annual cap of $1.5 million is how healthcare nightmares are made.

ROI Partner

Healthcare providers often face the challenge of managing a high volume of medical record requests, which can be time-consuming and prone to manual errors. Collaborating with a trusted ROI partner transfers the workload to a team of specialists who are dedicated to handling these requests accurately, securely and efficiently – freeing up valuable time for your staff to focus on patient satisfaction.

Verisma’s team of healthcare data experts is equipped to simplify workflows with advanced technology to manage the complexities of HIPAA compliance and mitigate risks associated with UADs. We understand the importance of policies and procedures and have processes in place to protect PHI. Our compliance team can quickly assess the situation, contact unauthorized recipients, and take necessary steps to secure the information.

Ready to reduce workloads and improve patient experience? Contact us today to discuss how we can help.

How Do I Fulfill Continuity of Care Requests?

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
December 9, 2024

When a patient moves between healthcare providers, their medical information and records often need to follow. Records necessary for the care of the patient fall under the treatment provision of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and (generally) don’t require an authorization from the patient or their personal representative. But when sharing records with another facility for treatment purposes, what and how much should you disclose?

What’s Transfer of Care?

While a Continuity of Care request is often a patient travelling between providers, the patient remains actively involved with both organizations. Consider a patient moving between a primary care physician and a cardiologist. It’s important for both providers to know what the other facility’s treatment of the patient entailed. So, they may submit a Continuity of Care request to obtain the records from the other provider.

A Transfer of Care request is different. In a Transfer of Care, the patient is transferring who’ll provide his or her care from one provider to another, and there’s no intent for the patient to return to the originating organization. Transfer of Care requests happen most often when the patient has moved and established care with a new provider.

Minimum Necessary Standard

The minimum necessary standard of the HIPAA Privacy Rule requires a provider to limit a disclosure to the minimum amount of information needed to accomplish the intended purpose. However, the minimum necessary standard doesn’t apply to provider-to-provider requests for treatment purposes. Providers are permitted to request and disclose the amount of PHI necessary to treat a patient, and the releasing provider is permitted to rely on the requesting provider’s judgment about what’s the minimum amount of information needed. Even though minimum necessary may not be required for Continuity of Care or Transfer of Care requests, the framework can serve as a best practice to get the most meaningful information to another provider.

When a provider receives hundreds of pages of medical records, it’s burdensome for them to sort through the information and determine what’s needed. The electronic health record (EHR) can be filled with “note bloat” and templated, duplicative information. For Continuity of Care purposes, most providers only need the most recent records of a patient. Sending all records for Continuity of Care requests can be a waste of time and resources. Applying the minimum necessary standard to Continuity of Care and Transfer of Care requests allows providers to receive the most pertinent information often on the first request. Of course, if the requesting provider needs more records, a second release of information (ROI) can occur with the transfer of the additional records.

Creating a Continuity of Care Policy

It’s important that healthcare organizations create policies and procedures that remain consistent when applying standards like the minimum necessary. This can be done through a general ROI policy or within linked procedures and workflows. In either case, when your organization implements the minimum necessary standard for Continuity of Care or Transfer of Care requests, you should outline what factors are considered to limit the number of pages or the information initially disclosed.

These factors could include, but aren’t limited to:

  • An understanding with the receiving practice on what they want to receive
  • Patient age
  • Patient condition
  • Size of the medical record
  • Organization’s EHR solution
  • The specialty of the provider

If your organization decides to limit the information initially sent to the requesting provider, it’s critical you make the receiving facility aware that not all the information has been sent. This can be done through a cover letter indicating that the most recent records have been sent and including instructions on how the provider may request additional records if needed.

Release Record Requests to a Partner

If you find Continuity of Care, Transfer of Care, and all other record requests take too much of your staff’s valuable time, consider releasing this administrative burden to a partner. Verisma processes hundreds of millions of record requests annually and is an industry leader with the highest accuracy rate. If you need to focus more on patient care, request a demo today to see how we can help.

What’s the Minimum Necessary Standard and What Does It Mean for Your Practice?

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
September 30, 2024

Annoyed and confrontational requestors may challenge the content provided in response to a request for medical records because they don’t think they received the precise information requested. These complaints can happen when requestors are unfamiliar with the minimum necessary standard.

If your organization adheres to its policies, it’s likely you’re compliant with HIPAA provisions despite pushback from requestors. Your organization isn’t required to spend hours sifting through the medical records and parsing out information to spare a requestor spending time to locate the information they deem relevant.

What’s HIPAA minimum necessary standard?

Covered entities and business associates are required by the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)[1] to take reasonable efforts to limit the release of protected health information (PHI) to the minimum necessary to accomplish the intended purpose of the request,[2] often referred to as the minimum necessary standard. It’s designed to be flexible and places the authority with the covered entity to determine implementation.[3]

How does the minimum necessary requirement rule work?

A healthcare organization must develop and implement policies and procedures appropriate for its organization and reflect the business practices and workforce. The organization’s policies and procedures must identify who needs access to PHI to fulfill job responsibilities, categories of PHI needed, and conditions where access is appropriate. For instance, a hospital can permit doctors, nurses or others involved in treatment to have access to the full medical record. When the entire medical record is necessary, the organization’s policies and procedures must state so and include a justification.

When does the minimum necessary standard not apply?

  • Healthcare providers making a request for treatment purposes
  • Patients requesting their own records
  • Requests with valid authorization
  • Requests required for compliance with HIPAA Administrative Simplifications Rules
  • U.S. Department of Health and Human Services (HHS) requests for disclosure of information required under the Privacy Rule for enforcement purposes
  • When the request is required by law

Who decides what’s minimum necessary?

A covered entity may rely on its business associate’s determination of the minimum amount of information needed for a reasonable request to disclose PHI. Covered entities can defer to Verisma and let us handle the burden. As a trusted business associate, we provide requestors with the right information. Covered entities entrust us with PHI, and we have an obligation to disclose information correctly. We’ve developed policies and procedures for implementing the minimum necessary standard so our fulfillment of applicable requests is compliant with the Privacy Rule.

Verisma and your minimum necessary policy

We do what’s in the best interest of our clients. During the implementation process, we’ll work together to make sure we have a clear understanding of what minimum necessary means for your organization.

Learn more by contacting our team of healthcare data experts.

[1] 45 CFR Part 160 and Part 164, Subparts A and E
[2] 45 CFR 164.502(b)
[3] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
