The practitioner in private practice is the owner of patient records, but patients have rights of access (either by federal or state statute or by judicial decision) to the information in the record.Federal and state freedom of information acts, state optometry statutes and board rules, and most recently HIPAA provide access.
The records of optometrists are generally subject to discovery in both civil and criminal cases. If subpoenaed by a court of competent jurisdiction, they must be turned over to the court.This means they are “wide open” to scrutiny in legal proceedings.
“Privileged communications” laws hold that private information entrusted to a doctor will not be divulged to a third party without the consent of the patient.Thus, doctorsare not allowed in legal proceedings to disclose information necessary to the care and treatment of the patient acquired while attending the patient. The privilege may be waived by the patient, however, thereby allowing the doctor to provide the information to a third party or to testify concerning the communication.
Because optometrists are rarely included in “privileged communication” statutes, however, patient records are open to subpoena and optometrists may be questioned in legal proceedings about information collected during examination or comments made by the patient.
Because of a patient's right of access to information in the record, entries should be made in accordance with professional standards. Extraneous or derogatory comments that reflect poorly on the patient or are unrelated to patient care should be avoided.Entries not related to patient care should be placed on personal notes.
No patient information should be released to a third party without the patient's written consent.When information must be released, only the information requested, not the entire record, should be provided. Summaries of patient care should be used to protect confidentiality.
Optometrists should be familiar with the provisions of federal and state law that pertain to the release of information contained in a medical record. The most important law in this respect is the Health Insurance Portability and Accountability Act (HIPAA).Prescription information is the most widely-sought part of an optometrist’s record.
The release of prescription information, either for spectacles or for contact lenses, is not regulated by HIPAA. The release of prescriptions and prescription information is subject to federal law, but it is the Federal Trade Commission that actually regulates this issue.
Spectacle prescription release is regulated in all jurisdictions by the Federal Trade Commission's "Eyeglasses" rules: a copy of the prescription must be given to the patient at the conclusion of the examination. Only one copy has to be provided.If there is no prescription, nothing must be given. If the prescription has not changed and the spectacles are serviceable, the prescription must still be given.
The elements of a spectacle prescription are defined by the FTC's "Eyeglasses" rules as:"the written specifications for spectacle lenses which are derived from an eye examination, including all the information specified by state law, if any, necessary to obtain spectacle lenses."The minimum requirements for a spectacle prescription are specified in the laws of several states; practitioners in those states must include the required information on all spectacle prescriptions.
An expiration date may be placed on the prescription; one year is customary.A fee can be charged for writing the prescription, as long as all patients are charged it. A fee may be charged for verifying spectacles obtained from a third party dispenser.
No disclaimers or waivers can be placed on the prescription, but limitations are allowed (“polycarbonate only”).Violations of the rule are punishable by a fine of up to $10,000 per offense. The FTC has punished offenders with fines.
The release of contact lensprescriptions is also controlled by federal law (as of 2004).Patients must be given a copy of the prescription at the conclusion of the fitting process (which includes a period of lens wear).
Patients cannot be required to purchase lenses from the prescriber as a condition for receiving the prescription.A fee cannot be charged for release of the prescription or verification of lenses obtained from a third party seller.
Prescriptions may have an expiration date of 1 year; a shorter period can be specified “based on the medical judgment of the prescriber with respect to the ocular health of the patient” (documentation is required), and a longer period may be specified if required by state law.Disclaimers or waivers from responsibility for prescriptions filled by third parties are prohibited.
The contact lens prescription must include:• Name of the patient• Date of examination• Issue date and expiration date• Name, address, telephone number, and fax number of the prescriber• Lens power, material or manufacturer, or both• Base curve or appropriate designation• Diameter, when appropriateThird party sellers cannot alter the information in a contact lensprescription.
The prescriber can limit the number of lenses or refills by including this information on the prescription.The prescriber does not have to provide a copy of a prescription that has expired, or prescription information that has expired, to a third party seller.
The law requires the verification of contact lens information, sent by a third party seller to a prescriber, attendant to the sale of lenses by the seller to the prescriber’s patient. The seller must have a valid prescription in order to make the sale, and if the seller only has contact lens information—not a prescription—the prescriber must be contacted (by telephone, fax, or e-mail) to verify the information.
The prescriber must reply to the seller within 8 business hours, verifying that the information is correct or, if it is incorrect, providing the correct information. Failure to respond is deemed to mean that the information was correct.A seller’s request must include the patient’s name and address, the lens power, manufacturer, base curve, diameter, or other appropriate information, quantity of lenses ordered, date of the request, date and time of the communication to the prescriber, and the name, telephone number, and fax number of the seller.
Because of these many legal obligations, it is essential that patient care be properly documented, information safeguarded, and records appropriately maintained.Although federal and state laws do not mandate any particular type of recordkeeping method, professional standards have established a clearly preferred system.
The problem-oriented record system is solution-oriented and enables the practitioner to manage patients in a logical and efficient manner by helping to define problems, plan for their resolution, and properly monitor their progress. When used appropriately, the problem-oriented record system also provides the documentation that is essential for medicolegal purposes while requiring a minimum of time for recording and interpretation.
There are four steps to the problem-oriented system of recordkeeping: 1-formulating an adequate data base2-compiling a problem list3-formulating a plan to solve the identified problems4-using progress notes for follow- up.
Key aspects of documentation include:• complaints• best visual acuities• significant clinical findings• problems and plans for care• recall and referral information• warnings or informed consent
Chief complaints and the history of present illness should be described in accordance with federal requirements for Medicare documentation, which is now the obligatory means of documenting care because of HIPAA (to be described).Best visual acuities should be noted at every examination.
Key findings must always be noted.The examination data collected by a student (or technician) are incorporated into the record when the record is signed by a licensed practitioner, who then becomes responsible for it.This process is legally termed “authentication”.
Entries of findings should be descriptive whenever possible:• optic nerve: C/D=.6/.7, NRRI, no pallor, margins distinct • macula: no pigmentation or mottling noted • lens: cataract 2+ OD and 1+ OS • cornea: no opacities, infiltrates or staining noted Negative findings, when useful, should be recorded: • no staining with fluorescein or rose bengal (dry eye)
In a problem-oriented recordkeeping system, only problems are written in the record, along with a plan to solve each problem.For example, if visual acuity is reduced, the record should reflect why; if not known, the record should reflect what will be done to determine the cause.
Recalls should be always be written in the record. Referrals should be scheduled by telephone with the practitioner to whom the patient is being referred and noted in the record. A referral letter should be written, signed and mailed (or sent by FAX) before the appointment date.
If a warning is required, or a risk must be described due to the doctrine of informed consent, the communication should be documented. The most common circumstance requiring a warning is dilation of the pupil. For informed consent, it is fitting of extended wear contact lenses and prescribing of therapeutic drugs with adverse side effects.
Erroneous entries must be properly corrected.A line (that means one) should be drawn through the error, the correct information should be written in, and the change should be initialed and dated. If an explanation of the correction is needed, it should also be provided.
A key responsibility of recordkeeping is ensuring the confidentiality of information.Not only the release of information but also the use and protection of information in the officeare now subject to federal regulation. Practitioners must establish office policiesfor the control of patient information due to HIPAA.
The HIPAA “privacy rules” are extensive, but contain 3 basic requirements:1. HIPAA creates restrictions on the use or disclosure of “individually identifiable health care information” 2. rights are established with respect to a patient’s “individually identifiable health care information”3. health care providers are required to take certain administrative actions that are intended to protect the privacy of “individually identifiable health care information”
Any information created or received by a health care provider from a patient that identifies the patient is defined as “individually identifiable health care information” and thus subject to HIPAA.The first HIPAA requirement involves restrictions on the use of health care information: health care providers “cannot use or disclose protected health information, except as permitted or required by the rules”.
There are 10 disclosure exceptions, the most important being: • without additional consent for treatment, payment, or health care operations (emergencies, if there are barriers to communication) • with a specific authorization (if disclosure is sought for reasons other than treatment, payment, or general health care operations) • with a written contract for “business associates” (but optical laboratories are exempted from this category)
HIPAA requires that whenever a health care provider is using or providing protected health care information, reasonable efforts must be made to limit information to the minimum necessary to accomplish the use or disclosure.
The second HIPAA requirement establishes privacy rights: • every practitioner has to have a “privacy notice” for patients, the contents of which are established by HIPAA • patients are given the right to inspect and obtain copies of their medical and billing records • patients have the right to ask the practitioner to amend records • patients can request an account of all disclosures of personal health information by a provider within the preceding 6 years (except those for treatment, payment, or health care operations)
The third HIPAA requirement establishes several administrative requirements: • a “privacy officer” must be appointed by the provider • employees must undergo training so they understand HIPAA • safeguards must be put in place to ensure that the privacy of personal health information is protected • a complaint process for patients must be established • sanctions must be imposed on employees who do not comply with HIPAA provisions • patients cannot be required to waive HIPAA rights as a condition for treatment nor can they be punished for exercising these rights • policies and procedures must be documented in writing
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. We respect our legal obligation to keep health information that identifies you private. We are obligated by law to give you notice of our privacy practices. This Notice describes how we protect your health information and what rights you have regarding it. TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS The most common reason why we use or disclose your health information is for treatment, payment or health care operations. Examples of how we use or disclose information for treatment purposes are: setting up an appointment for you; testing or examining your eyes; prescribing glasses, contact lenses, or eye medications and faxing them to be filled; showing you low vision aids; referring you to another doctor or clinic for eye care or low vision aids or services; or getting copies of your health information from another professional that you may have seen before us. Examples of how we use or disclose your health information for payment purposes are: asking you about your health or vision care plans, or other sources of payment; preparing and sending bills or claims; and collecting unpaid amounts (either ourselves or through a collection agency or attorney). “Health care operations” mean those administrative and managerial functions that we have to do in order to run our office. Examples of how we use or disclose your health information for health care operations are: financial or billing audits; internal quality assurance; personnel decisions; participation in managed care plans; defense of legal matters; business planning; and outside storage of our records. We routinely use your health information inside our office for these purposes without any special permission. If we need to disclose your health information outside of our office for these reasons, we will ask you for special written permission.
AUTHORIZATION FOR RELEASE OF IDENTIFYING HEALTH INFORMATION I authorize the professional office of my optometrist named above to release health information identifying me [including if applicable, information about HIV infection or AIDS, information about substance abuse treatment, and information about mental health services] under the following terms and conditions: • Detailed description of the information to be released: • To whom may the information be released (name(s) or class(es) of recipients): • The purpose(s) for the release (if the authorization is initiated by the individual, it is permissible to state “at the request of the individual” as the purpose, if desired by the individual): • Expiration date or event relating to the individual or purpose for the release: • It is completely your decision whether or not to sign this authorization form. We cannot refuse to treat you if you choose not to sign this authorization. • If you sign this authorization, you can revoke it later. The only exception to your right to revoke is if we have already acted in reliance upon the authorization. If you want to revoke your authorization, send us a written or electronic note telling us that your authorization is revoked. Send this note to the office contact person listed at the top of this form. • When your health information is disclosed as provided in this authorization, the recipient often has no legal duty to protect its confidentiality. In many cases, the recipient may re-disclose theinformation as he/she wishes. Sometimes, state or federal law changes this possibility. I HAVE READ AND UNDERSTAND THIS FORM. I AM SIGNING IT VOLUNTARILY. I AUTHORIZE THE DISCLOSURE OF MY HEALTH INFORMATION AS DESCRIBED IN THIS FORM.
There are also HIPAA rules that apply to the security of electronic information; practices must have: • administrative safeguards (risk analysis and risk management) • physical safeguards (protected access to electronic information) • technical safeguards (limited access, protection of information, identification of third parties seeking information)