Accessing Medical Records and the HIPAA Privacy Regulation Cheryl Fish-Parcham and Sonya Schwartz Health Assistance Partnership Prepared for the NAPAS Conference May 31, 2003


Accessing Medical Records and the HIPAA Privacy Regulation

Cheryl Fish-Parcham and Sonya Schwartz

Health Assistance Partnership

Prepared for the NAPAS Conference

May 31, 2003


HIPAA Privacy Regulation Myths

• HIPAA is a large herbivorous 4-toed mammal.

• Consumers will not be able to access their own medical records.

• Advocates will no longer be able to access medical records for their clients.


Presentation Overview

• HIPAA Privacy Regulation Authority and Basics

• Consumers’ Right to Access Records

• Rights of P & A Advocates, Other Advocates, Family Members and Personal Representatives to Access Records

• Consumers’ Right to Amend Records

• HIPAA Privacy Regulation’s Interaction with State and Federal Law

• Complaints

• Resources


Authority

• The HIPAA Privacy Regulation arises out of the “Administrative Simplification” measures of the Health Insurance Portability and Accountability Act of 1996

• The HIPAA Privacy Regulation can be found at 45 CFR Parts 160 and 164

• HIPAA Privacy Regulation Compliance Deadlines

– April 14, 2003 for all covered entities

– April 14, 2004 for small health plans


HIPAA Privacy Regulation Basics

• Applies only to “personal health information.”

• Applies to “covered entities.”

• Protects the privacy of health information.

• Provides access to health information.


Basics: Personal Health Information (PHI)

• The HIPAA Privacy Regulation only applies to PHI, which must be both:

1. Health information – any oral or recorded information relating to past, present or future physical or mental health of an individual; AND

2. Individually identifiable – identifies or can reasonably be used to identify the individual, and not information where the identity has been removed


Basics: Covered Entity

1. A Health plan – The regulation is very broad here and includes any individual or group plan that provides or pays for medical care, including private and government plans. (However, employers who sponsor plans are not covered entities); OR

2. A Health Care Clearinghouse – A term of art that refers to entities that translate health information received from other entities in a standard format; OR

3. A Certain Health Care Provider – Providers are defined broadly (homeopaths, pharmacists…) but must electronically transmit (not fax) health information in standard format.


Basics: Privacy Protections

• Generally, covered entities cannot use or disclose PHI.

• However, covered entities may disclose PHI:

– pursuant to an authorization (described later),

– for treatment, payment or health care operations,

– for public health and other specific purposes,

– pursuant to a business associate agreement,

• Covered entities must disclose PHI:

– to the individual,

– when required by HHS to determine compliance


Basics: Access Protections

• Consumers have a right to access their own medical records.

• P & A advocates acting within their mandate have a right to access medical records.

• Other consumer advocates or P & A advocates acting outside of their mandate may also access medical records with a written authorization from the patient.

• Certain “personal representatives” have a right to access medical records without a written authorization.


Consumers’ Rights to Access Records (1)

• Consumers have a right to inspect and obtain a copy of records within 30 days from the date the request is received.

• Under certain conditions (see next slides), a covered entity can deny access to certain information, but it must give the consumer a written denial in 30 days containing:

1. the basis for the denial; AND

2. a statement about review rights; AND

3. information about how to file a complaint with HHS


Consumers’ Rights to Access Records (2)

• A covered entity does not have to provide access or allow consumers to review decisions about the following (there is no right to appeal):

– Psychotherapy notes (see definition ahead)

– Information compiled for use in a civil, criminal or administrative action or proceeding

– PHI maintained by a covered entity required by the Clinical Laboratory Improvements Amendments

– Information requested by an inmate under certain circumstances


Consumers’ Rights to Access Records (3)

• A covered entity does not have to provide access or allow consumers to review decisions about the following (there is no right to appeal):

– Research that includes treatment

– Information contained in records subject to Privacy Act

– Information obtained by the covered entity from someone other than a health care provider under a promise of confidentiality and access to which would be “reasonably likely to reveal the source of the information”


Consumers’ Rights to Access Records (4)

• A covered entity does not have to provide access to the following, but may release it to a health care provider, if a licensed health care professional determines that (there is a right to appeal):

– It is reasonably likely that access to the requested information would endanger the life of the consumer; OR

– The information makes reference to another person and it is reasonably likely to cause substantial harm to the consumer or another person; OR

– Because the consumer’s personal representative requested the information, it is reasonably likely to cause substantial harm to the consumer or another person


Psychotherapy Notes

Definition: Notes by a mental health professional about a counseling session, separated from the rest of the medical record.

• Requires separate authorization.

• No individual right of access.

• Disclosure to oversight entity may be required by laws governing investigation of health, safety, death or oversight of the psychotherapist.


Fees

• A covered entity can charge “reasonable” cost-based fees, including the labor and supply costs of copying the information

• Covered entities may not charge for the labor or handling of the information or for processing the request

• A few tips:

– Fees for copying and postage under state law are presumed reasonable and state law may also provide for the release of medical records for free for low-income individuals.

– A helpful doctor (with consumer’s authorization) can often get their patient’s medical records for free. You may want to ask a doctor to request the medical records for you and then release them to you to avoid paying fees.


Rights of P & A Advocates (1)

Covered entities may use or disclose PHI “to the extent that such use is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law.” (45 CFR 164.512(a))

Other laws give P&As rights to access:

• Records of individuals not competent to consent who have no guardian if P&A has received a complaint and has probable cause to suspect abuse or neglect;


Rights of P & A Advocates (2)

• When there is a guardian and the agency has unsuccessfully attempted to resolve the concern through the guardian, access to records without the guardian’s consent if there is probable cause that the health or safety of an individual is in serious or immediate jeopardy.

• When operating outside of its mandates to investigate abuse and neglect, P&As may be subject to general HIPAA use and disclosure rules.


Rights of Other Types of Consumer Advocates

• Consumer advocates may access medical records with a proper authorization (next slide).


Authorization (1)

1. Must be separate from other general authorization forms; and

2. A description of the information that may be disclosed (can be very general and request the entire record of a particular provider); and

3. The covered entity, person or persons authorized to disclose the information; and

4. The name of the person(s) authorized to receive the information; and

5. An expiration date or event (ex. “Until completion of my appeal”); and


Authorization (2)

6. The signature of the consumer and the date (may also be signed by the “personal representative” along with a description of their authority); and

7. A statement of the individual’s right to revoke the authorization; and

8. A statement that information disclosed may be subject to redisclosure if the recipient is not a covered entity under HIPAA*


Rights of Personal Representatives

• Personal Representatives Step into the Shoes of the Consumer and May Access Records Without An Authorization

– authority is limited to information that is relevant to such personal representation

• Personal representatives are:

1. Parents of minor and unemancipated children; OR

2. Individuals who have authority under other law to act on behalf of the consumer in making decisions related to health care.


Rights of Family Members

• May be given information relevant to their involvement in care or payment for care if the individual is present and doesn’t object.

• If they are the personal representative (e.g., parent of minor; legal guardian), they step into the individual’s shoes.

• Can be denied access if the entity believes the individual may be subject to violence, abuse, neglect, or endangerment by the representative.


General Directory Information

• A facility can disclose an individual’s location and general condition to people asking about the individual by name. The individual can opt not to have this information disclosed.


Consumer’s Rights to Amend or Supplement Records (1)

• Consumers have a right to have “covered entities” amend their “personal health information” within 60 days from the date the request is received

• This deadline may be extended 30 days if the covered entity provides a written statement with the reason for the delay


Consumer’s Rights to Amend or Supplement Records (2)

• The Amendment may be denied if the record:

1. was not created by the covered entity unless the originator of the PHI is no longer available to make the amendment; OR

2. was not part of the record set; OR

3. is available for inspection

• If an entity accepts the request, it must:

1. make the amendment; AND

2. inform the consumer; AND

3. provide amendment to entities identified by consumer and other entities known to have received erroneous information


Interaction with State Law? (1)

• The HIPAA privacy regulation establishes a federal floor for protecting privacy and providing access to medical records

• State laws that are “contrary” to federal law will not remain in effect. “Contrary” means:

– A covered entity would find it impossible to comply with both the state and federal requirements; OR

– The state law conflicts with the HIPAA Statute’s provisions on privacy


Interaction with State Law? (2)

• State laws “more stringent” than the federal rule will remain in effect. “More stringent” means:

– With respect to patient privacy, a state law is more stringent when it provides consumers greater privacy protections.

– With respect to patient access, a state law is more stringent when it provides consumers greater access to medical records.

• For review of state law, see the appendix of the Health Privacy Project’s The State of Health Privacy http://www.georgetown.edu/research/ihcrp/privacy/statereport.pdf


Interaction with Federal Law (1)

• Covered entities subject to the HIPAA Privacy Rule are also subject to other federal statutes and regulations.

• There should be few conflicts between a federal statute or regulation and the HIPAA Privacy Rule.

• In cases where a potential conflict appears, HHS would attempt to resolve it so that both laws apply.


Interaction with Federal Law (2)

• Our issue brief provides an overview of four federal health care laws/regulations:

– Medicaid Managed Care Regulation

– ERISA Claims Procedures Regulation

– Nursing Home Rights Law

– Medicare + Choice Regulation


Filing Complaints (1)

• There is no private cause of action under the regulation itself.

• A consumer may file a complaint with the Secretary of HHS

• Three requirements for filing a complaint:

1. filed in writing (paper or electronically)

2. name the entity and describe how the entity violated the regulation (by acts or omissions)

3. filed within 180 days of when the complainant knew (or should have known) that the regulation was violated. The Secretary can waive this if there is a showing of good cause.


Filing Complaints (2)

• After a complaint is filed, HHS may:

– conduct an investigation

– attempt to solve the matter informally

– impose $100-$25,000 civil penalty per year for each standard violated

– impose criminal penalties for certain wrongful disclosures

• Helpful Complaint Form is Available from the Health Privacy Project at www.healthprivacy.org


Helpful Resources (1)

Rights to Access Medical Records Under the HIPAA Privacy Regulation http://www.healthassistancepartnership.org

HIPAA Privacy Regulation: Questions and Answers for Consumer Health Assistance Programs http://www.healthassistancepartnership.org

The complete HIPAA privacy regulation text (unofficial version) http://www.hhs.gov/ocr/combinedregtext.pdf


Helpful Resources (2)

• HHS HIPAA Privacy Website, http://www.hhs.gov/ocr/hipaa/finalreg.html

• HHS decision tool for identifying covered entities http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

The Health Privacy Project’s Summary of HIPAA Privacy Regulation http://www.healthprivacy.org/usr_doc/RegSummary2002.pdf


Our Contact Information

• Sonya Schwartz [email protected]

• Cheryl Fish-Parcham [email protected]

Health Assistance Partnership

A Project of Families USA

1334 G Street, NW

Washington, DC 20005

(202) 737-6340

www.healthassistancepartnership.org