Accessing Medical Records and the HIPAA Privacy Regulation Cheryl Fish-Parcham and Sonya Schwartz...
-
Upload
marissa-oleary -
Category
Documents
-
view
217 -
download
2
Transcript of Accessing Medical Records and the HIPAA Privacy Regulation Cheryl Fish-Parcham and Sonya Schwartz...
Accessing Medical Records and the HIPAA Privacy Regulation
Cheryl Fish-Parcham and Sonya Schwartz
Health Assistance Partnership
Prepared for the NAPAS Conference
May 31, 2003
Health Assistance Partnership 2
HIPAA Privacy Regulation Myths
• HIPAA is a large herbivorous 4-toed mammal.
• Consumers will not be able to access their own medical records.
• Advocates will no longer be able to access medical records for their clients.
Health Assistance Partnership 3
Presentation Overview
• HIPAA Privacy Regulation Authority and Basics• Consumers’ Right to Access Records• Rights of P & A Advocates, Other Advocates,
Family Members and Personal Representatives to Access Records
• Consumers’ Right to Amend Records • HIPAA Privacy Regulation’s Interaction with
State and Federal Law• Complaints• Resources
Health Assistance Partnership 4
Authority
• The HIPAA Privacy Regulation Arises out of the “Administrative Simplification” measures of the the Health Insurance Portability and Accountability Act of 1996
• The HIPAA Privacy Regulation can be found at 45 CFR Part 160 and 164
• HIPAA Privacy Regulation Compliance Deadlines
– April 14, 2003 for all covered entities – April 14, 2004 for small health plans
Health Assistance Partnership 5
HIPAA Privacy Regulation Basics
• Applies only to “personal health information.”
• Applies to “covered entities.”
• Protects the privacy of health information.
• Provides access to health information.
Health Assistance Partnership 6
Basics: Personal Health Information (PHI)
• The HIPAA Privacy Regulation only applies to PHI, which must be both:
1. Health information – any oral or recorded information relating to past, present or future physical or mental health of an individual; AND
2. Individually identifiable – identifies or can reasonably be used to identify the individual, and not information where the identity has been removed
Health Assistance Partnership 7
Basics: Covered Entity
1. A Health plan – The regulation is very broad here and includes individual or group plan that provides or pays for medical care, including private and government plans. (However, employers who sponsor plans are not covered entities); OR
2. A Health Care Clearinghouse – A term of art that refers to entities that translates health information received from other entities in a standard format; OR
3. A Certain Health Care Provider – Providers are defined broadly (homeopaths, pharmacists…) but must electronically transmit (not fax) health information in standard format.
Health Assistance Partnership 8
Basics: Privacy Protections
• Generally, covered entities cannot use or disclose PHI.
• However, covered entities may disclose PHI:– pursuant to an authorization (described later),– for treatment, payment or health care operations, – for public health and other specific purposes,– pursuant to a business associate agreement,
• Covered entities must disclose PHI:– to the individual, – when required by HHS to determine compliance
Health Assistance Partnership 9
Basics: Access Protections
• Consumers’ have a right to access their own medical records.
• P & A advocates acting within their mandate have a right to access medical records.
• Other consumer advocates or P & A advocates acting outside of their mandate may also access medical records with a written authorization from the patient.
• Certain “personal representatives” have a right to access medical records without a written authorization.
Health Assistance Partnership 10
Consumers’ Rights to Access Records (1)
• Consumers’ have a right to inspect, obtain a copy records within 30 days from the date the request is received.
• Under certain conditions (see next slides), a covered entity can deny access to certain information, but it must give the consumer a written denial in 30 days containing:
1. the basis for the denial; AND
2. a statement about review rights; AND
3. information about how to file a complaint with HHS
Health Assistance Partnership 11
Consumers’ Rights to Access Records (2)
• A covered entity does not have to provide access or allow consumers to review decisions about the following (there is no right to appeal):– Psychotherapy notes (see definition ahead)– Information compiled for use in a civil, criminal or
administrative action or proceeding– PHI maintained by a covered entity required by the
Clinical Laboratory Improvements Amendments– Information requested by an inmate under certain
circumstances
Health Assistance Partnership 12
Consumers’ Rights to Access Records (3)
• A covered entity does not have to provide access or allow consumers to review decisions about the following (there is no right to appeal):
– Research that includes treatment– Information contained in records subject to Privacy
Act– Information obtained by the covered entity from
someone other than a health care provider under a promise of confidentiality and access to which would be “reasonably likely to reveal the source of the information”
Health Assistance Partnership 13
Consumers’ Rights to Access Records (4)
• A covered entity does not have to provide access to the following, but may release it to a health care provider, if a licensed health care professional determines that (there is a right to appeal):– It is reasonably likely that access to the requested information
would endanger the life of the consumer; OR– The information makes reference to another person, it is
reasonably likely to cause substantial harm to the consumer or another person; OR
– B/c the consumer’s personal representative requested the information, it is reasonably likely to cause substantial harm to the consumer or another person
Health Assistance Partnership 14
Psychotherapy Notes
Definition: Notes by a mental health professional about a counseling session, separated from the rest of the medical record.
• Requires separate authorization.• No individual right of access.• Disclosure to oversight entity may be required by
laws governing investigation of health, safety, death or oversight of the psychotherapist.
Health Assistance Partnership 15
Fees
• A Covered Entity can charge “reasonable” cost-based fees, including the labor and supply providing costs of copying the information
• Covered entities may not charge for the labor or handling of the information or for processing the request
• A few tips:– Fees for copying and postage under state law are presumed
reasonable and state law may also provide for the release of medical records for free for low-income individuals.
– A helpful doctor (with consumer’s authorization) can often get their patient’s medical records for free. You may want to ask a doctor to request the medical records for you and then release them to you to avoid paying fees.
Health Assistance Partnership 16
Rights of P & A Advocates (1)
Covered entities may use or disclose PHI “to the extent that such use is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law.” (45 CFR 164.512(a))
Other laws give P&As rights to access:• Records of individuals not competent to consent
who have no guardian if P&A has received a complaint and has probable cause to suspect abuse or neglect;
Health Assistance Partnership 17
Rights of P & A Advocates (2)
• When there is a guardian and the agency has unsuccessfully attempted to resolve the concern through the guardian, access to records without the guardian’s consent if probable cause that the health or safety of an individual is in serious or immediate jeopardy.
• When operating outside of its mandates to investigate abuse and neglect, P&As may be subject to general HIPAA use and disclosure rules.
Health Assistance Partnership 18
Rights of Other Types of Consumer Advocates
• Consumer advocates may access medical records with a proper authorization (next slide).
Health Assistance Partnership 19
Authorization (1)
1. Must be separate from other general authorization forms; and
2. A description of the information that may be disclosed (can be very general and request the entire record of a particular provider); and
3. The covered entity, person or persons authorized to disclose the information; and
4. The name of the person(s) authorized to receive the information; and
5. An expiration date or event (ex. “Until completion of my appeal”); and
Health Assistance Partnership 20
Authorization (2)
6. The signature of the consumer and the date (may also be signed by the “personal representative along w/ a description of their authority); and
7. A statement of the individual’s right to revoke the authorization; and
8. A statement that information disclosed may be subject to redisclosure if the recipient is not a covered entity under HIPAA*
Health Assistance Partnership 21
Rights of Personal Representatives
• Personal Representatives Step into the Shoes of the Consumer and May Access Records Without An Authorization– authority is limited to information that is
relevant to such personal representation• Personal representatives are:
1. Parents of minor and unemancipated children; OR
2. Individuals who have authority under other law to act on behalf of the consumer in making decisions related to health care.
Health Assistance Partnership 22
Rights of Family Members
• May be given information relevant to their involvement in care or payment for care if the individual is present and doesn’t object.
• If they are the personal representative (e.g., parent of minor; legal guardian) step into individual’s shoes.
• Can be denied access if entity believes the individual may be subject to violence, abuse, neglect, or endangerment by representative.
Health Assistance Partnership 23
General Directory Information
• A facility can disclose an individual’s location and general condition to people asking about the individual by name. The individual can opt not to have this information disclosed.
Health Assistance Partnership 24
Consumer’s Rights to Amend or Supplement Records (1)
• Consumers’ have a right that “covered entities” amend their “personal health information” within 60 days from the date the request is received
• This deadline may be extended 30 days if the covered entity provides a written statement with reason for the delay
Health Assistance Partnership 25
Consumer’s Rights to Amend or Supplement Records (2)
• The Amendment may be denied if the record: 1. was not created by the covered entity unless the
originator of the PHI is no longer available to make the amendment; OR
2. was not part of the record set; OR 3. is available for inspection
• If an entity accepts the request, it must: 1. make the amendment; AND2. inform the consumer; AND3. provide amendment to entities identified by
consumer and other entities known to have received erroneous information
Health Assistance Partnership 26
Interaction with State Law? (1)
• The HIPAA privacy regulation establishes a federal floor for protecting privacy and providing access to medical records
• State laws that are “contrary” to federal law, and will not remain in effect. “Contrary” means:– A covered entity would find it impossible to comply
with both the state and federal requirements; OR– The state law conflicts with the HIPAA Statute’s
provisions on privacy
Health Assistance Partnership 27
Interaction with State Law? (2)
• State laws “more stringent” than the federal rule will remain in effect. “More stringent” means:– With respect to patient privacy, a state law is more
stringent when it provides consumers greater privacy protections.
– With respect to patient access, a state law is more stringent when it provides consumers greater access to medical records.
• For review of state law, see the appendix of the Health Privacy Project’s The State of Health Privacy http://www.georgetown.edu/research/ihcrp/privacy/statereport.pdf
Health Assistance Partnership 28
Interaction with Federal Law (1)
• Covered entities subject to the HIPAA Privacy Rule are also subject to other federal statutes and regulations.
• There should be few conflicts between a federal statute or regulation and the HIPAA Privacy Rule.
• In cases where a potential conflict appears, HHS would attempt to resolve it so that both laws apply.
Health Assistance Partnership 29
Interaction with Federal Law (2)
• Our issue brief provides an overview of four federal health care laws/regulations: – Medicaid Managed Care Regulation– ERISA Claims Procedures Regulation– Nursing Home Rights Law– Medicare + Choice Regulation
Health Assistance Partnership 30
Filing Complaints (1)
• There is no private cause of action under the regulation itself.
• Consumer may file a complaint with the Secretary of HHS
• Three requirements to filing a complaint:1. filed in writing (paper or electronically)2. name the entity and describe how the entity violated
the regulation (by acts or omissions)3. filed within 180 days of when the complainant knew
(or should have known) that the regulation was violated. The secretary can waive this if there is a showing of good cause.
Health Assistance Partnership 31
Filing Complaints (2)
• After complaint is filed, HHS may:– conduct an investigation– attempt to solve the matter informally– impose $100-$25,000 civil penalty per
year for each standard violated– Impose criminal penalties for certain
wrongful disclosures• Helpful Complaint Form is Available from the
Health Privacy Project at www.healthprivacy.org
Health Assistance Partnership 32
Helpful Resources (1)
Rights to Access Medical Records Under the HIPAA Privacy Regulation http://www.healthassistancepartnership.org
HIPAA Privacy Regulation: Questions and Answers for Consumer Health Assistance Programs http://www.healthassistancepartnership.org
The complete HIPAA privacy regulation text (unofficial version) http://www.hhs.gov/ocr/combinedregtext.pdf
Health Assistance Partnership 33
Helpful Resources (2)
• HHS HIPAA Privacy Website, http://www.hhs.gov/ocr/hipaa/finalreg.html
• HHS decision tool for identifying covered entities http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
The Health Privacy Project’s Summary of HIPAA Privacy Regulation http://www.healthprivacy.org/usr_doc/RegSummary2002.pdf
Health Assistance Partnership 34
Our Contact Information
• Sonya Schwartz [email protected]
• Cheryl Fish-Parcham [email protected]
Health Assistance Partnership
A Project of Families USA
1334 G Street, NW
Washington, DC 20005
(202) 737-6340
www.healthassistancepartnership.org