Title: Accessing Medical Records and the HIPAA Privacy Regulation
1Accessing Medical Records and the HIPAA Privacy
Regulation
- Cheryl Fish-Parcham and Sonya Schwartz
- Health Assistance Partnership
- Prepared for the NAPAS Conference
- May 31, 2003
2HIPAA Privacy Regulation Myths
- HIPAA is a large herbivorous 4-toed mammal.
- Consumers will not be able to access their own
medical records. - Advocates will no longer be able to access
medical records for their clients.
3Presentation Overview
- HIPAA Privacy Regulation Authority and Basics
- Consumers Right to Access Records
- Rights of P A Advocates, Other Advocates,
Family Members and Personal Representatives to
Access Records - Consumers Right to Amend Records
- HIPAA Privacy Regulations Interaction with State
and Federal Law - Complaints
- Resources
4Authority
- The HIPAA Privacy Regulation Arises out of the
Administrative Simplification measures of the
the Health Insurance Portability and
Accountability Act of 1996 - The HIPAA Privacy Regulation can be found at 45
CFR Part 160 and 164 - HIPAA Privacy Regulation Compliance Deadlines
- April 14, 2003 for all covered entities
- April 14, 2004 for small health plans
5HIPAA Privacy Regulation Basics
- Applies only to personal health information.
- Applies to covered entities.
- Protects the privacy of health information.
- Provides access to health information.
6Basics Personal Health Information (PHI)
- The HIPAA Privacy Regulation only applies to PHI,
which must be both - Health information any oral or recorded
information relating to past, present or future
physical or mental health of an individual AND - Individually identifiable identifies or can
reasonably be used to identify the individual,
and not information where the identity has been
removed
7Basics Covered Entity
- A Health plan The regulation is very broad here
and includes individual or group plan that
provides or pays for medical care, including
private and government plans. (However,
employers who sponsor plans are not covered
entities) OR - A Health Care Clearinghouse A term of art that
refers to entities that translates health
information received from other entities in a
standard format OR - A Certain Health Care Provider Providers are
defined broadly (homeopaths, pharmacists) but
must electronically transmit (not fax) health
information in standard format.
8Basics Privacy Protections
- Generally, covered entities cannot use or
disclose PHI. - However, covered entities may disclose PHI
- pursuant to an authorization (described later),
- for treatment, payment or health care operations,
- for public health and other specific purposes,
- pursuant to a business associate agreement,
- Covered entities must disclose PHI
- to the individual,
- when required by HHS to determine compliance
9Basics Access Protections
- Consumers have a right to access their own
medical records. - P A advocates acting within their mandate have
a right to access medical records. - Other consumer advocates or P A advocates
acting outside of their mandate may also access
medical records with a written authorization from
the patient. - Certain personal representatives have a right
to access medical records without a written
authorization.
10Consumers Rights to Access Records (1)
- Consumers have a right to inspect, obtain a copy
records within 30 days from the date the request
is received. - Under certain conditions (see next slides), a
covered entity can deny access to certain
information, but it must give the consumer a
written denial in 30 days containing - the basis for the denial AND
- a statement about review rights AND
- information about how to file a complaint with
HHS
11Consumers Rights to Access Records (2)
- A covered entity does not have to provide access
or allow consumers to review decisions about the
following (there is no right to appeal) - Psychotherapy notes (see definition ahead)
- Information compiled for use in a civil, criminal
or administrative action or proceeding - PHI maintained by a covered entity required by
the Clinical Laboratory Improvements Amendments - Information requested by an inmate under certain
circumstances
12Consumers Rights to Access Records (3)
- A covered entity does not have to provide access
or allow consumers to review decisions about the
following (there is no right to appeal) - Research that includes treatment
- Information contained in records subject to
Privacy Act - Information obtained by the covered entity from
someone other than a health care provider under a
promise of confidentiality and access to which
would be reasonably likely to reveal the source
of the information
13Consumers Rights to Access Records (4)
- A covered entity does not have to provide access
to the following, but may release it to a health
care provider, if a licensed health care
professional determines that (there is a right to
appeal) - It is reasonably likely that access to the
requested information would endanger the life of
the consumer OR - The information makes reference to another
person, it is reasonably likely to cause
substantial harm to the consumer or another
person OR - B/c the consumers personal representative
requested the information, it is reasonably
likely to cause substantial harm to the consumer
or another person
14Psychotherapy Notes
- Definition Notes by a mental health professional
about a counseling session, separated from the
rest of the medical record. - Requires separate authorization.
- No individual right of access.
- Disclosure to oversight entity may be required by
laws governing investigation of health, safety,
death or oversight of the psychotherapist.
15Fees
- A Covered Entity can charge reasonable
cost-based fees, including the labor and supply
providing costs of copying the information - Covered entities may not charge for the labor or
handling of the information or for processing the
request - A few tips
- Fees for copying and postage under state law are
presumed reasonable and state law may also
provide for the release of medical records for
free for low-income individuals. - A helpful doctor (with consumers authorization)
can often get their patients medical records for
free. You may want to ask a doctor to request the
medical records for you and then release them to
you to avoid paying fees.
16Rights of P A Advocates (1)
- Covered entities may use or disclose PHI to the
extent that such use is required by law and the
use or disclosure complies with and is limited to
the relevant requirements of the law. (45 CFR
164.512(a)) - Other laws give PAs rights to access
- Records of individuals not competent to consent
who have no guardian if PA has received a
complaint and has probable cause to suspect abuse
or neglect
17Rights of P A Advocates (2)
- When there is a guardian and the agency has
unsuccessfully attempted to resolve the concern
through the guardian, access to records without
the guardians consent if probable cause that the
health or safety of an individual is in serious
or immediate jeopardy. - When operating outside of its mandates to
investigate abuse and neglect, PAs may be
subject to general HIPAA use and disclosure
rules.
18Rights of Other Types of Consumer Advocates
- Consumer advocates may access medical records
with a proper authorization (next slide).
19Authorization (1)
- Must be separate from other general authorization
forms and - A description of the information that may be
disclosed (can be very general and request the
entire record of a particular provider) and - The covered entity, person or persons authorized
to disclose the information and - The name of the person(s) authorized to receive
the information and - An expiration date or event (ex. Until
completion of my appeal) and
20Authorization (2)
- 6. The signature of the consumer and the date
(may also be signed by the personal
representative along w/ a description of their
authority) and - 7. A statement of the individuals right to
revoke the authorization and - 8. A statement that information disclosed may be
subject to redisclosure if the recipient is not a
covered entity under HIPAA
21Rights of Personal Representatives
- Personal Representatives Step into the Shoes of
the Consumer and May Access Records Without An
Authorization - authority is limited to information that is
relevant to such personal representation - Personal representatives are
- Parents of minor and unemancipated children OR
- Individuals who have authority under other law to
act on behalf of the consumer in making decisions
related to health care.
22Rights of Family Members
- May be given information relevant to their
involvement in care or payment for care if the
individual is present and doesnt object. - If they are the personal representative (e.g.,
parent of minor legal guardian) step into
individuals shoes. - Can be denied access if entity believes the
individual may be subject to violence, abuse,
neglect, or endangerment by representative.
23General Directory Information
- A facility can disclose an individuals location
and general condition to people asking about the
individual by name. The individual can opt not to
have this information disclosed.
24Consumers Rights to Amend or Supplement Records
(1)
- Consumers have a right that covered entities
amend their personal health information within
60 days from the date the request is received - This deadline may be extended 30 days if the
covered entity provides a written statement with
reason for the delay
25Consumers Rights to Amend or Supplement Records
(2)
- The Amendment may be denied if the record
- was not created by the covered entity unless the
originator of the PHI is no longer available to
make the amendment OR - was not part of the record set OR
- is available for inspection
- If an entity accepts the request, it must
- make the amendment AND
- inform the consumer AND
- provide amendment to entities identified by
consumer and other entities known to have
received erroneous information
26Interaction with State Law? (1)
- The HIPAA privacy regulation establishes a
federal floor for protecting privacy and
providing access to medical records - State laws that are contrary to federal law,
and will not remain in effect. Contrary means - A covered entity would find it impossible to
comply with both the state and federal
requirements OR - The state law conflicts with the HIPAA Statutes
provisions on privacy
27Interaction with State Law? (2)
- State laws more stringent than the federal rule
will remain in effect. More stringent means - With respect to patient privacy, a state law is
more stringent when it provides consumers greater
privacy protections. - With respect to patient access, a state law is
more stringent when it provides consumers greater
access to medical records. - For review of state law, see the appendix of the
Health Privacy Projects The State of Health
Privacy http//www.georgetown.edu/research/ihcrp/p
rivacy/statereport.pdf
28Interaction with Federal Law (1)
- Covered entities subject to the HIPAA Privacy
Rule are also subject to other federal statutes
and regulations. - There should be few conflicts between a federal
statute or regulation and the HIPAA Privacy Rule.
- In cases where a potential conflict appears, HHS
would attempt to resolve it so that both laws
apply.
29Interaction with Federal Law (2)
- Our issue brief provides an overview of four
federal health care laws/regulations - Medicaid Managed Care Regulation
- ERISA Claims Procedures Regulation
- Nursing Home Rights Law
- Medicare Choice Regulation
30Filing Complaints (1)
- There is no private cause of action under the
regulation itself. - Consumer may file a complaint with the Secretary
of HHS - Three requirements to filing a complaint
- filed in writing (paper or electronically)
- name the entity and describe how the entity
violated the regulation (by acts or omissions) - filed within 180 days of when the complainant
knew (or should have known) that the regulation
was violated. The secretary can waive this if
there is a showing of good cause.
31Filing Complaints (2)
- After complaint is filed, HHS may
- conduct an investigation
- attempt to solve the matter informally
- impose 100-25,000 civil penalty per year for
each standard violated - Impose criminal penalties for certain wrongful
disclosures - Helpful Complaint Form is Available from the
Health Privacy Project at www.healthprivacy.org
32Helpful Resources (1)
- Rights to Access Medical Records Under the HIPAA
Privacy Regulation http//www.healthassistancepart
nership.org - HIPAA Privacy Regulation Questions and Answers
for Consumer Health Assistance Programs
http//www.healthassistancepartnership.org - The complete HIPAA privacy regulation text
(unofficial version) http//www.hhs.gov/ocr/combin
edregtext.pdf
33Helpful Resources (2)
- HHS HIPAA Privacy Website, http//www.hhs.gov/ocr/
hipaa/finalreg.html - HHS decision tool for identifying covered
entities http//www.cms.hhs.gov/hipaa/hipaa2/suppo
rt/tools/decisionsupport/default.asp - The Health Privacy Projects Summary of HIPAA
Privacy Regulation http//www.healthprivacy.org/us
r_doc/RegSummary2002.pdf
34Our Contact Information
- Sonya Schwartz sschwartz_at_healthassistancepartnersh
ip.org - Cheryl Fish-Parcham cparcham_at_healthassistancepartn
ership.org - Health Assistance Partnership
- A Project of Families USA
- 1334 G Street, NW
- Washington, DC 20005
- (202) 737-6340
- www.healthassistancepartnership.org