Accessing Medical Records and the HIPAA Privacy Regulation - PowerPoint PPT Presentation

1
Accessing Medical Records and the HIPAA Privacy
Regulation
  • Cheryl Fish-Parcham and Sonya Schwartz
  • Health Assistance Partnership
  • Prepared for the NAPAS Conference
  • May 31, 2003

2
HIPAA Privacy Regulation Myths
  • HIPAA is a large herbivorous 4-toed mammal.
  • Consumers will not be able to access their own
    medical records.
  • Advocates will no longer be able to access
    medical records for their clients.

3
Presentation Overview
  • HIPAA Privacy Regulation Authority and Basics
  • Consumers' Right to Access Records
  • Rights of P&A Advocates, Other Advocates,
    Family Members and Personal Representatives to
    Access Records
  • Consumers' Right to Amend Records
  • HIPAA Privacy Regulation's Interaction with State
    and Federal Law
  • Complaints
  • Resources

4
Authority
  • The HIPAA Privacy Regulation arises out of the
    Administrative Simplification measures of the
    Health Insurance Portability and
    Accountability Act of 1996
  • The HIPAA Privacy Regulation can be found at 45
    CFR Parts 160 and 164
  • HIPAA Privacy Regulation Compliance Deadlines:
  • April 14, 2003 for all covered entities
  • April 14, 2004 for small health plans

5
HIPAA Privacy Regulation Basics
  • Applies only to personal health information.
  • Applies to covered entities.
  • Protects the privacy of health information.
  • Provides access to health information.

6
Basics: Personal Health Information (PHI)
  • The HIPAA Privacy Regulation only applies to PHI,
    which must be both:
  • Health information: any oral or recorded
    information relating to past, present or future
    physical or mental health of an individual AND
  • Individually identifiable: identifies or can
    reasonably be used to identify the individual,
    and not information where the identity has been
    removed

7
Basics: Covered Entity
  • A Health Plan: The regulation is very broad here
    and includes any individual or group plan that
    provides or pays for medical care, including
    private and government plans. (However,
    employers who sponsor plans are not covered
    entities.) OR
  • A Health Care Clearinghouse: A term of art that
    refers to entities that translate health
    information received from other entities in a
    standard format OR
  • A Certain Health Care Provider: Providers are
    defined broadly (homeopaths, pharmacists) but
    must electronically transmit (not fax) health
    information in standard format.

8
Basics: Privacy Protections
  • Generally, covered entities cannot use or
    disclose PHI.
  • However, covered entities may disclose PHI:
  • pursuant to an authorization (described later),
  • for treatment, payment or health care operations,
  • for public health and other specific purposes,
  • pursuant to a business associate agreement.
  • Covered entities must disclose PHI:
  • to the individual,
  • when required by HHS to determine compliance.

9
Basics: Access Protections
  • Consumers have a right to access their own
    medical records.
  • P&A advocates acting within their mandate have
    a right to access medical records.
  • Other consumer advocates or P&A advocates
    acting outside of their mandate may also access
    medical records with a written authorization from
    the patient.
  • Certain personal representatives have a right
    to access medical records without a written
    authorization.

10
Consumers' Rights to Access Records (1)
  • Consumers have a right to inspect and obtain a copy
    of records within 30 days from the date the request
    is received.
  • Under certain conditions (see next slides), a
    covered entity can deny access to certain
    information, but it must give the consumer a
    written denial in 30 days containing:
  • the basis for the denial AND
  • a statement about review rights AND
  • information about how to file a complaint with
    HHS

11
Consumers' Rights to Access Records (2)
  • A covered entity does not have to provide access
    or allow consumers to review decisions about the
    following (there is no right to appeal):
  • Psychotherapy notes (see definition ahead)
  • Information compiled for use in a civil, criminal
    or administrative action or proceeding
  • PHI maintained by a covered entity required by
    the Clinical Laboratory Improvements Amendments
  • Information requested by an inmate under certain
    circumstances

12
Consumers' Rights to Access Records (3)
  • A covered entity does not have to provide access
    or allow consumers to review decisions about the
    following (there is no right to appeal):
  • Research that includes treatment
  • Information contained in records subject to
    the Privacy Act
  • Information obtained by the covered entity from
    someone other than a health care provider under a
    promise of confidentiality and access to which
    would be reasonably likely to reveal the source
    of the information

13
Consumers' Rights to Access Records (4)
  • A covered entity does not have to provide access
    to the following, but may release it to a health
    care provider, if a licensed health care
    professional determines that (there is a right to
    appeal):
  • It is reasonably likely that access to the
    requested information would endanger the life of
    the consumer OR
  • The information makes reference to another
    person and it is reasonably likely to cause
    substantial harm to the consumer or another
    person OR
  • Because the consumer's personal representative
    requested the information, it is reasonably
    likely to cause substantial harm to the consumer
    or another person

14
Psychotherapy Notes
  • Definition: Notes by a mental health professional
    about a counseling session, separated from the
    rest of the medical record.
  • Requires separate authorization.
  • No individual right of access.
  • Disclosure to oversight entity may be required by
    laws governing investigation of health, safety,
    death or oversight of the psychotherapist.

15
Fees
  • A covered entity can charge reasonable
    cost-based fees, including the labor and supply
    costs of copying the information
  • Covered entities may not charge for the labor or
    handling of the information or for processing the
    request
  • A few tips:
  • Fees for copying and postage under state law are
    presumed reasonable and state law may also
    provide for the release of medical records for
    free for low-income individuals.
  • A helpful doctor (with the consumer's authorization)
    can often get their patients' medical records for
    free. You may want to ask a doctor to request the
    medical records for you and then release them to
    you to avoid paying fees.

16
Rights of P&A Advocates (1)
  • Covered entities may use or disclose PHI to the
    extent that such use is required by law and the
    use or disclosure complies with and is limited to
    the relevant requirements of the law. (45 CFR
    164.512(a))
  • Other laws give P&As rights to access:
  • Records of individuals not competent to consent
    who have no guardian if the P&A has received a
    complaint and has probable cause to suspect abuse
    or neglect

17
Rights of P&A Advocates (2)
  • When there is a guardian and the agency has
    unsuccessfully attempted to resolve the concern
    through the guardian, access to records without
    the guardian's consent if there is probable cause that the
    health or safety of an individual is in serious
    or immediate jeopardy.
  • When operating outside of their mandates to
    investigate abuse and neglect, P&As may be
    subject to general HIPAA use and disclosure
    rules.

18
Rights of Other Types of Consumer Advocates
  • Consumer advocates may access medical records
    with a proper authorization (next slide).

19
Authorization (1)
  • Must be separate from other general authorization
    forms and
  • A description of the information that may be
    disclosed (can be very general and request the
    entire record of a particular provider) and
  • The covered entity, person or persons authorized
    to disclose the information and
  • The name of the person(s) authorized to receive
    the information and
  • An expiration date or event (ex. Until
    completion of my appeal) and

20
Authorization (2)
  • 6. The signature of the consumer and the date
    (may also be signed by the personal
    representative along with a description of their
    authority) and
  • 7. A statement of the individual's right to
    revoke the authorization and
  • 8. A statement that information disclosed may be
    subject to redisclosure if the recipient is not a
    covered entity under HIPAA

21
Rights of Personal Representatives
  • Personal Representatives Step into the Shoes of
    the Consumer and May Access Records Without An
    Authorization
  • Authority is limited to information that is
    relevant to such personal representation
  • Personal representatives are:
  • Parents of minor and unemancipated children OR
  • Individuals who have authority under other law to
    act on behalf of the consumer in making decisions
    related to health care.

22
Rights of Family Members
  • May be given information relevant to their
    involvement in care or payment for care if the
    individual is present and doesn't object.
  • If they are the personal representative (e.g.,
    parent of minor, legal guardian), they step into the
    individual's shoes.
  • Can be denied access if entity believes the
    individual may be subject to violence, abuse,
    neglect, or endangerment by representative.

23
General Directory Information
  • A facility can disclose an individual's location
    and general condition to people asking about the
    individual by name. The individual can opt not to
    have this information disclosed.

24
Consumers' Rights to Amend or Supplement Records (1)
  • Consumers have a right to have covered entities
    amend their personal health information within
    60 days from the date the request is received
  • This deadline may be extended 30 days if the
    covered entity provides a written statement with
    reason for the delay

25
Consumers' Rights to Amend or Supplement Records (2)
  • The amendment may be denied if the record:
  • was not created by the covered entity unless the
    originator of the PHI is no longer available to
    make the amendment OR
  • was not part of the record set OR
  • is available for inspection
  • If an entity accepts the request, it must:
  • make the amendment AND
  • inform the consumer AND
  • provide amendment to entities identified by
    consumer and other entities known to have
    received erroneous information

26
Interaction with State Law? (1)
  • The HIPAA privacy regulation establishes a
    federal floor for protecting privacy and
    providing access to medical records
  • State laws that are contrary to federal law
    will not remain in effect. Contrary means:
  • A covered entity would find it impossible to
    comply with both the state and federal
    requirements OR
  • The state law conflicts with the HIPAA statute's
    provisions on privacy

27
Interaction with State Law? (2)
  • State laws more stringent than the federal rule
    will remain in effect. More stringent means:
  • With respect to patient privacy, a state law is
    more stringent when it provides consumers greater
    privacy protections.
  • With respect to patient access, a state law is
    more stringent when it provides consumers greater
    access to medical records.
  • For review of state law, see the appendix of the
    Health Privacy Project's The State of Health
    Privacy: http://www.georgetown.edu/research/ihcrp/privacy/statereport.pdf

28
Interaction with Federal Law (1)
  • Covered entities subject to the HIPAA Privacy
    Rule are also subject to other federal statutes
    and regulations.
  • There should be few conflicts between a federal
    statute or regulation and the HIPAA Privacy Rule.
  • In cases where a potential conflict appears, HHS
    would attempt to resolve it so that both laws
    apply.

29
Interaction with Federal Law (2)
  • Our issue brief provides an overview of four
    federal health care laws/regulations:
  • Medicaid Managed Care Regulation
  • ERISA Claims Procedures Regulation
  • Nursing Home Rights Law
  • Medicare+Choice Regulation

30
Filing Complaints (1)
  • There is no private cause of action under the
    regulation itself.
  • Consumers may file a complaint with the Secretary
    of HHS
  • Three requirements for filing a complaint:
  • filed in writing (paper or electronically)
  • name the entity and describe how the entity
    violated the regulation (by acts or omissions)
  • filed within 180 days of when the complainant
    knew (or should have known) that the regulation
    was violated. The Secretary can waive this if
    there is a showing of good cause.

31
Filing Complaints (2)
  • After a complaint is filed, HHS may:
  • conduct an investigation
  • attempt to solve the matter informally
  • impose a $100-$25,000 civil penalty per year for
    each standard violated
  • impose criminal penalties for certain wrongful
    disclosures
  • A helpful complaint form is available from the
    Health Privacy Project at www.healthprivacy.org

32
Helpful Resources (1)
  • Rights to Access Medical Records Under the HIPAA
    Privacy Regulation: http://www.healthassistancepartnership.org
  • HIPAA Privacy Regulation Questions and Answers
    for Consumer Health Assistance Programs:
    http://www.healthassistancepartnership.org
  • The complete HIPAA privacy regulation text
    (unofficial version): http://www.hhs.gov/ocr/combinedregtext.pdf

33
Helpful Resources (2)
  • HHS HIPAA Privacy Website: http://www.hhs.gov/ocr/hipaa/finalreg.html
  • HHS decision tool for identifying covered
    entities: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
  • The Health Privacy Project's Summary of HIPAA
    Privacy Regulation: http://www.healthprivacy.org/usr_doc/RegSummary2002.pdf

34
Our Contact Information
  • Sonya Schwartz: sschwartz_at_healthassistancepartnership.org
  • Cheryl Fish-Parcham: cparcham_at_healthassistancepartnership.org
  • Health Assistance Partnership
  • A Project of Families USA
  • 1334 G Street, NW
  • Washington, DC 20005
  • (202) 737-6340
  • www.healthassistancepartnership.org