Slide1
PATIENT PRIVACY RIGHTS UNDER HIPAA
Educational Presentation by the HIPAA Collaborative of Wisconsin – HIPAA COW
Original Version: April 2003; Updated September 2017
Slide2
DISCLAIMER
HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to this Presentation (“Document”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Document. You may use this Document for your own non-commercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Document is provided to the recipient free of charge. If information is excerpted from this Document and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Document may not be sold for profit or used in commercial documents or applications. This Document is provided “as is” without any express or implied warranty. This Document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Document. Therefore, this Document may need to be modified in order to comply with Wisconsin/State law.
Slide3
HIPAA PRIVACY RULE
In 2003, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule established patient privacy rights with regard to protected health information (PHI).
Protected Health Information (PHI): The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Slide4
PHI – FURTHER DEFINED
“Individually identifiable health information” is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Slide5
COVERED ENTITY
HIPAA covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities. HIPAA-covered entities include health plans, clearinghouses, and certain health care providers (hospitals, clinics, physicians, pharmacies, nursing homes, etc.).
Slide6
PATIENT PRIVACY RIGHTS
- Right to Receive Notice of Privacy Practices
- Right to Request Restrictions on Use and Disclosure of Protected Health Information
- Right to Receive Confidential Communications
- Right to Access, Inspect and Copy Protected Health Information
- Right to Amend Protected Health Information
- Right to Receive an Accounting of Disclosures of Protected Health Information
Slide7
RIGHT TO RECEIVE NOTICE OF PRIVACY PRACTICES
- Each covered entity (CE) must provide a notice of its privacy practices.
- The notice must describe the ways in which the CE may use and disclose PHI.
- The notice must state the CE’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice.
- The notice must describe individuals’ rights, including the right to complain to HHS and to the CE if they believe their privacy rights have been violated.
- The notice must include a point of contact for further information and for making complaints to the CE.
- Covered entities must act in accordance with their notices.
Slide8
RIGHT TO REQUEST RESTRICTIONS
Individuals have the right to request that a CE restrict use or disclosure of PHI for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual’s general condition, location, or death.
Slide9
RIGHT TO REQUEST RESTRICTIONS - CONTINUED
- A CE is under no obligation to agree to requests for restrictions.
- A CE that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.
Slide10
RESTRICTION: SELF-PAY OPTION
- An update to the HIPAA Privacy Rule, effective in 2013, clarified the right of a patient to prevent a provider from reporting information to a health insurer if the patient pays in full.
- This provision presents an information management challenge for healthcare providers.
Slide11
RESTRICTION: SELF-PAY OPTION CONTINUED
A patient has the firm right to demand that a health care provider not disclose the patient’s PHI to the patient’s health plan if these conditions are met:
- The patient makes a Request to Restrict disclosure;
- The disclosure is to a health plan for payment or health care operations;
- The disclosure is not required by law; and
- The PHI pertains solely to health care for which the patient (or someone on behalf of the patient) has paid in full out of pocket.
Slide12
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS
- CEs must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs.
- For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the CE send communications in a closed envelope rather than a post card.
- CEs must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the PHI could endanger the individual.
Slide13
CONFIDENTIAL COMMUNICATIONS - CONTINUED
- The CE may require this request in writing.
- The CE may evaluate this request based on:
  - Information on how payment will be handled
  - Specification of an alternate address
  - Added costs and logistics required to accommodate the request
- The CE cannot require a reason for the request.
Slide14
RIGHT TO ACCESS, INSPECT, AND COPY PHI
- Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a CE’s designated record set.
- The “designated record set” is that group of records maintained by or for a CE that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical record systems.
Slide15
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
The Rule excludes from the right of access the following protected health information:
- Psychotherapy notes
- Information compiled for civil, criminal, or legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access, or information held by certain research laboratories
Slide16
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
For information included within the right of access, CEs may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion.
Slide17
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A Covered Entity may deny access without the opportunity for review when:
- Access is protected by the Federal Privacy Act
- PHI was obtained under a promise of confidentiality and access would reveal the source of the PHI
Slide18
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A CE may deny access and give an individual the right to appeal when:
- A licensed healthcare professional believes the request may likely endanger the life or physical safety of the individual or another person.
- The PHI references another person and a licensed professional believes that access would cause substantial harm to that other person.
- Access is requested by an individual’s representative and a licensed professional believes access would cause substantial harm to the individual or another person.
Slide19
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A requesting individual may appeal a denial of his/her right to access PHI and:
- The appointed reviewer cannot have participated in the decision to deny access.
- The CE must act on the request within 30 days. Added response time of an additional 30 or 60 days is allowed in special circumstances.
Slide20
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
When agreeing to provide access, the CE:
- Must provide inspection or copies as requested
- Must provide PHI in the format requested
- Must provide PHI in a timely manner
- May collect cost-based fees for copying, postage, preparation, etc. (provided the CE had informed the individual of such fees)
Slide21
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
If the CE denies access, it must:
- Provide access to other PHI where access was not denied.
- Provide a timely denial in plain language including basis for the denial, listing review rights and complaint procedures.
- Identify the keeper of the PHI requested – if not this CE.
- If requested, designate a licensed professional to review the decision to deny, and inform the individual of that review decision in a timely way.
Slide22
RIGHT TO REQUEST AMENDMENT
- Individuals have the right to request that CEs amend their PHI in a designated record set when that information is inaccurate or incomplete.
- If a CE accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the CE knows might rely on the information to the individual’s detriment.
Slide23
RIGHT TO REQUEST AMENDMENT - CONTINUED
- If the amendment request is denied, the CE must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.
- The Privacy Rule specifies processes for requesting and responding to a request for amendment.
- A CE must amend protected health information in its designated record set upon receipt of notice to amend from another CE.
Slide24
RIGHT TO REQUEST AMENDMENT - CONTINUED
A CE may deny the request if the PHI:
- Was not created by the CE.
- Is not part of the individual’s designated record set.
- Would not be available for inspection (e.g., psychotherapy notes).
- Is determined accurate and complete.
Slide25
RIGHT TO REQUEST AMENDMENT - CONTINUED
In reviewing amendment requests, the CE:
- May require requests in writing
- May require a reason to support the request
- Must act on the request within 60 days (with a 30-day extension in certain circumstances)
Slide26
RIGHT TO REQUEST AMENDMENT - CONTINUED
If accepting the amendment, the CE must:
- Identify records amended and provide a link to the amendment location.
- Inform the individual of the amendment.
- Inform other affected persons as designated by the individual or business associates who may rely on the information.
Slide27
RIGHT TO REQUEST AMENDMENT - CONTINUED
If denying the amendment, the CE must:
- Provide a timely denial in plain language
- Include the basis for the denial
- Allow for a statement of disagreement from the individual
- Allow for a statement reflecting the request with subsequent disclosures of the PHI
- Identify the complaint process
Slide28
RIGHT TO REQUEST AMENDMENT - CONTINUED
- The individual may submit a statement of disagreement with the denial.
- The CE may issue a rebuttal of the statement of disagreement and give the individual a copy.
- The CE must record in the record and create links to any requests, denials, disagreements and rebuttals.
Slide29
RIGHT TO REQUEST AMENDMENT - CONTINUED
- Future disclosures of PHI that have been the subject of a denied request for amendment must include documents related to the request.
- Accepted amendments must be shared among CEs so all appropriate records are amended.
- A CE must document persons responsible for processing amendment requests and must retain documents for at least 6 years.
Slide30
RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES
- Individuals have a right to an accounting of the disclosures of their PHI by a CE or the CE’s business associates.
- The maximum disclosure accounting period is the six years immediately preceding the accounting request.
Slide31
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The Privacy Rule does not require accounting for disclosures:
- For treatment, payment, or health care operations
- To the individual or the individual’s personal representative
- For notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories
- Pursuant to an authorization
- Of a limited data set
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody
- Incident to otherwise permitted or required uses or disclosures
Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.
Slide32
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The Privacy Rule does not require accounting for disclosures:
- For use in the facility directory
- For national security or intelligence purposes
- To correctional facilities or law enforcement on behalf of inmates
- As part of a limited data set
Slide33
DISCLOSURES REQUIRING ACCOUNTING INCLUDE:
- Required by law
- For public health activities
- Victims of abuse, neglect, violence
- Health oversight activities
- Judicial/Admin proceedings
- Law enforcement purposes
- About decedents
- Organ/eye/tissue donations
- Research purposes
- To avert threat to health and safety
- For specialized government functions
- Workers’ compensation
Slide34
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
- A CE must suspend accounting of disclosures to an agency or law enforcement if the accounting is likely to impede the agency’s activity.
- An individual may request an accounting for disclosures as far back as six years before the time of the request, but to start no earlier than April 14, 2003.
Slide35
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The accounting must include:
- Date of disclosure
- Name and address (if known) of recipient
- Brief description of PHI disclosed
- Brief reason for disclosure or copy of request
Multiple disclosures to the same requestor may be batched, as appropriate.
Slide36
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
When related to research with 50 or more people, the accounting should provide:
- Name of research protocol
- Purpose of research and how records selected
- Description of PHI that was disclosed
- Dates disclosures occurred
- Contact information for research sponsor
- Statement about possible disclosure of PHI
- Assistance in contacting the research sponsor
Slide37
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
- A CE should routinely respond to a request for accounting within 60 days (30-day extension allowed in certain situations).
- The first in a 12-month period is free. Subsequent requests may have a cost-based fee (if previously stated).
- The requestor may modify the request based on the fee.
Slide38
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
A Covered Entity must document and keep for six (6) years:
- Information required in the accounting
- The written accounting that is provided
- Titles of persons or offices responsible for processing accounting requests
Slide39
RESOURCES
- Summary of the HIPAA Privacy Rule @ HHS.gov
- HIPAA Collaborative of Wisconsin (HIPAA COW) – Multiple Policies, Presentations, and Other Deliverables
Slide40
VERSION HISTORY
2003 Version:
Primary Author: Richard Reynolds, FHIMSS
Review Group: Karen Bauer; Joan Benson, MBA; Anthony Cooper, FHFMA, CFE; William Jensen, MBA; Tammy Kritz, MBA; Jennifer Laughlin, RHIA; Christine Lidbury; Beth Zallar, MS, RHIA
2017 Update:
Nancy Davis, MS, RHIA, CHPS
Chrisann Lemery, MS, RHIA, CHPS