
PATIENT PRIVACY RIGHTS UNDER HIPAA - PowerPoint Presentation

karlyn-bohler
Uploaded On 2019-01-19



Presentation Transcript

Slide1

PATIENT PRIVACY RIGHTS UNDER HIPAA

Educational Presentation by the HIPAA Collaborative of Wisconsin – HIPAA COW

Original Version: April 2003; Updated September 2017

Slide2
DISCLAIMER

HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to this Presentation (“Document”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Document. You may use this Document for your own non-commercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Document is provided to the recipient free of charge. If information is excerpted from this Document and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Document may not be sold for profit or used in commercial documents or applications. This Document is provided “as is” without any express or implied warranty. This Document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Document. Therefore, this Document may need to be modified in order to comply with Wisconsin/State law.

Slide3
HIPAA PRIVACY RULE

In 2003, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule established patient privacy rights with regard to protected health information (PHI).

Protected Health Information (PHI): The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Slide4
PHI – FURTHER DEFINED

“Individually identifiable health information” is information, including demographic data, that relates to:

- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Slide5
COVERED ENTITY

HIPAA covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities. HIPAA-covered entities include health plans, clearinghouses, and certain health care providers (hospitals, clinics, physicians, pharmacies, nursing homes, etc.).

Slide6

PATIENT PRIVACY RIGHTS

- Right to Receive Notice of Privacy Practices
- Right to Request Restrictions on Use and Disclosure of Protected Health Information
- Right to Receive Confidential Communications
- Right to Access, Inspect and Copy Protected Health Information
- Right to Amend Protected Health Information
- Right to Receive an Accounting of Disclosures of Protected Health Information

Slide7
RIGHT TO RECEIVE NOTICE OF PRIVACY PRACTICES

Each covered entity (CE) must provide a notice of its privacy practices. The notice must describe the ways in which the CE may use and disclose PHI. The notice must state the CE’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the CE if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the CE. Covered entities must act in accordance with their notices.

Slide8
RIGHT TO REQUEST RESTRICTIONS

Individuals have the right to request that a CE restrict use or disclosure of PHI for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual’s general condition, location, or death.

Slide9
RIGHT TO REQUEST RESTRICTIONS - CONTINUED

A CE is under no obligation to agree to requests for restrictions.

A CE that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.

Slide10
RESTRICTION: SELF-PAY OPTION

An update to the HIPAA Privacy Rule, effective in 2013, clarified the right of a patient to prevent a provider from reporting information to a health insurer if the patient pays in full.

This provision presents an information management challenge for healthcare providers.

Slide11
RESTRICTION: SELF-PAY OPTION CONTINUED

A patient has the firm right to demand that a health care provider not disclose the patient’s PHI to the patient’s health plan if these conditions are met:

- The patient makes a Request to Restrict disclosure;
- The disclosure is to a health plan for payment or health care operations;
- The disclosure is not required by law; and
- The PHI pertains solely to health care for which the patient (or someone on behalf of the patient) has paid in full out of pocket.

Slide12
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS

CEs must permit individuals to request an alternative means or location for receiving communications of protected health information, other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the CE send communications in a closed envelope rather than a post card. CEs must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the PHI could endanger the individual.

Slide13
CONFIDENTIAL COMMUNICATIONS - CONTINUED

The CE may require this request in writing.

The CE may evaluate this request based on:

- Information on how payment will be handled
- Specification of an alternate address
- Added costs and logistics required to accommodate the request

The CE cannot require a reason for the request.

Slide14
RIGHT TO ACCESS, INSPECT, AND COPY PHI

Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a CE’s designated record set.

The “designated record set” is that group of records maintained by or for a CE that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical record systems.

Slide15
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED

The Rule excludes from the right of access the following protected health information:

- Psychotherapy notes
- Information compiled for civil, criminal, or legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access, or information held by certain research laboratories

Slide16
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED

For information included within the right of access, CEs may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion.

Slide17

RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED

A Covered Entity may deny access without the opportunity for review when:

- Access is protected by the Federal Privacy Act
- PHI was obtained under a promise of confidentiality and access would reveal the source of the PHI

Slide18
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED

A CE may deny access and give an individual the right to appeal when:

- A licensed healthcare professional believes the request may likely endanger the life or physical safety of the individual or another person.
- The PHI references another person and a licensed professional believes that access would cause substantial harm to that other person.
- Access is requested by an individual’s representative and a licensed professional believes access would cause substantial harm to the individual or another person.

Slide19
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED

A requesting individual may appeal a denial of his/her right to access PHI and:

- The appointed reviewer cannot have participated in the decision to deny access
- The CE must act on the request within 30 days. Added response time of an additional 30 or 60 days is allowed in special circumstances.

Slide20
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED

When agreeing to provide access the CE:

- Must provide inspection or copies as requested
- Must provide PHI in the format requested
- Must provide PHI in a timely manner
- May collect cost-based fees for copying, postage, preparation, etc. (provided the CE had informed the individual of such fees)

Slide21
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED

If the CE denies access, it must:

- Provide access to other PHI where access was not denied.
- Provide a timely denial in plain language including basis for the denial, listing review rights and complaint procedures.
- Identify the keeper of the PHI requested – if not this CE.
- If requested, designate a licensed professional to review the decision to deny, and inform the individual of that review decision in a timely way.

Slide22
RIGHT TO REQUEST AMENDMENT

Individuals have the right to request that CEs amend their PHI in a designated record set when that information is inaccurate or incomplete. If a CE accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the CE knows might rely on the information to the individual’s detriment.

Slide23
RIGHT TO REQUEST AMENDMENT - CONTINUED

If the amendment request is denied, the CE must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. The Privacy Rule specifies processes for requesting and responding to a request for amendment. A CE must amend protected health information in its designated record set upon receipt of notice to amend from another CE.

Slide24
RIGHT TO REQUEST AMENDMENT - CONTINUED

A CE may deny the request if the PHI:

- Was not created by the CE.
- Is not part of the individual’s designated record set.
- Would not be available for inspection (e.g., psychotherapy notes).
- Is determined accurate and complete.

Slide25
RIGHT TO REQUEST AMENDMENT - CONTINUED

In reviewing amendment requests the CE:

- May require requests in writing
- May require a reason to support the request
- Must act on the request within 60 days (with 30 day extension in certain circumstances)

Slide26
RIGHT TO REQUEST AMENDMENT - CONTINUED

If accepting the amendment, the CE must:

- Identify records amended and provide a link to the amendment location.
- Inform the individual of the amendment.
- Inform other affected persons as designated by the individual or business associates who may rely on the information.

Slide27
RIGHT TO REQUEST AMENDMENT - CONTINUED

If denying the amendment the CE must:

- Provide a timely denial in plain language
- Include the basis for the denial
- Allow for a statement of disagreement from the individual
- Allow for a statement reflecting the request with subsequent disclosures of the PHI
- Identify the complaint process

Slide28

RIGHT TO REQUEST AMENDMENT - CONTINUED

- The individual may submit a statement of disagreement with the denial.
- The CE may issue a rebuttal of the statement of disagreement and give the individual a copy.
- The CE must record in the record and create links to any requests, denials, disagreements and rebuttals.

Slide29

RIGHT TO REQUEST AMENDMENT - CONTINUED

- Future disclosures of PHI that have been the subject of a denied request for amendment must include documents related to the request.
- Accepted amendments must be shared among CEs so all appropriate records are amended.
- A CE must document persons responsible for processing amendment requests and must retain documents for at least 6 years.

Slide30
RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES

Individuals have a right to an accounting of the disclosures of their PHI by a CE or the CE’s business associates.

The maximum disclosure accounting period is the six years immediately preceding the accounting request.

Slide31
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED

The Privacy Rule does not require accounting for disclosures:

- For treatment, payment, or health care operations
- To the individual or the individual’s personal representative
- For notification of or to persons involved in an individual’s health care or payment for health care
- For disaster relief, or for facility directories
- Pursuant to an authorization
- Of a limited data set
- For national security or intelligence purposes
- To correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody
- Incident to otherwise permitted or required uses or disclosures

Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.

Slide32
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED

The Privacy Rule does not require accounting for disclosures:

- For use in the facility directory
- For national security or intelligence purposes
- To correctional facilities or law enforcement on behalf of inmates
- As part of a limited data set

Slide33
DISCLOSURES REQUIRING ACCOUNTING INCLUDE:

- Required by law
- For public health activities
- Victims of abuse, neglect, violence
- Health oversight activities
- Judicial/Admin proceedings
- Law enforcement purposes
- About decedents
- Organ/eye/tissue donations
- Research purposes
- To avert threat to health and safety
- For specialized government functions
- Workers’ compensation

Slide34

RIGHT TO REQUEST AN ACCOUNTING - CONTINUED

- A CE must suspend accounting of disclosures to an agency or law enforcement if the accounting is likely to impede the agency’s activity.
- An individual may request an accounting for disclosures as far back as six years before the time of the request, but to start no earlier than April 14, 2003.

Slide35

RIGHT TO REQUEST AN ACCOUNTING - CONTINUED

The accounting must include:

- Date of disclosure
- Name and address (if known) of recipient
- Brief description of PHI disclosed
- Brief reason for disclosure or copy of request

Multiple disclosures to the same requestor may be batched – as appropriate.

Slide36
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED

When related to research with 50 or more people, the accounting should provide:

- Name of research protocol
- Purpose of research and how records selected
- Description of PHI that was disclosed
- Dates disclosures occurred
- Contact information for research sponsor
- Statement about possible disclosure of PHI
- Assistance in contacting the research sponsor

Slide37

RIGHT TO REQUEST AN ACCOUNTING - CONTINUED

- A CE should routinely respond to a request for accounting within 60 days (30 day extension allowed in certain situations).
- The first in a 12 month period is free. Subsequent requests may have a cost-based fee (if previously stated). The requestor may modify the request based on the fee.

Slide38
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED

A Covered Entity must document and keep for six (6) years:

- Information required in the accounting
- The written accounting that is provided
- Titles of persons or offices responsible for processing accounting requests

Slide39
RESOURCES

- Summary of the HIPAA Privacy Rule @ HHS.gov
- HIPAA Collaborative of Wisconsin (HIPAA COW) – Multiple Policies, Presentations, and Other Deliverables

Slide40
VERSION HISTORY

2003 Version:

Primary Author: Richard Reynolds, FHIMSS

Review Group: Karen Bauer, Joan Benson, MBA, Anthony Cooper, FHFMA, CFE, William Jensen, MBA, Tammy Kritz, MBA, Jennifer Laughlin, RHIA, Christine Lidbury, Beth Zallar, MS, RHIA

2017 Update:

- Nancy Davis, MS, RHIA, CHPS
- Chrisann Lemery, MS, RHIA, CHPS