Individuals’ Right under HIPAA to Access their Health Information
As reported on this blog previously, the White House, through executive action, has modified HIPAA, otherwise known as the “Privacy Rule.” The new guidelines can be found at the U.S. Department of Human Services. Anyone attempting to secure a copy of their private health information (PHI) should refer to these guidelines, as they will undoubtedly provide valuable insight.
Some major media outlets, such as the New York Times, are heralding the HIPAA amendments as fostering the cost-effective and timely production of a patient’s PHI. “The Obama administration is tearing down barriers that make it difficult for patients to get access to their own medical records, telling doctors and hospitals that in most cases they must provide copies of these records within 30 days of receiving a request.”
Indeed, the changes to HIPAA should facilitate the cost-effective and timely production of a patient’s PHI. For instance, while the Privacy Rule allows covered entities (doctors, hospitals, nursing homes, etc.) to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not require an individual:
· Who wants a copy of his/her medical record mailed to his/her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
· To use a web portal for requesting access, as not all individuals will have ready access to the portal.
· To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.
Also, the Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form or other form and format as agreed to by the covered entity and individual. In certain circumstances, the covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI.
At what cost?
The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information). The fee may include only the cost of:
· Labor for copying the PHI requested by the individual, whether in paper or electronic form;
· Supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
· Postage, when the individual requests that the copy, or the summary or explanation, be mailed; and,
· Preparation of an explanation or summary of the PHI, if agreed to by the individual.
The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.
How long does a covered entity have to produce the records?
In providing access to the individual, a covered entity (in most cases) must provide access to the PHI requested, in whole or in part, no later than 30 calendar days from receiving the individual’s request. If the information is archived offsite and not readily accessible, the covered entity may extend the time by no more than an additional 30 days.
Under certain limited circumstances, a covered entity may deny an individual’s request for access to all or a portion of the PHI requested. In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.
What records are available to patients and/or their personal representative?
Patients and/or their personal representatives are entitled to the PHI contained in an individual’s “Designated Record Set” (DRS), which is comprised of the following:
· Medical records and billing records about individuals maintained by or for a covered health care provider;
· Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
· Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
Note: an individual does not have a right to access protected health information (PHI) that is not used to make decisions about individuals. For example, quality assessment or improvement records, patient safety activity records, or business planning, development, and management records are generally excluded from a DRS.
When is your PHI not private?
Importantly, two (2) categories of information are expressly excluded from the right of access:
· Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record.
· Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
That being said, the HIPAA Privacy Rule permits a covered entity to disclose psychotherapy notes, when the covered entity has a good faith belief that the disclosure:
· Is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others; and,
· Is to a person(s) reasonably able to prevent or lessen the threat.
45 CFR 164.512 (j)
To some mental health professionals, the fact that your PHI is not necessarily private is troubling. “The practice of reporting a client to the police if they disclose abuse issues or other criminal behavior is one of the most serious and widespread rights violations we as consumers face today. The reason this practice has been allowed to continue is that the population of individuals who are mentally ill and who have confided in their provider that they have behaviors which may be criminal in nature are very unlikely to file complaints because the complaint process usually involves further disclosure of their private statements.” In other words, many mental health professionals are concerned that individuals who may suffer from mental illness will not seek treatment because of a lack of privacy. Only time will tell whether these concerns have substantial merit. Nonetheless, consumers of mental health services should be aware of their rights before embarking on such treatment.