Click on Sample Forms/Policies in these guidelines for sample patient access/amendment policies and sample Request for Amendment Form
Patient’s Right of Access, HIPAA §164.524
HIPAA provides all individuals with the right to access their protected health information (PHI), maintained in a designated record set by health plans, covered health care providers, and health care clearinghouses (also referred to as “Covered Entities”), which create or receive an individual’s PHI, not including business associates of another covered entity. The right must be provided for as long as PHI is maintained in a designated record set.
A “designated record set” is one containing information utilized and maintained for the purpose of making decisions about an individual’s healthcare. The idea is that individuals have a right to PHI used to make decisions about them, including for example, information upon which health care decisions are based and information to determine payment on insurance claims. Information maintained, but not for utilization to make decisions about the individual, falls outside the designated record set and is exempt from access.
CE obligations:
CEs must permit an individual to request access to inspect/obtain a copy of PHI maintained in the individual’s designated record set. The CE may require that requests be in writing, if it informs individuals of that requirement.
Timeliness Requirements: A CE must act on a request for access within 30 days of receipt if information is accessible on site, and within 60 days of receipt if information is not accessible or maintained on site. If the CE is unable to act on the request within the applicable time limits, it may have one (and only one), 30-day extension by providing the individual with a written explanation of the reasons for delay and the date the CE will complete its action on the request.
Implementation Tip: The CE has up to 60 days to provide information located on site, and up to 90 days for information located off-site. Notice of an extension must be provided to the individual within the standard deadline time.
The CE accepts the request:
If access is granted, in whole or in part, the CE must inform the individual of acceptance and provide the access requested within the required time frame at a convenient time and place for the individual to inspect and copy the PHI, or mail a copy of the PHI if the individual requests.
Fees? If the individual requests copies, or agrees to a summary or explanation, the CE may impose a reasonable, cost-based fee that includes only the cost of copying, including supplies and labor, postage and/or the cost to prepare a summary or explanation.
Providing a summary: The CE may provide a summary or an explanation of the PHI requested, in lieu of access to the PHI if:
1) The individual agrees in advance; and
2) The individual agrees in advance to any fees imposed for such summary or explanation.

Implementation Tip: If the same PHI requested is maintained in more than one designated record set or at multiple locations, the CE need only produce the PHI once in response to the request.

Implementation Tip: The CE may discuss other aspects of the request with the individual as necessary for timely provision.

Implementation Tip: If the PHI is not readily producible in the form requested by the individual, it must be provided in a readable hard copy form or other form agreed to by the parties.
The CE denies the request, in whole or in part:
The CE must provide the individual with a timely, written denial in plain language which includes:
1) The basis for denial;
2) A statement of review rights and how the individual may exercise such rights (if applicable); and
3) A procedural description, including the name, title, and phone number of a contact person or office, for the individual to complain to the CE or the Secretary.
The CE must provide the individual (if possible), with access to any other PHI requested, after excluding that to which access is being denied. If the CE doesn’t maintain the PHI requested, but knows where it is maintained, the CE must inform the individual of where to request it.

Implementation Tip: A CE must document the designated record sets subject to access by individuals, the titles of persons or offices responsible to receive and process requests for access, and must retain such documentation as required.
Exceptions to the Right of Access:
Even if information is maintained in a designated record set, a CE is not required to provide access to:
1) Psychotherapy notes;
2) Information compiled in reasonable anticipation of, or for use in, civil, criminal or administrative actions/proceedings; and
3) Certain PHI maintained by the CE that is subject to, or exempted from, the Clinical Laboratory Improvement Amendments of 1988 (CLIA).

Implementation Tip: A CE may provide access to the excepted material above; however, review is not available if the CE denies access based on one of the exceptions.
Denial of access WITHOUT providing an opportunity for review:
No review need be provided to an individual if access is denied for any of the following reasons:
1) Information is covered under an exception stated above;
2) The CE is a correctional institution or healthcare provider acting under direction of the correctional institution to deny an inmate’s request to obtain a copy of PHI that would jeopardize the health, safety, security, custody or rehabilitation of the inmate, other inmates, safety of an officer, employee or person responsible to transport the inmate;
   Implementation Tip: This exception pertains to the denial of a request to copy, but inmates may still inspect records unless another exception applies.
3) The PHI was obtained by the CE in the course of research in progress that includes treatment of research participants, provided that: (a) the individual agreed to the denial of access in the consent to participate in the research; and (b) was notified that right to access is reinstated at completion of research;
   Implementation Tip: Access doesn’t have to be denied and may actually be necessary for the welfare of a participant, in which case, access should be given.
4) The PHI requested is also subject to the Privacy Act and denial is permitted by the Privacy Act regulations; or
5) The PHI is obtained from someone other than a healthcare provider under a promise of confidentiality and access would reasonably likely reveal the source of that information.
   Implementation Tip: This exception does not cover confidentiality promises to other healthcare providers.
CE denial of access WITH opportunity for review:
There are three circumstances when access may harm the individual or others. In these circumstances a CE may deny access but must provide an opportunity for review:
1) A licensed healthcare professional determines, exercising professional judgment, that access is reasonably likely to endanger the life/physical safety of the individual or another person;
2) The requested PHI makes reference to another person who is not a healthcare provider and a licensed healthcare professional, exercising professional judgment, determines that the access requested is reasonably likely to cause serious harm to the other person (i.e., may apply to situations such as group therapy sessions, where information given by one person may be relevant to the care of another);
3) The request for PHI is by a personal representative of an individual, and a licensed professional, exercising professional judgment, determines that access to the requested information is reasonably likely to cause substantial harm to the individual or to another person (i.e., a situation may arise where the CI determines that treating the PR as the individual will cause harm to the individual or another person, perhaps finding that the PR may inflict domestic violence, abuse or neglect, etc.).

Implementation Tip: A licensed healthcare professional must make the determination based on the particular circumstances and the current medical professional standards of harm for any of these three standards of harm to apply.

Implementation Tip: A CE may deny access in whole or in part considering particular circumstances, but is not required to deny access.
Review:
If a CE denies a request for which review is available, the individual has the right to have the denial reviewed by a licensed health care professional designated by the CE to act as reviewing official (and who did not participate in the original decision to deny). The CE must then provide or deny access in accordance with the reviewing official’s decision. The procedure for review is:
1) The CE promptly refers the request to the designated reviewing official;
2) The official determines, within a reasonable period of time, whether or not to deny access based on the allowed reviewable grounds; and
3) The CE promptly provides written notice to the individual of the official’s determination and takes appropriate other action required to carry out the determination.
Patient Amendment of PHI, HIPAA §164.526
Patient request:
An individual has the right to have PHI, or a record in the designated record set, amended by the CE for as long as PHI is maintained in the designated set, subject to the exceptions set forth below. The CE must permit an individual to request an amendment to PHI in a designated record set and (as long as individuals are informed in advance), may require that requests be in writing, with reasons provided to support the amendment.
Implementation Tip: Develop a standard form to be used when a patient requests amendment to his/her record. See the OAHHS HIPAA Compliance Guidelines at www.oahhs.org and click on Sample Forms for an example of a Patient Request for Amendment Form.
CE timeliness obligations: The CE must act in a timely fashion on a request to amend within 60 days of receipt. The CE must inform the individual of its acceptance or denial of the request to amend, in whole or in part, and take appropriate actions based on acceptance or denial. If the CE is unable to act on the request within the applicable time limits, it may have one (and only one), 30-day extension by providing the individual with a written explanation of the reasons for delay and the date the CE will complete its action on the request.

Implementation Tip: Notice of an extension must be provided to the individual within the standard deadline time.

Implementation Tip: Covered providers, health plans, and health care clearinghouses that create or receive PHI, other than as a business associate, must comply with these requirements.

Implementation Tip: The CE must document the titles of persons/offices responsible for receiving/processing requests for amendments and retain such information as required by §164.530(j), in written or electronic form for six years from the date of its creation, or the date when it last was in effect, whichever is later.
Acceptance of the request:
1) At a minimum, the CE must make the appropriate change to the PHI covered in the request, and identify the amended/corrected entries, showing the location of the amended/corrected entries;
   Implementation Tip: CEs are not required to expunge PHI, unless their own record keeping practices or other applicable law require it. In fact, it would be wise to retain the original record. When you amend a patient's record, do not white out or otherwise eliminate the original record. Rather, include a new page containing the amended information.
2) Informing the individual – the CE must timely inform the individual of the decision to amend/correct, in accordance with the same timely action requirements as for requests to amend. The CE must obtain the individual’s identification of, and consent to share amended/corrected PHI with, relevant persons; and
3) Informing Others – if the individual agrees, the CE must make reasonable efforts to notify, within a reasonable time: (a) entities identified by the individual as needing the amendment information; and (b) entities the covered provider knows received the erroneous/incomplete PHI information and who may have relied, or foreseeably could rely, on such information to the individual’s detriment.
   Implementation Tip: If you are releasing information to entities the patient did not specifically identify, but that you believe may have relied on the information, be sure to obtain patient authorization for this release.
Action necessary after notice of amendment:
A CE that receives proper notification from another CE of an amendment to PHI, must have procedures in place to make the necessary amendment to the subject PHI in the designated record set maintained by the receiving entity.
Implementation Tip: CEs must require business associates receiving notifications of amended PHI to incorporate such information into their own record sets maintained on behalf of the covered entity.
Denial of the request:
Reasons: The CE may deny the request for amendment if it finds that:
1) The PHI was not created by the CE (unless the individual provides a reasonable basis to claim that the originator of the PHI is no longer available);
2) The PHI is not part of the designated record set;
3) The PHI would not be available for inspection under §164.526, dealing with rules of access to PHI; or
4) The PHI is accurate and complete as is.
Denial procedures:
The CE must timely inform the individual of the decision to deny the requested amendment, in accordance with the same timely action requirements as for requests to amend. Denial must be written and in plain language, to include:
1) The basis for denial, in accordance with Denial of Amendment standards of this section;
2) The individual’s right to disagree in writing and the process to submit such a statement of disagreement;
3) Notification of the individual’s right to have requests for amendment and denials included with any future disclosures of the PHI at issue (if the individual fails to submit a disagreement statement);

Implementation Tip: See §164.530(d), §160.306 and §164.530(a)(1)(ii) for a description of how the individual may make a complaint to the CE and the Secretary.
Response to denial:
The CE must allow the individual to submit a written statement disagreeing with the denial and may reasonably limit the length of such a statement. The CE may, in turn, prepare a written rebuttal to the statement of disagreement, providing a copy of such rebuttal to the individual. The CE must then identify the PHI that is the subject of the disputed amendment and include, or show the location of the request for amendment, the denial, statement of disagreement (if any), and rebuttal.
If a statement of disagreement is submitted by the individual, then all appended information (or an accurate summary if the CE elects), concerning the request and denial of amendment must be included in future disclosures of the subject PHI. However, if no statement of disagreement is submitted, then such appended information must be included in future disclosures only if requested by the individual.
Implementation Tip: If a future disclosure is a “standard transaction” as defined by §162 of HIPAA, and unable to accommodate the required additional materials, such materials may be separately disclosed to the recipient.
Accounting of Disclosures, HIPAA §164.528
For a list of disclosures hospitals must account for click here.
An individual has the right to an accounting of all disclosures of PHI made in the six years prior to the request (unless a shorter duration is specified by the individual), by the CE, for purposes other than treatment, payment and health care operations, excepting the following disclosures:
Exceptions:
1) Disclosures for purposes of treatment, payment and healthcare operations;
2) Disclosures made to individuals about themselves (see §164.502);
3) Disclosures for the facility’s own directory, persons involved in the individual’s care or other disclosures for notification purposes (see §164.510);
4) Disclosures for national security or intelligence purposes (see §164.512(k)(2));
5) Disclosures to correctional institutions or law enforcement officials (see §164.512(k)(5)); or
6) Disclosures that occurred prior to the compliance date for the covered entity.

For a sample Accounting for Disclosures form click here.

Implementation Tip: Specific cross sections referred to should be consulted to ascertain the details of what the exception to disclosure includes/omits. For example, disclosures made for facility directories are excepted from the disclosure requirements; however, the individual must have been informed that certain information could be included in a directory and that certain disclosures may be made, and given the opportunity to object, etc.
Suspension of accounting: A CE must temporarily suspend an individual’s right to an accounting of disclosures of PHI made to a health oversight agency or law enforcement official (see §164.512(d)), for a time period specified by the agency or official, if the authority provides the CE with a written statement stating:
1) That disclosure of the requested information in an accounting would likely impede the agency or official’s activities; and
2) The specific time period for the suspension.
If the agency or official statement is oral, the CE must: (a) document the statement and identity of the agency or official making it; (b) temporarily suspend inclusion of the subject statement in an individual’s accounting of disclosures; and (c) limit the suspension to 30 days or less from the date of the oral suspension, unless a written statement follows with the information specified above.
Content/scope of the accounting:
A CE must provide a written accounting of disclosures of PHI occurring during six years (or for a shorter duration if specified by the individual) prior to the date of the request for an accounting, including disclosures to or by business associates. For each disclosure, the accounting must include:
1) The date of the disclosure;
2) The name of the entity or person receiving PHI, along with their address, if known;
3) A brief description of PHI disclosed;
4) A brief statement of purpose, reasonably informing the individual of the basis for disclosure; or, alternatively, a copy of the individual’s written authorization (in accordance with §164.508), or a copy of written request for disclosure (in accordance with §§164.502(a)(2)(ii) or 164.512, if any).
If multiple disclosures are made during the covered accounting period to the same person or entity for a single purpose under §§164.502(a)(2)(ii) or 164.512, or under a single authorization per §164.508, the accounting may provide the same information required for single disclosures, along with the frequency, periodicity, or number of disclosures made during the accounting period, and the date of the last such disclosure during the accounting period.
Implementation Tip: If you are part of an organized health care arrangement or affiliated entity, a request for accounting likely includes disclosures by all participants in the arrangement. This is a question you may want to ask the individual. He/she may not want all these disclosures.

Implementation Tip: It may be a good idea to have your system account for all disclosures rather than distinguish between disclosures for treatment, payment or healthcare operations (not subject to accounting) and other disclosures. There are two reasons for this:
   1) It may be easier for your system to simply account for all disclosures rather than attempt to distinguish between the different reasons for disclosure; and
   2) If a patient later amends his/her record, you will need to notify those who received the original record of the amendment.

Implementation Tip: Disclosures made to business associates are included in the accounting requirement. Your business associate agreements must require the associate to account for disclosures they have made of PHI the associate holds on your behalf.
Timeliness requirements:
The CE must act on a request for an accounting within 60 days of receipt. The CE must either provide the accounting requested, or, if unable to do so, one 30-day extension is allowed, upon notifying the individual in writing, within the initial 60 day period, of the reason for delay and the date by which the entity will complete its action. The CE provides the first accounting in any 12 month period at no charge to the requesting individual, and may impose a reasonable, cost-based fee for subsequent requests by the same individual within the 12 month period, provided that the CE informs the individual in advance of the fee and provides an opportunity to withdraw/modify the subsequent request to reduce the fee.
Implementation Tip: In accordance with the administrative requirements of §164.530(j), the CE must document and retain information required for disclosures of PHI that are subject to an accounting, the written accounting provided to the individual, and the titles of persons/offices receiving and processing requests for accountings by individuals.