This document provides an overview of HIPAA privacy rules regarding access to medical records. It defines key terms like covered entity, business associate, and protected health information. It explains that patients have rights under HIPAA to access, inspect, and obtain copies of their medical records, as well as request amendments. There are additional rules for mental health and psychotherapy notes. Covered entities may charge reasonable fees for copying and mailing records.
HIPAA Access Medical Records by Sainsbury-Wong
1. HIPAA Privacy and the Omnibus Rule: Accessing Medical Records
Lorianne M. Sainsbury-Wong, Esq.
MBA Health Law Section Council, Chair
Health Law Advocates, Inc.
Litigation Director & Compliance Atty.
sainsbury_wong@hla-inc.org
This presentation is intended for educational purposes only and does not constitute legal advice.
2. Welcome and Introduction
• HIPAA OVERVIEW & DEFINITIONS
• THE PRIVACY RULE
• ACCESS TO MEDICAL RECORDS
• MENTAL HEALTH & PSYCHOTHERAPY NOTES
• PATIENT AMENDMENTS & CORRECTIONS
• QUESTIONS AND ANSWERS
3. HIPAA
• HIPAA
– Health Insurance Portability and Accountability Act of 1996, 45 C.F.R. Parts 160 and 164 (HIPAA), P.L. No. 104-191, 110 Stat. 1938 (1996)
– The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
– The Privacy Rules, 45 C.F.R. 164.500 (2003)
– The Security Rules, 45 C.F.R. 164.300 (2005)
– The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA)
– HIPAA’s Omnibus Rule, 78 FR 5566 (Jan. 25, 2013), became effective on March 26, 2013 and imposed a September 23, 2013 compliance date
HIPAA addresses the standards that most providers, health plans, or healthcare clearinghouses must implement if they conduct certain health care administrative transactions electronically, including claims, eligibility, or remittance.
4. HIPAA Definitions
• Covered Entity (CE): (i) health plans, (ii) healthcare clearinghouses, and (iii) healthcare providers.
• Health plans include health, dental, or long-term care plans, HMOs, Medicare, MassHealth, etc.
• Healthcare clearinghouses in general include billing services, repricing companies, community health management information systems, community health information systems, and “value-added” networks.
• Healthcare providers are hospitals, academic medical centers, physicians, psychologists, clinicians, pharmacies, etc., that electronically transmit claims transaction information directly or through an intermediary to a health plan.
– In connection with healthcare operations, a CE is an organization that transmits health information in an electronic format. See 45 C.F.R. 160.103.
Note: Life, disability, or workers’ compensation insurers and many employers are generally not CEs.
5. HIPAA Definitions
• Business Associate (BA): “In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.” (OCR Guidance, 2000).
– The BA creates, receives, maintains, or transmits PHI on behalf of a CE.
– Under the Omnibus Rule, a BA is directly liable under HIPAA. Note: HIPAA applies even if the BA does not access any PHI.
– BA includes contractors, subcontractors or others to whom the BA delegates duties.
– A BA agreement is required with the CE or other BAs, whereby the BA acknowledges and discloses its HIPAA responsibilities.
Practice tip: Even if your client is not subject to HIPAA, so long as it maintains health information, the client should be counseled to safeguard data under considerations of a de facto assumption of standard of care.
6. HIPAA Definitions
• Protected health information (PHI) or individually identifiable health information.
– PHI is created, received, or maintained by a CE or BA;
AND
– Identifies an individual’s past, present or future medical condition, whether physical, mental health or other condition; or
– Relates to the provision of health care to an individual; or
– Relates to the past, present or future payment for the individual's procurement of healthcare services;
AND
– Identifies the individual or reasonably can be said to identify the individual.
• Examples of PHI include an individual’s SS #, address, health plan #, medical record #, driver’s license #, date of birth, etc. Note: De-identified health information that does not designate a person is not PHI.
• Practice tip: Consider the degree and extent to which data can be merged or combined with other health information to identify a specific person.
7. The Privacy Rule
• HIPAA’s Privacy Rule establishes Federal standards to protect and safeguard the privacy of PHI in any format (written, electronic, or oral) while also permitting certain uses and disclosures of PHI without the individual’s authorization in order to provide and promote high quality health care. See 45 C.F.R. §164.502, et seq.
• The Privacy Rule governs CEs and BAs and their use and disclosure of PHI. CEs and BAs must maintain the privacy and confidentiality of PHI according to HIPAA’s national standards, which are enforceable by the U.S. Department of Health and Human Services’ Office for Civil Rights or the Massachusetts Attorney General’s Office.
• A CE (and a BA pursuant to its contract) may use or disclose PHI only as follows: (i) to the individual or his/her authorized representative; (ii) for treatment, payment, healthcare operations, or otherwise in compliance with the rules; and (iii) incident to a use or disclosure that is otherwise permitted or required by the rules.
• Minimum Necessary Standard: When using or disclosing PHI (or when requesting PHI from another CE or BA), a CE or BA must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, unless otherwise authorized under the rules, e.g. requests from a provider for treatment purposes. See 45 C.F.R. Parts 160 and 164.
• Practice tip: Employers with self-funded plans (e.g. employers that bear the risk and pay for the healthcare services of their employees) are subject to HIPAA Privacy Rules. In addition, employers that offer fully insured health plans but wherein the employer takes a hands-on approach and receives PHI from the plan would also be subject to HIPAA.
8. Access to Medical Records
• The Privacy Rule provides patients’ rights to review, inspect and receive a copy of their medical and billing records (including an accounting of disclosures of PHI, if requested) and to make certain corrections. Only the patient or his/her personal representative has the right to access the records.
• 45 C.F.R. § 164.524 provides, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”
• CEs are the owners of the medical records and must maintain the originals.
• CEs must provide a copy of an individual’s PHI in a format that is requested by the individual, including electronic form, if it is readily producible.
• Practice tip: Under the Omnibus Rule, an individual can request that a CE release copies of his/her medical records to an attorney, as the individual’s designated recipient.
9. Mental Health Records
• Mental Health Records
– In general, the Privacy Rule allows for the disclosure of a patient’s mental health records, pursuant to authorization received by the CE from the patient.
– Certain kinds of mental health records may be governed by other state or federal laws, such as the substance abuse treatment confidentiality law, 42 U.S.C. § 290dd-2.
• Psychotherapy Notes
– Psychotherapy notes "are kept separate from the patient’s medical and billing records." See 45 C.F.R. §§ 164.508, 164.524, and 164.526.
– Psychotherapy notes consist of “session” notes, or notes made for the benefit of the therapist during an individual, family or group session.
– A CE should generally deny patient access to psychotherapy records, which consist of a mental health professional’s notes taken during conversations with a patient that relate to his/her treatment, if those notes are maintained separately from the patient’s medical record.
Practice tip: The issue of access to mental health records necessarily implicates state law. Legal services organizations, such as NAMI Mass. or the Mental Health Legal Advisors Committee, should be consulted.
10. Costs to Access Medical Records
• HIPAA
– The Privacy Rule permits a CE to charge a patient the actual costs of copying, labor, supplies, and mailing, if applicable, of the medical record. No fees can be assessed for searching for or retrieving medical records. See 45 C.F.R. § 164.524(c)(4).
– HIPAA stipulates that any charge must be a reasonable, cost-based fee.
– Under HIPAA, a provider has thirty (30) days from the date the request is received to release a copy of the patient’s medical records. If such records are kept offsite, then a CE may have up to sixty (60) days.
• Massachusetts
– Massachusetts law also allows non-HIPAA health care providers to charge patients a $15 base fee plus a copying charge of $0.50 per page for the first 100 pages and $0.25 per page in excess of 100 for medical records requested. See also M.G.L. ch. 111 § 70E.
– In addition, some Massachusetts HIPAA providers charge added fees (or waive fees), depending on the intended use of the medical records.
11. Amendments to Medical Records
45 C.F.R. § 164.526 provides as follows:
• “An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set.”
• “The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements.”
• CEs must respond to amendment requests within sixty (60) days. A CE may deny a patient’s request to amend where the disputed record (i) was not created by the CE that received the amendment request; (ii) is already accurate and complete; or (iii) on other justifications permitted by the rule.
12. Q&A
• Practice tip: Although HIPAA provides no private right of action, Covered Entity or Business Associate violations may give rise to state tort-based claims, such as invasion of privacy or negligent infliction of emotional distress.
• Please feel free to provide comments or questions.
Thank you.