HIPAA Privacy
and the Omnibus Rule:
Accessing Medical Records
Lorianne M. Sainsbury-Wong, Esq.
MBA Health Law Section Council, Chair
Health Law Advocates, Inc.
Litigation Director & Compliance Atty.
sainsbury_wong@hla-inc.org
This presentation is intended for educational purposes only and does not constitute legal advice.
Welcome and Introduction
HIPAA OVERVIEW & DEFINITIONS
THE PRIVACY RULE
ACCESS TO MEDICAL RECORDS
MENTAL HEALTH & PSYCHOTHERAPY NOTES
PATIENT AMENDMENTS & CORRECTIONS
QUESTIONS AND ANSWERS
2
• HIPAA
– Health Insurance Portability and Accountability Act of 1996, 45 C.F.R.
Parts 160 and 164 (HIPAA), P.L. No. 104-191, 110 Stat. 1938 (1996)
– The U.S. Department of Health and Human Services (HHS) Office for
Civil Rights (OCR)
– The Privacy Rules, 45 C.F.R. 164.500 (2003)
– The Security Rules, 45 C.F.R. 164.300 (2005)
– The Health Information Technology for Economic and Clinical Health
Act (HITECH Act) is part of the American Recovery and Reinvestment
Act of 2009 (ARRA)
– HIPAA’s Omnibus Rule, 78 FR 5566 (Jan. 25, 2013), became effective
on March 26, 2013 and imposed a September 23, 2013 compliance date
HIPAA addresses the standards that most providers, health plans, or healthcare
clearinghouses must implement if they conduct certain health care
administrative transactions electronically, including claims, eligibility, or
remittance.
3
HIPAA
• Covered Entity (CE): (i) health plans, (ii) healthcare clearinghouses, and
(iii) healthcare providers.
• Health plans include health, dental, or long term plans, HMOs,
Medicare, MassHealth, etc.
• Healthcare clearinghouses in general include billing services,
repricing companies, community health management information
systems, community health information systems, and “value-
added” networks.
• Healthcare providers are hospitals, academic medical centers,
physicians, psychologists, clinicians, pharmacies, etc., that
electronically transmit claims transaction information directly or
through an intermediary to a health plan
– In connection with healthcare operations, a CE is an organization that
transmits health information in an electronic format. See 45 C.F.R.
160.103
Note: Life, disability, or workers compensation insurers and many
employers are generally not CEs.
4
HIPAA Definitions
• Business Associate (BA): “In general, a business associate is a person or
organization, other than a member of a covered entity's workforce, that
performs certain functions or activities on behalf of, or provides certain
services to, a covered entity that involve the use or disclosure of
individually identifiable health information.” (OCR Guidance, 2000).
– The BA creates, receives, maintains, or transmits PHI on behalf of a
CE.
– Under the Omnibus Rule, a BA is directly liable under HIPAA. Note:
HIPAA applies even if the BA does not access any PHI.
– BA includes contractors, subcontractors or others to whom the BA
delegates duties.
– BA agreement is required with the CE or other BAs, whereby BA
acknowledges and discloses its HIPAA responsibilities.
Practice tip: Even if your client is not subject to HIPAA, so long as it
maintains health information, then the client should be counseled to
safeguard data under considerations of a de facto assumption of standard
of care.
5
HIPAA Definitions
• Protected health information (PHI) or individually identifiable health
information.
– PHI is created, received, or maintained by a CE or BA;
AND
– Identifies an individual’s past, present or future medical condition,
whether physical, mental health or other condition; or
– Relates to the provision of health care to an individual; or
– Relates to the past, present or future payment for the individual's
procurement of healthcare services;
AND
– Identifies the individual or reasonably can be said to identify the
individual.
• Examples of PHI include an individual’s SS #, address, health plan #,
medical record #, driver’s license #, date of birth, etc. Note: De-identified
health information that does not designate a person is not PHI.
• Practice tip: Consider the degree and extent to which data can be merged or
combined with other health information to identify a specific person.
6
HIPAA Definitions
• HIPAA’s Privacy Rule establishes Federal standards to protect and safeguard the privacy
of PHI in any format (written, electronic, or oral) while also permitting certain
unauthorized access to PHI in order to provide and promote high quality health care. See
45 C.F.R. §164.502, et seq.
• The Privacy Rule governs CEs and BAs and their use and disclosure of PHI. CEs and
BAs must maintain the privacy and confidentiality of PHI according to HIPAA’s national
standards, which are enforceable by the U.S. Department of Health and Human Services’
Office for Civil Rights or the Massachusetts Attorney General’s Office.
• CE (and BA pursuant to its contract) may use or disclose PHI only as follows: (i) to the
individual or his/her authorized representative; (ii) for treatment, payment, healthcare
operations, or otherwise in compliance with the rules; and (iii) incident to a use or
disclosure that is otherwise permitted or required by the rules.
• Minimum Necessary Standard: When using or disclosing PHI (or when requesting PHI
from another CE or BA), a CE or BA must make reasonable efforts to limit PHI to the
minimum necessary to accomplish the intended purpose of the use, disclosure, or
request, unless otherwise authorized under the rules, e.g. requests from a provider for
treatment purposes. See 45 C.F.R. §§ 160 and 164.
• Practice tip: Employers with self-funded plans (e.g. employers that bear the risk and pay
for the healthcare services of their employees) are subject to HIPAA Privacy Rules. In
addition, employers that offer fully insured health plans but wherein the employer takes
a hands-on approach and receives PHI from the plan would also be subject to HIPAA.
7
The Privacy Rule
• The Privacy Rule provides patients’ rights to review, inspect and
receive a copy of their medical and billing records (including an
accounting of disclosures of PHI, if requested) and to make certain
corrections. Only the patient or his/her personal representative has
the right to access the records.
• 45 C.F.R. § 164.524 provides, “an individual has a right of access to
inspect and obtain a copy of protected health information about the
individual in a designated record set, for as long as the protected
health information is maintained in the designated record set.”
• CEs are the owners of the medical records and must maintain the
originals.
• CEs must provide a copy of an individual’s PHI in a format that is
requested by the individual, including electronic form, if it is readily
producible.
• Practice tip: Under the Omnibus Rule, an individual can request that
a CE release copies of his/her medical records to an attorney, as the
individual’s designated recipient.
8
Access to Medical Records
• Mental Health Records
– In general, the Privacy Rule allows for the disclosure of a patient’s mental
health records, pursuant to authorization received by the CE from the
patient.
– Certain kinds of mental health records may be governed by other state or
federal laws, such as the substance abuse treatment confidentiality law, 42
U.S.C. § 290dd-2.
• Psychotherapy Notes
– Psychotherapy notes "are kept separate from the patient’s medical and
billing records." See 45 C.F.R. §§ 164.508, 164.524, and 164.526.
– Psychotherapy notes consist of “session” notes, or notes made for the
benefit of the therapist during individual, family or group sessions.
– CE should generally deny patient access to psychotherapy records, which
consist of a mental health professional’s notes taken during conversations
with a patient that relate to his/her treatment, if those notes are maintained
separately from the patient’s medical record.
Practice tip: The issue of access to mental health records necessarily
implicates state law. Legal services organizations, such as the NAMI Mass. or
the Mental Health Legal Advisors Committee, should be consulted.
9
Mental Health Records
• HIPAA
– The Privacy Rule permits CE to charge a patient the actual costs of
copying, labor, supplies, and mailing, if applicable, the medical record.
No fees can be assessed for searching or retrieving medical records.
See 45 C.F.R. § 164.524 (c)(4).
– HIPAA stipulates that any charge must be a reasonable, cost-based fee.
– Under HIPAA, a provider has thirty (30) days from the date received to
release a copy of the patient’s medical records. If such records are kept
offsite, then a CE may have up to sixty (60) days.
• Massachusetts
– Massachusetts law also allows non-HIPAA health care providers to
charge patients a $15 base fee plus a copying charge of $0.50 per page
for the first 100 pages and $0.25 per page in excess of 100 for medical
records requested. See also M.G.L. ch. 111 §70E
– In addition, some Massachusetts HIPAA providers charge added fees
(or waive fees), depending on the intended use of the medical records.
10
Costs to Access Medical Records
45 C.F.R. §164.526 provides as follows:
• “An individual has the right to have a covered entity amend
protected health information or a record about the individual in a
designated record set for as long as the protected health information
is maintained in the designated record set.”
• “The covered entity must permit an individual to request that the
covered entity amend the protected health information maintained in
the designated record set. The covered entity may require
individuals to make requests for amendment in writing and to
provide a reason to support a requested amendment, provided that it
informs individuals in advance of such requirements.”
• CEs must respond to amendment requests within sixty (60) days. A CE
may deny a patient’s request to amend where the disputed record (i)
was not created by the CE that received the amendment request; (ii)
is accurate or complete; or (iii) for other justifications.
11
Amendments to Medical Records
• Practice tip: Although no HIPAA right of action exists, Covered Entity or
Business Associate violations may give rise to state tort-based claims, such
as invasion of privacy or negligent infliction of emotional distress.
• Please feel free to provide comments or questions.
Thank you.
12
Q&A

HIPAA Access Medical Records by Sainsbury-Wong

  • 1. HIPAA Privacy and the Omnibus Rule: Accessing Medical Records
      Lorianne M. Sainsbury-Wong, Esq.
      MBA Health Law Section Council, Chair
      Health Law Advocates, Inc., Litigation Director & Compliance Atty.
      sainsbury_wong@hla-inc.org
      This presentation is intended for educational purposes only and does not constitute legal advice.
  • 2. Welcome and Introduction
      • HIPAA Overview & Definitions
      • The Privacy Rule
      • Access to Medical Records
      • Mental Health & Psychotherapy Notes
      • Patient Amendments & Corrections
      • Questions and Answers
  • 3. HIPAA
      • HIPAA
          – Health Insurance Portability and Accountability Act of 1996, 45 C.F.R. Parts 160 and 164 (HIPAA), P.L. No. 104-191, 110 Stat. 1938 (1996)
          – The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
          – The Privacy Rules, 45 C.F.R. 164.500 (2003)
          – The Security Rules, 45 C.F.R. 164.300 (2005)
          – The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA)
          – HIPAA’s Omnibus Rule, 78 FR 5566 (Jan. 25, 2013), became effective on March 26, 2013 and imposed a September 23, 2013 compliance date
      HIPAA addresses the standards that most providers, health plans, or healthcare clearinghouses must implement if they conduct certain health care administrative transactions electronically, including claims, eligibility, or remittance.
  • 4. HIPAA Definitions
      • Covered Entity (CE): (i) health plans, (ii) healthcare clearinghouses, and (iii) healthcare providers.
          • Health plans include health, dental, or long term plans, HMOs, Medicare, MassHealth, etc.
          • Healthcare clearinghouses in general include billing services, repricing companies, community health management information systems, community health information systems, and “value-added” networks.
          • Healthcare providers are hospitals, academic medical centers, physicians, psychologists, clinicians, pharmacies, etc., that electronically transmit claims transaction information directly or through an intermediary to a health plan.
          – In connection with healthcare operations, a CE is an organization that transmits health information in an electronic format. See 45 C.F.R. 160.103.
      Note: Life, disability, or workers compensation insurers and many employers are generally not CEs.
  • 5. HIPAA Definitions
      • Business Associate (BA): “In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.” (OCR Guidance, 2000).
          – The BA creates, receives, maintains, or transmits PHI on behalf of a CE.
          – Under the Omnibus Rule, a BA is directly liable under HIPAA. Note: HIPAA applies even if the BA does not access any PHI.
          – BA includes contractors, subcontractors or others to whom the BA delegates duties.
          – A BA agreement is required with the CE or other BAs, whereby the BA acknowledges and discloses its HIPAA responsibilities.
      Practice tip: Even if your client is not subject to HIPAA, so long as it maintains health information, then the client should be counseled to safeguard data under considerations of a de facto assumption of standard of care.
  • 6. HIPAA Definitions
      • Protected health information (PHI) or individually identifiable health information.
          – PHI is created, received, or maintained by a CE or BA; AND
          – Identifies an individual’s past, present or future medical condition, whether physical, mental health or other condition; or
          – Relates to the provision of health care to an individual; or
          – Relates to the past, present or future payment for the individual's procurement of healthcare services; AND
          – Identifies the individual or reasonably can be said to identify the individual.
      • Examples of PHI include an individual’s SS #, address, health plan #, medical record #, driver’s license #, date of birth, etc. Note: De-identified health information that does not designate a person is not PHI.
      • Practice tip: Consider the degree and extent to which data can be merged or combined with other health information to identify a specific person.
  • 7. The Privacy Rule
      • HIPAA’s Privacy Rule establishes Federal standards to protect and safeguard the privacy of PHI in any format (written, electronic, or oral) while also permitting certain unauthorized access to PHI in order to provide and promote high quality health care. See 45 C.F.R. § 164.502, et seq.
      • The Privacy Rule governs CEs and BAs and their use and disclosure of PHI. CEs and BAs must maintain the privacy and confidentiality of PHI according to HIPAA’s national standards, which are enforceable by the U.S. Department of Health and Human Services’ Office for Civil Rights or the Massachusetts Attorney General’s Office.
      • A CE (and a BA pursuant to its contract) may use or disclose PHI only as follows: (i) to the individual or his/her authorized representative; (ii) for treatment, payment, healthcare operations, or otherwise in compliance with the rules; and (iii) incident to a use or disclosure that is otherwise permitted or required by the rules.
      • Minimum Necessary Standard: When using or disclosing PHI (or when requesting PHI from another CE or BA), a CE or BA must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, unless otherwise authorized under the rules, e.g. requests from a provider for treatment purposes. See 45 C.F.R. §§ 160 and 164.
      • Practice tip: Employers with self-funded plans (e.g. employers that bear the risk and pay for the healthcare services of their employees) are subject to HIPAA Privacy Rules. In addition, employers that offer fully insured health plans but wherein the employer takes a hands-on approach and receives PHI from the plan would also be subject to HIPAA.
  • 8. Access to Medical Records
      • The Privacy Rule provides patients’ rights to review, inspect and receive a copy of their medical and billing records (including an accounting of disclosures of PHI, if requested) and to make certain corrections. Only the patient or his/her personal representative has the right to access the records.
      • 45 C.F.R. § 164.524 provides, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”
      • CEs are the owners of the medical records and must maintain the originals.
      • CEs must provide a copy of an individual’s PHI in a format that is requested by the individual, including electronic form, if it is readily producible.
      • Practice tip: Under the Omnibus Rule, an individual can request that a CE release copies of his/her medical records to an attorney, as the individual’s designated recipient.
  • 9. Mental Health Records
      • Mental Health Records
          – In general, the Privacy Rule allows for the disclosure of a patient’s mental health records, pursuant to authorization received by the CE from the patient.
          – Certain kinds of mental health records may be governed by other state or federal laws, such as the substance abuse treatment confidentiality law, 42 U.S.C. § 290dd-2.
      • Psychotherapy Notes
          – Psychotherapy notes "are kept separate from the patient’s medical and billing records." See 45 C.F.R. §§ 164.508, 164.524, and 164.526.
          – Psychotherapy notes consist of “session” notes, or notes made for the benefit of the therapist during individual, family or group sessions.
          – A CE should generally deny patient access to psychotherapy records, which consist of a mental health professional’s notes taken during conversations with a patient that relate to his/her treatment, if those notes are maintained separately from the patient’s medical record.
      Practice tip: The issue of access to mental health records necessarily implicates state law. Legal services organizations, such as the NAMI Mass. or the Mental Health Legal Advisors Committee, should be consulted.
  • 10. Costs to Access Medical Records
      • HIPAA
          – The Privacy Rule permits a CE to charge a patient the actual costs of copying, labor, supplies, and, if applicable, mailing the medical record. No fees can be assessed for searching or retrieving medical records. See 45 C.F.R. § 164.524(c)(4).
          – HIPAA stipulates that any charge must be a reasonable, cost-based fee.
          – Under HIPAA, a provider has thirty (30) days from the date received to release a copy of the patient’s medical records. If such records are kept offsite, then a CE may have up to sixty (60) days.
      • Massachusetts
          – Massachusetts law also allows non-HIPAA health care providers to charge patients a $15 base fee plus a copying charge of $0.50 per page for the first 100 pages and $0.25 per page in excess of 100 for medical records requested. See also M.G.L. ch. 111 § 70E.
          – In addition, some Massachusetts HIPAA providers charge added fees (or waive fees), depending on the intended use of the medical records.
  • 11. Amendments to Medical Records
      45 C.F.R. § 164.526 provides as follows:
      • “An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set.”
      • “The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements.”
      • CEs must respond to amendment requests within sixty (60) days. A CE may deny a patient’s request to amend where the disputed record (i) was not created by the CE that received the amendment request; (ii) is accurate or complete; or (iii) for other justifications.
  • 12. Q&A
      • Practice tip: Although no HIPAA right of action exists, Covered Entity or Business Associate violations may give rise to state tort-based claims, such as invasion of privacy or negligent infliction of emotional distress.
      • Please feel free to provide comments or questions. Thank you.