• Eight HIPAA Patient Right’s That Can Potentially Bury You!

  • Earlier this month, I briefly wrote about this second set of guidance for HIPAA (Health Insurance Portability and Accountability Act) released on February 25th, by Director Jocelyn Samuels, Office for Civil Rights (OCR).

    This set addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

    I have compiled a list of those outlined in the FAQ, which, from my experience, covered entities or their employees have potentially been in violation of their patients’ rights.

    Designated Record Set: (45 CFR 164.501) gives the rights to an individual to access their PHI in a “designated record set” and receive any part of their records. This comprises of:

    • Medical records and billing records about individuals maintained by or for a covered health care provider;

    • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; and,

    • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. 

    Unreasonable Measures: (45 CFR 164.312(d)) recognizes that the Privacy Rule allows covered entities to require that individuals request access in writing and requires verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.  For example, a doctor may not require an individual:

    • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person;

    • To use a web portal for requesting access, as not all individuals will have ready access to the portal; and, 

    • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access. 

    “While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.”

    Form and format: (45 CFR 164.524(c)(2)(i)) an individual requests a paper copy of PHI maintained by the covered entity either electronically or on paper, it is expected that the covered entity will be able to provide the individual with the paper copy requested.

    Requests for Electronic Copies: when requesting an electronic copy of PHI that a covered entity maintains only on paper, the covered entity is required to provide the individual with an electronic copy if it is readily producible electronically. Where an individual requests an electronic copy of PHI that a covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format.

    Timeliness in Providing Access: (45 CFR 164.524(b)(2)) provides access to the individual, a covered entity must provide access to the PHI requested, in whole, or in part no later than 30 calendar days from receiving the individual’s request.  See 45 CFR 164.524(b)(2).  The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible. 

    Fees for Copies: (45 CFR 164.524(c)(4)) covered entities may impose a reasonable, cost-based fee if the individual requests a copy of the PHI. The fee may include only the cost of:

    • Labor for copying the PHI requested by the individual, whether in paper or electronic form;

    • Supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;

    • Postage, when the individual requests that the copy, or the summary or explanation, be mailed;

    • Preparation of an explanation or summary of the PHI, if agreed to by the individual.  See 45 CFR 164.524(c)(4); 

    • The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.

    Individual’s Right to Direct the PHI to Another Person: (45 CFR 164.524(c)(3)) individuals have the right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual.  The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI.  A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature. 

    State Laws: State laws which provide individuals with greater rights of access to their PHI than the Privacy Rule, or that are not contrary to the Privacy Rule, are not preempted by HIPAA and thus still apply.  For example, a covered entity subject to a State law that requires that access to PHI be provided to an individual in a shorter time frame than that required in the Privacy Rule must provide such access within the shorter time frame because the State law is not contrary to the Privacy Rule.

    “Unless an exemption exists in the HIPAA Rules, State laws that are contrary to the Privacy Rule access provisions – such as those that prohibit certain laboratories from disclosing test reports directly to an individual – are preempted by HIPAA. See 45 CFR 160.203.  Thus, these State laws do not apply when an individual exercises her HIPAA right of access.  See 45 CFR Part 160, Subpart B.”

    “HIPAA’s right of access is critical to enabling individuals to take ownership of their health and well-being – but this core right is rendered meaningless when individuals cannot afford to pay the fees, states Director Samuels. These new FAQs clarify that individuals can be charged only a reasonable, cost-based fee for the labor and supplies associated with making the copy, whether on paper or in electronic form.”

    Communicating and understanding the patient rights provided by HIPAA is an element to creating your “Culture of Compliance.”

    Judith Lindsay, CHP and CEO of JAL Consult tackles all the elements of HIPAA compliance puzzle. Successfully assisting organizations to make sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting, training and is available for speaking engagements. To read more about the world of compliance subscribed to JAL’s insightful newsletter at www.jalconsultantsaz.com OR follow JAL on Twitter @ judithconsult