Accessing Medical Records and the HIPAA Privacy Regulation Cheryl Fish-Parcham and Sonya Schwartz Health Assistance Partnership Prepared for the NAPAS Conference May 31, 2003

Health Assistance Partnership2 HIPAA Privacy Regulation Myths HIPAA is a large herbivorous 4-toed mammal. Consumers will not be able to access their own medical records. Advocates will no longer be able to access medical records for their clients.

Health Assistance Partnership3 Presentation Overview HIPAA Privacy Regulation Authority and Basics Consumers Right to Access Records Rights of P & A Advocates, Other Advocates, Family Members and Personal Representatives to Access Records Consumers Right to Amend Records HIPAA Privacy Regulations Interaction with State and Federal Law Complaints Resources

Health Assistance Partnership4 Authority The HIPAA Privacy Regulation Arises out of the Administrative Simplification measures of the the Health Insurance Portability and Accountability Act of 1996 The HIPAA Privacy Regulation can be found at 45 CFR Part 160 and 164 HIPAA Privacy Regulation Compliance Deadlines –April 14, 2003 for all covered entities –April 14, 2004 for small health plans

Health Assistance Partnership5 HIPAA Privacy Regulation Basics Applies only to personal health information. Applies to covered entities. Protects the privacy of health information. Provides access to health information.

Health Assistance Partnership6 Basics: Personal Health Information (PHI) The HIPAA Privacy Regulation only applies to PHI, which must be both: 1.Health information – any oral or recorded information relating to past, present or future physical or mental health of an individual; AND 2.Individually identifiable – identifies or can reasonably be used to identify the individual, and not information where the identity has been removed

Health Assistance Partnership7 Basics: Covered Entity 1.A Health plan – The regulation is very broad here and includes individual or group plan that provides or pays for medical care, including private and government plans. (However, employers who sponsor plans are not covered entities); OR 2.A Health Care Clearinghouse – A term of art that refers to entities that translates health information received from other entities in a standard format; OR 3.A Certain Health Care Provider – Providers are defined broadly (homeopaths, pharmacists…) but must electronically transmit (not fax) health information in standard format.

Health Assistance Partnership8 Basics: Privacy Protections Generally, covered entities cannot use or disclose PHI. However, covered entities may disclose PHI: –pursuant to an authorization (described later), –for treatment, payment or health care operations, –for public health and other specific purposes, –pursuant to a business associate agreement, Covered entities must disclose PHI: –to the individual, –when required by HHS to determine compliance

Health Assistance Partnership9 Basics: Access Protections Consumers have a right to access their own medical records. P & A advocates acting within their mandate have a right to access medical records. Other consumer advocates or P & A advocates acting outside of their mandate may also access medical records with a written authorization from the patient. Certain personal representatives have a right to access medical records without a written authorization.

Health Assistance Partnership10 Consumers Rights to Access Records (1) Consumers have a right to inspect, obtain a copy records within 30 days from the date the request is received. Under certain conditions (see next slides), a covered entity can deny access to certain information, but it must give the consumer a written denial in 30 days containing: 1.the basis for the denial; AND 2.a statement about review rights; AND 3.information about how to file a complaint with HHS

Health Assistance Partnership11 Consumers Rights to Access Records (2) A covered entity does not have to provide access or allow consumers to review decisions about the following (there is no right to appeal): –Psychotherapy notes (see definition ahead) –Information compiled for use in a civil, criminal or administrative action or proceeding –PHI maintained by a covered entity required by the Clinical Laboratory Improvements Amendments –Information requested by an inmate under certain circumstances

Health Assistance Partnership12 Consumers Rights to Access Records (3) A covered entity does not have to provide access or allow consumers to review decisions about the following (there is no right to appeal): –Research that includes treatment –Information contained in records subject to Privacy Act –Information obtained by the covered entity from someone other than a health care provider under a promise of confidentiality and access to which would be reasonably likely to reveal the source of the information

Health Assistance Partnership13 Consumers Rights to Access Records (4) A covered entity does not have to provide access to the following, but may release it to a health care provider, if a licensed health care professional determines that (there is a right to appeal): –It is reasonably likely that access to the requested information would endanger the life of the consumer; OR –The information makes reference to another person, it is reasonably likely to cause substantial harm to the consumer or another person; OR –B/c the consumers personal representative requested the information, it is reasonably likely to cause substantial harm to the consumer or another person

Health Assistance Partnership14 Psychotherapy Notes Definition: Notes by a mental health professional about a counseling session, separated from the rest of the medical record. Requires separate authorization. No individual right of access. Disclosure to oversight entity may be required by laws governing investigation of health, safety, death or oversight of the psychotherapist.

Health Assistance Partnership15 Fees A Covered Entity can charge reasonable cost-based fees, including the labor and supply providing costs of copying the information Covered entities may not charge for the labor or handling of the information or for processing the request A few tips: –Fees for copying and postage under state law are presumed reasonable and state law may also provide for the release of medical records for free for low-income individuals. –A helpful doctor (with consumers authorization) can often get their patients medical records for free. You may want to ask a doctor to request the medical records for you and then release them to you to avoid paying fees.

Health Assistance Partnership16 Rights of P & A Advocates (1) Covered entities may use or disclose PHI to the extent that such use is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law. (45 CFR (a)) Other laws give P&As rights to access: Records of individuals not competent to consent who have no guardian if P&A has received a complaint and has probable cause to suspect abuse or neglect;

Health Assistance Partnership17 Rights of P & A Advocates (2) When there is a guardian and the agency has unsuccessfully attempted to resolve the concern through the guardian, access to records without the guardians consent if probable cause that the health or safety of an individual is in serious or immediate jeopardy. When operating outside of its mandates to investigate abuse and neglect, P&As may be subject to general HIPAA use and disclosure rules.

Health Assistance Partnership18 Rights of Other Types of Consumer Advocates Consumer advocates may access medical records with a proper authorization (next slide).

Health Assistance Partnership19 Authorization ( 1) 1.Must be separate from other general authorization forms; and 2.A description of the information that may be disclosed (can be very general and request the entire record of a particular provider); and 3.The covered entity, person or persons authorized to disclose the information; and 4.The name of the person(s) authorized to receive the information; and 5.An expiration date or event (ex. Until completion of my appeal); and

Health Assistance Partnership20 Authorization (2) 6. The signature of the consumer and the date (may also be signed by the personal representative along w/ a description of their authority); and 7. A statement of the individuals right to revoke the authorization; and 8. A statement that information disclosed may be subject to redisclosure if the recipient is not a covered entity under HIPAA*

Health Assistance Partnership21 Rights of Personal Representatives Personal Representatives Step into the Shoes of the Consumer and May Access Records Without An Authorization –authority is limited to information that is relevant to such personal representation Personal representatives are: 1.Parents of minor and unemancipated children; OR 2.Individuals who have authority under other law to act on behalf of the consumer in making decisions related to health care.

Health Assistance Partnership22 Rights of Family Members May be given information relevant to their involvement in care or payment for care if the individual is present and doesnt object. If they are the personal representative (e.g., parent of minor; legal guardian) step into individuals shoes. Can be denied access if entity believes the individual may be subject to violence, abuse, neglect, or endangerment by representative.

Health Assistance Partnership23 General Directory Information A facility can disclose an individuals location and general condition to people asking about the individual by name. The individual can opt not to have this information disclosed.

Health Assistance Partnership24 Consumers Rights to Amend or Supplement Records (1) Consumers have a right that covered entities amend their personal health information within 60 days from the date the request is received This deadline may be extended 30 days if the covered entity provides a written statement with reason for the delay

Health Assistance Partnership25 Consumers Rights to Amend or Supplement Records (2) The Amendment may be denied if the record: 1.was not created by the covered entity unless the originator of the PHI is no longer available to make the amendment; OR 2.was not part of the record set; OR 3.is available for inspection If an entity accepts the request, it must: 1.make the amendment; AND 2.inform the consumer; AND 3.provide amendment to entities identified by consumer and other entities known to have received erroneous information

Health Assistance Partnership26 Interaction with State Law? (1) The HIPAA privacy regulation establishes a federal floor for protecting privacy and providing access to medical records State laws that are contrary to federal law, and will not remain in effect. Contrary means: –A covered entity would find it impossible to comply with both the state and federal requirements; OR –The state law conflicts with the HIPAA Statutes provisions on privacy

Health Assistance Partnership27 Interaction with State Law? (2) State laws more stringent than the federal rule will remain in effect. More stringent means: –With respect to patient privacy, a state law is more stringent when it provides consumers greater privacy protections. –With respect to patient access, a state law is more stringent when it provides consumers greater access to medical records. For review of state law, see the appendix of the Health Privacy Projects The State of Health Privacy eport.pdf eport.pdf

Health Assistance Partnership28 Interaction with Federal Law (1) Covered entities subject to the HIPAA Privacy Rule are also subject to other federal statutes and regulations. There should be few conflicts between a federal statute or regulation and the HIPAA Privacy Rule. In cases where a potential conflict appears, HHS would attempt to resolve it so that both laws apply.

Health Assistance Partnership29 Interaction with Federal Law (2) Our issue brief provides an overview of four federal health care laws/regulations: –Medicaid Managed Care Regulation –ERISA Claims Procedures Regulation –Nursing Home Rights Law –Medicare + Choice Regulation

Health Assistance Partnership30 Filing Complaints (1) There is no private cause of action under the regulation itself. Consumer may file a complaint with the Secretary of HHS Three requirements to filing a complaint: 1.filed in writing (paper or electronically) 2.name the entity and describe how the entity violated the regulation (by acts or omissions) 3.filed within 180 days of when the complainant knew (or should have known) that the regulation was violated. The secretary can waive this if there is a showing of good cause.

Health Assistance Partnership31 Filing Complaints (2) After complaint is filed, HHS may: –conduct an investigation –attempt to solve the matter informally –impose $100-$25,000 civil penalty per year for each standard violated –Impose criminal penalties for certain wrongful disclosures Helpful Complaint Form is Available from the Health Privacy Project at

Health Assistance Partnership32 Helpful Resources (1) Rights to Access Medical Records Under the HIPAA Privacy Regulation HIPAA Privacy Regulation: Questions and Answers for Consumer Health Assistance Programs The complete HIPAA privacy regulation text (unofficial version)

Health Assistance Partnership33 Helpful Resources (2) HHS HIPAA Privacy Website, HHS decision tool for identifying covered entities ols/decisionsupport/default.asp ols/decisionsupport/default.asp The Health Privacy Projects Summary of HIPAA Privacy Regulation ary2002.pdf ary2002.pdf

Health Assistance Partnership34 Our Contact Information Sonya Schwartz Cheryl Fish-Parcham Health Assistance Partnership A Project of Families USA 1334 G Street, NW Washington, DC (202)