PATIENT PRIVACY RIGHTS UNDER HIPAA
Educational Presentation by the HIPAA Collaborative of Wisconsin – HIPAA COW
Original Version: April 2003; Updated September 2017
DISCLAIMER
HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to this Presentation (“Document”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Document. You may use this Document for your own noncommercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Document is provided to the recipient free of charge. If information is excerpted from this Document and incorporated into another work product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Document may not be sold for profit or used in commercial documents or applications. This Document is provided “as is” without any express or implied warranty. This Document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Document. Therefore, this Document may need to be modified in order to comply with Wisconsin/State law.
HIPAA PRIVACY RULE
In 2003, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule established patient privacy rights with regard to protected health information (PHI).
Protected Health Information (PHI): The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
PHI – FURTHER DEFINED
“Individually identifiable health information” is information, including demographic data, that relates to:
§ The individual’s past, present or future physical or mental health or condition,
§ The provision of health care to the individual, or
§ The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
COVERED ENTITY
§ HIPAA covers both individuals and organizations.
§ Those who must comply with HIPAA, often called HIPAA-covered entities, include health plans, clearinghouses, and certain health care providers (hospitals, clinics, physicians, pharmacies, nursing homes, etc.).
PATIENT PRIVACY RIGHTS
1. Right to Receive Notice of Privacy Practices
2. Right to Request Restrictions on Use and Disclosure of Protected Health Information
3. Right to Receive Confidential Communications
4. Right to Access, Inspect and Copy Protected Health Information
5. Right to Amend Protected Health Information
6. Right to Receive an Accounting of Disclosures of Protected Health Information
RIGHT TO RECEIVE NOTICE OF PRIVACY PRACTICES
§ Each covered entity (CE) must provide a notice of its privacy practices.
§ The notice must describe the ways in which the CE may use and disclose PHI.
§ The notice must state the CE’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice.
§ The notice must describe individuals’ rights, including the right to complain to HHS and to the CE if they believe their privacy rights have been violated.
§ The notice must include a point of contact for further information and for making complaints to the CE.
§ Covered entities must act in accordance with their notices.
RIGHT TO REQUEST RESTRICTIONS
Individuals have the right to request that a CE restrict:
§ use or disclosure of PHI for treatment, payment or health care operations,
§ disclosure to persons involved in the individual’s health care or payment for health care, or
§ disclosure to notify family members or others about the individual’s general condition, location, or death.
RIGHT TO REQUEST RESTRICTIONS - CONTINUED
§ A CE is under no obligation to agree to requests for restrictions.
§ A CE that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.
RESTRICTION: SELF-PAY OPTION
An update to the HIPAA Privacy Rule, effective in 2013, clarified the right of a patient to prevent a provider from reporting information to a health insurer if the patient pays in full. This provision presents an information management challenge for health care providers.
RESTRICTION: SELF-PAY OPTION - CONTINUED
A patient has the firm right to demand that a health care provider not disclose the patient’s PHI to the patient’s health plan if these conditions are met:
§ The patient makes a Request to Restrict disclosure;
§ The disclosure is to a health plan for payment or health care operations;
§ The disclosure is not required by law; and
§ The PHI pertains solely to health care for which the patient (or someone on behalf of the patient) has paid in full out of pocket.
RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS
§ CEs must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs.
§ For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the CE send communications in a closed envelope rather than a post card.
§ CEs must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the PHI could endanger the individual.
CONFIDENTIAL COMMUNICATIONS - CONTINUED
The CE may require this request in writing. The CE may evaluate this request based on:
§ Information on how payment will be handled
§ Specification of an alternate address
§ Added costs and logistics required to accommodate the request
The CE cannot require a reason for the request.
RIGHT TO ACCESS, INSPECT, AND COPY PHI
Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a CE’s designated record set.
The “designated record set” is that group of records maintained by or for a CE that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical record systems.
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
The Rule excludes from the right of access the following protected health information:
§ Psychotherapy notes
§ Information compiled for civil, criminal, or legal proceedings
§ Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access, or information held by certain research laboratories
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
For information included within the right of access, CEs may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion.
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A Covered Entity may deny access without the opportunity for review when:
§ Access is protected by the Federal Privacy Act
§ PHI was obtained under a promise of confidentiality and access would reveal the source of the PHI
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A CE may deny access and give an individual the right to appeal when:
§ A licensed health care professional believes the request may likely endanger the life or physical safety of the individual or another person.
§ The PHI references another person and a licensed professional believes that access would cause substantial harm to that other person.
§ Access is requested by an individual’s representative and a licensed professional believes access would cause substantial harm to the individual or another person.
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A requesting individual may appeal a denial of his/her right to access PHI, and:
§ The appointed reviewer cannot have participated in the decision to deny access.
§ The CE must act on the request within 30 days. Added response time of an additional 30 or 60 days is allowed in special circumstances.
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
When agreeing to provide access, the CE:
§ Must provide inspection or copies as requested
§ Must provide PHI in the format requested
§ Must provide PHI in a timely manner
§ May collect cost-based fees for copying, postage, preparation, etc. (provided the CE had informed the individual of such fees)
RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
If the CE denies access, it must:
§ Provide access to other PHI where access was not denied.
§ Provide a timely denial in plain language including the basis for the denial, listing review rights and complaint procedures.
§ Identify the keeper of the PHI requested – if not this CE.
§ If requested, designate a licensed professional to review the decision to deny, and inform the individual of that review decision in a timely way.
RIGHT TO REQUEST AMENDMENT
§ Individuals have the right to request that CEs amend their PHI in a designated record set when that information is inaccurate or incomplete.
§ If a CE accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the CE knows might rely on the information to the individual’s detriment.
RIGHT TO REQUEST AMENDMENT - CONTINUED
§ If the amendment request is denied, the CE must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record.
§ The Privacy Rule specifies processes for requesting and responding to a request for amendment.
§ A CE must amend protected health information in its designated record set upon receipt of notice to amend from another CE.
RIGHT TO REQUEST AMENDMENT - CONTINUED
A CE may deny the request if the PHI:
§ Was not created by the CE.
§ Is not part of the individual’s designated record set.
§ Would not be available for inspection (e.g., psychotherapy notes).
§ Is determined accurate and complete.
RIGHT TO REQUEST AMENDMENT - CONTINUED
In reviewing amendment requests, the CE:
§ May require requests in writing
§ May require a reason to support the request
§ Must act on the request within 60 days (with a 30-day extension in certain circumstances)
RIGHT TO REQUEST AMENDMENT - CONTINUED
If accepting the amendment, the CE must:
§ Identify records amended and provide a link to the amendment location.
§ Inform the individual of the amendment.
§ Inform other affected persons as designated by the individual, or business associates who may rely on the information.
RIGHT TO REQUEST AMENDMENT - CONTINUED
If denying the amendment, the CE must:
§ Provide a timely denial in plain language
§ Include the basis for the denial
§ Allow for a statement of disagreement from the individual
§ Allow for a statement reflecting the request with subsequent disclosures of the PHI
§ Identify the complaint process
RIGHT TO REQUEST AMENDMENT - CONTINUED
§ The individual may submit a statement of disagreement with the denial.
§ The CE may issue a rebuttal of the statement of disagreement and give the individual a copy.
§ The CE must record in the record and create links to any requests, denials, disagreements and rebuttals.
RIGHT TO REQUEST AMENDMENT - CONTINUED
§ Future disclosures of PHI that have been the subject of a denied request for amendment must include documents related to the request.
§ Accepted amendments must be shared among CEs so all appropriate records are amended.
§ A CE must document persons responsible for processing amendment requests and must retain documents for at least 6 years.
RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES
§ Individuals have a right to an accounting of the disclosures of their PHI by a CE or the CE’s business associates.
§ The maximum disclosure accounting period is the six years immediately preceding the accounting request.
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The Privacy Rule does not require accounting for disclosures for:
§ Treatment, payment, or health care operations
§ The individual or the individual’s personal representative
§ Notification of or to persons involved in an individual’s health care or payment for health care
§ Disaster relief
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The Privacy Rule does not require accounting for disclosures for:
§ Use in the facility directory
§ National security or intelligence purposes
§ Correctional facilities or law enforcement on behalf of inmates
§ A limited data set
DISCLOSURES REQUIRING ACCOUNTING INCLUDE:
◦ Required by law
◦ For public health activities
◦ Victims of abuse, neglect, violence
◦ Health oversight activities
◦ Judicial/administrative proceedings
◦ Law enforcement purposes
◦ About decedents
◦ Organ/eye/tissue donations
◦ Research purposes
◦ To avert a threat to health and safety
◦ For specialized government functions
◦ Workers’ compensation
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
§ A CE must suspend accounting of disclosures to an agency or law enforcement if the accounting is likely to impede the agency’s activity.
§ An individual may request an accounting for disclosures as far back as six years before the time of the request – but starting no earlier than April 14, 2003.
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The accounting must include:
§ Date of disclosure
§ Name and address (if known) of recipient
§ Brief description of PHI disclosed
§ Brief reason for disclosure or copy of request
Multiple disclosures to the same requestor may be batched – as appropriate.
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
When related to research with 50 or more people, the accounting should provide:
§ Name of research protocol
§ Purpose of research and how records were selected
§ Description of PHI that was disclosed
§ Dates disclosures occurred
§ Contact information for research sponsor
§ Statement about possible disclosure of PHI
§ Assistance in contacting the research sponsor
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
§ A CE should routinely respond to a request for accounting within 60 days (30-day extension allowed in certain situations).
§ The first request in a 12-month period is free. Subsequent requests may have a cost-based fee (if previously stated). The requestor may modify the request based on the fee.
RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
A Covered Entity must document and keep for six (6) years:
§ Information required in the accounting
§ The written accounting that is provided
§ Titles of persons or offices responsible for processing accounting requests
RESOURCES
§ Summary of the HIPAA Privacy Rule @ HHS.gov
§ HIPAA Collaborative of Wisconsin (HIPAA COW) – Multiple Policies, Presentations, and Other Deliverables
VERSION HISTORY
2003 Version:
◦ Primary Author: Richard Reynolds, FHIMSS
◦ Review Group: Karen Bauer; Joan Benson, MBA; Anthony Cooper, FHFMA, CFE; William Jensen, MBA; Tammy Kritz, MBA; Jennifer Laughlin, RHIA; Christine Lidbury; Beth Zallar, MS, RHIA
2017 Update:
◦ Nancy Davis, MS, RHIA, CHPS
◦ Chrisann Lemery, MS, RHIA, CHPS