Peg Schmidt, RHIA CHPS and Amy Derlink, RHIA, CHA April 10, 2015

Transcription

1 Peg Schmidt, RHIA CHPS and Amy Derlink, RHIA, CHA April 10, Step One Gather the facts Who is the requestor? Why are they requesting (purpose)? What type of PHI are they asking for? (record type) Step Two Which law(s) apply? Look at the type of record requested and determine which law(s) apply Can be multiple 2 Step Three Resources Copies of laws Bookmark WI statutes page HIPAA COW Pre-emption grid Step Four Assume the requestor will require an authorization unless legal exception found Based on record type, purpose, requestor Pre-emption follow greatest protection 3 1

2 Child Protective Services requesting ED records and tells you that they are investigating suspected child abuse. Identifies the child s record by name. Step One who /why / type of record? CPS Child abuse investigation ED Patient Health Care Record 4 Step Two which laws apply? ED record = Patient Health Care Record = HIPAA Privacy Rule also applies Step Three resources Locate the list of exceptions Locate the section in Privacy Rule re child abuse (b) (1) (ii) Pre emption grid (2) (a) To a county department, as defined under s (2g), a sheriff or police department or a district attorney for purposes of investigation of threatened or suspected child abuse or neglect or suspected unborn child abuse or for purposes of prosecution of alleged child abuse or neglect, if the person conducting the investigation or prosecution identifies the subject of the record by name. The health care provider may release information by initiating contact with a county department, sheriff or police department or district attorney without receiving a request for release of the information. A person to whom a report or record is disclosed under this subdivision may not further disclose it, except to the persons, for the purposes and under the conditions specified in s (7). 6 2

3 HIPAA (b)(1)(ii) (b) Standard: uses and disclosures for public health activities--(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to: (ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; 7 Both state law and HIPAA would allow the disclosure without authorization Pre-emption directs that we follow state law Disclosure to CPS allowable without authorization as long as the subject of the record is identified by name 8 Subpoenas Generally subpoena alone not allowable to disclose Subpoena signed by a judge = court order Attorney issued / look for an authorization Out-of-state generally not valid Consider requestor and purpose does it meet an exception to allow disclosure? 9 3

4 Department of Safety and Professional Services Grand Jury Subpoena May fit (2) (a) 5 5. In response to a written request by any federal or state governmental agency to perform a legally authorized function, 10 Court Orders Not all court orders are valid Determine federal versus state Federal court order could be valid in WI even if out-of-state issued WI issued court order generally valid Out-of-state state court orders generally not valid 11 Omnibus Rule On January 25, 2014 the DHHS published the Omnibus Final Rule which modified HIPAA regulations in accordance with HITECH. 12 4

5 45 CFR Access of individuals to PHI CE must act on a request for access no later than 30 days after receipt of the request as follows. If the CE grants the request, in whole or in part, it must: inform the individual of the acceptance of the request provide the access requested in the form or format requested IF it readily producible in such form or format. If not, in a readable hard copy form as agreed to by CE and individual CFR Access of individuals to PHI If the CE denies the request, in whole or in part, it must provide the individual with a written denial and CE to extent possible give the individual access to any other PHI requested after excluding the PHI to which the CE has a ground to deny access CE must provide a timely, written denial to the individual in plain language and contain: Basis for denial Description of how individual may complain to CE and to whom CFR Access of individuals to PHI What must the patient provide? A hand written or typed request authorizing the disclosure and the name and address to where information is released Does not have to be HIPAA compliant or on hospital authorization Unless sensitive or federally protected information is contained in the record 15 5

6 Result of and the individual An increase of over 20% of individuals exercising their right of access to a third party An increase in number of records pages/image of PHI 16 History of Fee Provisions HIPAA permits a CE to impose reasonable, cost-based fees including the labor and supply costs for responding to requests made by an individual (patient or legal representative) for copies of protected health information (PHI). CEs are not permitted to charge for retrieving or handling the request to the individual. Fees for copying and postage under state law are presumed reasonable but no search or retrieval fee under state law is permitted. 18 6

7 HITECH Act (c)(4) Fees If the individual requests a copy of the PHI or agrees to a summary of such information, the CE may impose a reasonable, cost-based fee, provided that the fee includes only the cost of: i. Labor for copying the PHI requested by the individual, whether in paper or electronic form; ii. Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided iii. Postage, when the individual has requested the copy, or the summary be mailed; and iv. (iv) Preparing an explanation or summary of the PHI, if agreed to by the individual 19 HITECH Act - Patient Access to Electronic Health Record (EHR) Under the HITECH Act, when a CE maintains an EHR with respect to PHI of an individual The right to obtain a copy of EHR in electronic format The individual has the right to direct the CE to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous and specific Any fee that the CE may impose for providing such information shall not be greater than the entity s labor costs in responding to the request. The CE disclosing the PHI is required to make the minimum necessary determination for the amount of information required for the purpose of the disclosure

8 22 How did you calculate that labor cost? What did you do for the hybrid records? What were the charges? How many were patient directed requests? 23 Please note that 45 C.F.R (c)(4) does not require that covered entities use a specific method to calculate what constitutes a reasonable, cost-based fee, such as multiplying hourly rate of pay for the worker performing the task by the time that worker spent making a copy. HIPAA regulations do not prohibit averaging labor and supply costs across all records requests rather calculating labor time spent for each record request on an individualized basis. 24 8

9 Omnibus did not provide an equation so what to consider? 25 [Wis. Stats (3f) (b)] has a mandatory fee for requests and these fees must be charged to the third party as long as the third party requests the record. Paper copies: $1.02/pg for pages 1-25; $0.70/pg for pages 26-50; $0.51/pg for pages ; and $0.30/pg for pages Microfiche or microfilm copies: $1.52 per page. Print of an X-ray: $10.15 per image. A single $8.12 charge for certification of copies, if the requester is not the patient or a person authorized by the patient. A single retrieval fee of $20.30 for all copies requested, if the requester is not the patient or a person authorized by the patient. Actual shipping costs and any applicable taxes. If a patient requests their medical records be sent to a third party via a patient directive (request letter), then the CE must charge patient rates under the Omnibus rule. 26 In states that have a mandatory fee structure, like WI, CEs must only charge the patient the lesser rate. IOD charges for records delivered through mail on paper or CD $0.39/per pg (1-100) $0.31/per pg ( ) Wisconsin state tier $0.12/ per pg (201+) *Max charge of $

10 Keep in mind your tiered rate scale and apply those page ranges as set forth in the state 28 What were we faced with in ROI as a result of Omnibus Rule? 29 Omnibus copy fee complaints 30 10

11 What are we seeing in ROI? 31 Train ROI Staff Need a separate directive by the Patient or personal representative HHS has distinguished a patient s or personal representative s directive to a covered entity to transmit a copy of protected health information (PHI) to a designated individual different than an authorization. Patient Directive is covered by 45 C.F.R (c)(3)(ii) Patient authorization is addressed by 45 C.F.R (c). 32 A directive to transmit a copy of PHI to a designated individual is distinct from an authorization form, such that a CE is permitted to release information to a third party pursuant to such a directive without an accompanying patient authorization, since the request for information is from the patient himself/herself and not from a third party. See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Nondiscrimination Act; Other Modifications to the HIPAA Rules ( Omnibus Final Rule ), 78 FR 5566, 5635 (January 25, 2013)

12 (c)(4) Fees 45 C.F.R (c)(4) Fees: only applies to requests by individuals, rather than requests by third parties. The individual is a defined term under HIPAA referring to the person who is the subject of protected health information. 45 C.F.R The fees will also apply to requests by those who qualify as personal representatives under 45 C.F.R (g), which will not apply to an attorney requestor unless such attorney has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, 45 C.F.R (g)(1)(2), which is generally not the case. POA, Executor of Estate, etc. 34 Scenario: Your facility receives a request from a law firm with a patient authorization attached. The law firm quotes the HITECH rule and that they would like a copy of the electronic record sent to them on a CD at labor costs to produce the record. 35 Response: your firm submitted to the CE an executed authorization from the individual, authorizing the release of records and your firm requesting a copy of the individual s medical records be sent to your law firm. Response: In accordance with the Omnibus Final Rule, our facility does not recognize your records request as covered by 45 C.F.R (c)(3)(ii), since HHS guidance is clear that a directive under 45 C.F.R (c)(3)(ii) is distinct from an authorization. Had you law firm instead submitted a separate directive compliant with 45 C.F.R (c)(3)(ii), our facility would have processed the request at patient rates

13 Response: Because the request originates from you (a third party) rather than the individual, the request will be subject to the fee schedule established under State law at. Based on this law, we estimate a charge for this copy of. Please note that, even with an electronic copy, our facility charges this amount in accordance with State law to cover the extensive release of information process in which a professional reviews each page of the requested records to ensure that only appropriate information is provided. 37 Response: You indicate that your request falls under the fee limitations at 42 U.S.C (e) of the HITECH Act and 45 C.F.R (c) of HIPAA. These sections only pertain to requests by individuals, not requests by third parties. For example, (c)(4) states that [i]f the individual requests a copy of the PHI, then the request is subject to certain fee limitations. On its face, the regulation does not address requests by persons other than the individual. And while (c)(3)(ii) provides that an individual may direct the CE to transmit a copy of the record to a third party, the subsection similarly begins with an individual s request. In the preamble commentary to HIPAA s 2013 regulatory amendments, HHS makes plain that only applies when the request was clearly made by the individual and not a third party: 38 Response: Section (c)(3) of the Privacy Rule currently requires the CE to provide the access requested by the individual in a timely manner, which includes arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing the copy of PHI at the individual s request. The Department had previously interpreted this provision as requiring a CE to mail the copy of PHI to an alternative address requested by the individual, provided the request was clearly made by the individual and not a third party. Section 13405(e)(1) of the HITECH Act provides that if the individual chooses, he or she has a right to direct the CE to transmit an electronic copy of PHI in an EHR directly to an entity or person designated by the individual, provided that such choice is clear, conspicuous, and specific

14 Response: Based on section 13405(e)(1) of the HITECH Act and our authority under section 264(c) of HIPAA, we proposed to expand (c)(3) to expressly provide that, if requested by an individual, a CE must transmit the copy of PHI directly to another person designated by the individual. This proposed amendment is consistent with the Department s prior interpretation on this issue and would apply without regard to whether the PHI is in electronic or paper form. 40 Response: Your request, on its face, is clearly from your law firm rather than from the patient. It is on firm letterhead, indicates that it is coming from your firm, and is signed by you. While the request includes a statement that is signed by the patient, this does not transform the request into a patient request. To conclude otherwise would mean that any third party requestor could avoid the requirements to provide a HIPAA-compliant authorization (which include substantial content requirements to ensure the individual s rights are safeguarded), and could instead merely add a sentence and the individual s signature to the third-party s request. 41 HITECH/Omnibus rates only apply to requests from the Individual or his/her Personal Representative Who is a Personal Representative under HIPAA? 42 14

15 A person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual s personal representative. 45 CFR (g) requires covered entities to treat an individual s personal representative as the individual with respect to uses and disclosures of the individual s protected health information, as well as the individual s rights under the Rule. Who are personal representatives? Health care POA, Court appointed legal guardian, General POA or durable POA that includes the power to make health care decisions A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child An Executor or administrator of the estate of a deceased patient Next of kin or other family member (if relevant law provides authority) 43 HIPAA defines an individual as the person who is the subject of protected health information. 5 HIPAA further provides that, generally, a covered entity (or its business associate) must treat a personal representative as the individual for purposes of [the HIPAA administrative simplification regulations]. 6 An attorney will only qualify as a personal representative if, under applicable law, the attorney has authority to act on behalf of an individual in making decisions related to health care C.F.R (definition of individual ) C.F.R (g)(1) C.F.R (g)(2), (3), and (4). 44 Be cautious and Read the request letters! Look out for: Attorney Requests on their letterhead signed by the patient Handwritten patient letters to their attorney Handwritten or typed patient letter with attorney authorization attached All = patient directive = actual cost and labor 45 15

16 46 16