Peg Schmidt, RHIA CHPS and Amy Derlink, RHIA, CHA April 10, 2015


Step One: Gather the facts
- Who is the requestor?
- Why are they requesting (purpose)?
- What type of PHI are they asking for? (record type)

Step Two: Which law(s) apply?
- Look at the type of record requested and determine which law(s) apply
- Can be multiple

Step Three: Resources
- Copies of laws
- Bookmark the WI statutes page: http://www.legis.state.wi.us/rsb/stats.html
- HIPAA COW pre-emption grid

Step Four: Assume the requestor will require an authorization unless a legal exception is found
- Based on record type, purpose, requestor
- Pre-emption: follow the law that gives the greatest protection

Scenario: Child Protective Services requests ED records and tells you that they are investigating suspected child abuse. CPS identifies the child's record by name.

Step One: who / why / type of record?
- CPS
- Child abuse investigation
- ED patient health care record

Step Two: which laws apply?
- ED record = patient health care record = Wis. Stat. 146.82
- HIPAA Privacy Rule also applies

Step Three: resources
- Locate the 146.82 list of exceptions
- Locate the section in the Privacy Rule on child abuse, 45 CFR 164.512(b)(1)(ii)
- Pre-emption grid

Wis. Stat. 146.82(2)(a)11:
11. To a county department, as defined under s. 48.02 (2g), a sheriff or police department or a district attorney for purposes of investigation of threatened or suspected child abuse or neglect or suspected unborn child abuse or for purposes of prosecution of alleged child abuse or neglect, if the person conducting the investigation or prosecution identifies the subject of the record by name. The health care provider may release information by initiating contact with a county department, sheriff or police department or district attorney without receiving a request for release of the information. A person to whom a report or record is disclosed under this subdivision may not further disclose it, except to the persons, for the purposes and under the conditions specified in s. 48.981 (7).

HIPAA, 45 CFR 164.512(b)(1)(ii):
(b) Standard: uses and disclosures for public health activities. (1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to: ... (ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;

Analysis:
- Both state law and HIPAA would allow the disclosure without authorization
- Pre-emption directs that we follow state law, which adds the condition that the subject be identified by name
- Disclosure to CPS is allowable without authorization as long as the subject of the record is identified by name

Subpoenas
- A subpoena alone generally does not permit disclosure
- Subpoena signed by a judge = court order
- Attorney-issued subpoena: look for an authorization
- Out-of-state subpoenas are generally not valid
- Consider the requestor and purpose: does it meet an exception that allows disclosure?

Department of Safety and Professional Services or grand jury subpoena: may fit Wis. Stat. 146.82(2)(a)5:
5. In response to a written request by any federal or state governmental agency to perform a legally authorized function,

Court Orders
- Not all court orders are valid
- Determine federal versus state
- A federal court order could be valid in WI even if issued out-of-state
- A WI-issued court order is generally valid
- Out-of-state state court orders are generally not valid

Omnibus Rule
On January 25, 2013, HHS published the Omnibus Final Rule (78 FR 5566), which modified the HIPAA regulations in accordance with HITECH.

45 CFR 164.524, Access of individuals to PHI
The CE must act on a request for access no later than 30 days after receipt of the request, as follows.

If the CE grants the request, in whole or in part, it must:
- inform the individual of the acceptance of the request
- provide the access requested in the form or format requested, if it is readily producible in that form or format; if not, in a readable hard copy form or another form or format as agreed to by the CE and the individual

If the CE denies the request, in whole or in part, it must:
- provide the individual with a written denial
- to the extent possible, give the individual access to any other PHI requested after excluding the PHI to which the CE has a ground to deny access
The written denial must be timely, in plain language, and contain:
- the basis for the denial
- a description of how the individual may complain to the CE and to whom

What must the patient provide?
- A handwritten or typed request authorizing the disclosure, and the name and address to which the information is to be released
- It does not have to be HIPAA compliant or on the hospital's authorization form
- Unless sensitive or federally protected information is contained in the record

Result of 164.524 for the individual
- An increase of over 20% in individuals exercising their right of access to direct records to a third party
- An increase in the number of record pages/images of PHI

History of Fee Provisions
2003: HIPAA permits a CE to impose reasonable, cost-based fees, including the labor and supply costs, for responding to requests made by an individual (patient or legal representative) for copies of protected health information (PHI). CEs are not permitted to charge the individual for retrieving or handling the request. Fees for copying and postage under state law are presumed reasonable, but no search or retrieval fee under state law is permitted.

45 CFR 164.524(c)(4), Fees (as amended under HITECH)
If the individual requests a copy of the PHI or agrees to a summary of such information, the CE may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
i. Labor for copying the PHI requested by the individual, whether in paper or electronic form;
ii. Supplies for creating the paper copy or electronic media, if the individual requests that the electronic copy be provided
iii. Postage, when the individual has requested that the copy or the summary be mailed; and
iv. Preparing an explanation or summary of the PHI, if agreed to by the individual.

HITECH Act: Patient Access to the Electronic Health Record (EHR)
Under the HITECH Act, when a CE maintains an EHR with respect to PHI of an individual:
- The individual has the right to obtain a copy of the EHR in electronic format
- The individual has the right to direct the CE to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous and specific
- Any fee that the CE may impose for providing such information shall not be greater than the entity's labor costs in responding to the request
- The CE disclosing the PHI is required to make the minimum necessary determination for the amount of information required for the purpose of the disclosure

Questions raised:
- How did you calculate that labor cost?
- What did you do for the hybrid records?
- What were the charges?
- How many were patient-directed requests?

Please note that 45 C.F.R. 164.524(c)(4) does not require that covered entities use a specific method to calculate what constitutes a reasonable, cost-based fee, such as multiplying the hourly rate of pay for the worker performing the task by the time that worker spent making the copy. The HIPAA regulations do not prohibit averaging labor and supply costs across all records requests rather than calculating the labor time spent for each record request on an individualized basis.

Omnibus did not provide an equation, so what should be considered?

Wis. Stat. 146.83(3f)(b) sets a mandatory fee schedule for requests, and these fees must be charged to a third party as long as the third party is the one requesting the record:
- Paper copies: $1.02/page for pages 1-25; $0.70/page for pages 26-50; $0.51/page for pages 51-100; and $0.30/page for pages 101+
- Microfiche or microfilm copies: $1.52 per page
- Print of an X-ray: $10.15 per image
- A single $8.12 charge for certification of copies, if the requester is not the patient or a person authorized by the patient
- A single retrieval fee of $20.30 for all copies requested, if the requester is not the patient or a person authorized by the patient
- Actual shipping costs and any applicable taxes
If a patient requests that their medical records be sent to a third party via a patient directive (request letter), then the CE must charge patient rates under the Omnibus Rule.

In states that have a mandatory fee structure, like WI, CEs may charge the patient only the lesser rate. IOD charges for records delivered through the mail on paper or CD (Wisconsin state tier):
- $0.39 per page (pages 1-100)
- $0.31 per page (pages 101-200)
- $0.12 per page (pages 201+)
- Maximum charge of $400.00

Keep in mind your tiered rate scale and apply those page ranges as set forth in the state schedule.

What were we faced with in ROI as a result of the Omnibus Rule? Omnibus copy fee complaints.
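The tiered schedules above are easy to misapply (charging the retrieval fee to a patient, or applying a flat rate across all pages instead of per band). As an added illustration that is not part of the presentation, the following Python calculator encodes the per-band arithmetic, applies the certification and retrieval fees only to third-party requesters, and charges an individual (or personal representative) the lesser of the cost-based tier and the state per-page schedule. The dollar amounts are the figures quoted on the slides as of this 2015 talk; the Wisconsin amounts are adjusted over time, so they are constants to update, not authoritative rates. Function names, the requester labels and the treatment of shipping as a pass-through are this example's own assumptions.

```python
"""Tiered fee quote for a Wisconsin release-of-information request.

Added example, not code from the presentation. Rates are the slide figures
(Wis. Stat. 146.83(3f)(b) paper, certification and retrieval amounts, and the
IOD patient tier with its $400 cap) and are assumed current as of the talk.
"""
from decimal import Decimal, ROUND_HALF_UP

# Each tier is (upper page bound, inclusive, or None for open-ended; rate per page).
STATE_PAPER_TIERS = [(25, Decimal("1.02")), (50, Decimal("0.70")),
                     (100, Decimal("0.51")), (None, Decimal("0.30"))]
STATE_CERTIFICATION = Decimal("8.12")   # only if requester is not patient/authorized
STATE_RETRIEVAL = Decimal("20.30")      # only if requester is not patient/authorized

# Cost-based patient tier as quoted for IOD (assumption: paper or CD by mail).
PATIENT_TIERS = [(100, Decimal("0.39")), (200, Decimal("0.31")), (None, Decimal("0.12"))]
PATIENT_CAP = Decimal("400.00")

INDIVIDUAL_REQUESTERS = {"patient", "personal_representative"}


def tiered_total(pages: int, tiers) -> Decimal:
    """Sum per-page charges, applying each rate only to the pages inside its band."""
    if pages < 0:
        raise ValueError("pages must be non-negative")
    total, lower = Decimal("0"), 0
    for upper, rate in tiers:
        if pages <= lower:
            break
        in_band = (pages if upper is None else min(pages, upper)) - lower
        total += in_band * rate
        if upper is not None:
            lower = upper
    return total


def third_party_fee(pages: int, shipping=Decimal("0")) -> Decimal:
    """Wis. Stat. 146.83(3f)(b) schedule for a request that comes from a third party."""
    return (tiered_total(pages, STATE_PAPER_TIERS)
            + STATE_CERTIFICATION + STATE_RETRIEVAL + shipping)


def patient_rate_fee(pages: int, shipping=Decimal("0")) -> Decimal:
    """Lesser of the capped cost-based patient tier and the state per-page schedule.

    Certification and retrieval fees are never charged to the individual.
    """
    cost_based = min(tiered_total(pages, PATIENT_TIERS), PATIENT_CAP)
    state_pages_only = tiered_total(pages, STATE_PAPER_TIERS)
    return min(cost_based, state_pages_only) + shipping


def quote(requester: str, pages: int, shipping=Decimal("0")) -> Decimal:
    """Choose the schedule by who the request is FROM, not who the copy goes TO.

    A patient directive under 164.524(c)(3)(ii) naming an attorney is still a
    "patient" request; a letter on firm letterhead with an authorization
    attached is "third_party".
    """
    if requester in INDIVIDUAL_REQUESTERS:
        fee = patient_rate_fee(pages, shipping)
    elif requester == "third_party":
        fee = third_party_fee(pages, shipping)
    else:
        raise ValueError(f"unknown requester type: {requester!r}")
    return fee.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    for who, n in (("third_party", 30), ("patient", 30),
                   ("patient", 5000), ("third_party", 5000)):
        print(f"{who:>22} {n:>5} pages -> ${quote(who, n)}")
```

Decimal arithmetic is used so that the per-page totals match what a billing system would print; with floats a 4,900-page band at $0.30 drifts by fractions of a cent. The requester label is the input that matters most: the same 30-page record costs $57.42 as a third-party request and $11.70 under a patient directive, which is exactly the difference the law-firm correspondence later in these slides turns on.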

What are we seeing in ROI?

Train ROI staff: a separate directive from the patient or personal representative is needed.
HHS has distinguished a patient's or personal representative's directive to a covered entity to transmit a copy of protected health information (PHI) to a designated individual from an authorization:
- A patient directive is covered by 45 C.F.R. 164.524(c)(3)(ii)
- A patient authorization is addressed by 45 C.F.R. 164.508(c)

A directive to transmit a copy of PHI to a designated individual is distinct from an authorization form, such that a CE is permitted to release information to a third party pursuant to such a directive without an accompanying patient authorization, since the request for information is from the patient himself/herself and not from a third party. See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules ("Omnibus Final Rule"), 78 FR 5566, 5635 (January 25, 2013).

45 C.F.R. 164.524(c)(4), Fees
45 C.F.R. 164.524(c)(4) applies only to requests by individuals, not to requests by third parties. "Individual" is a defined term under HIPAA referring to the person who is the subject of protected health information (45 C.F.R. 160.103). The fee limits also apply to requests by those who qualify as personal representatives under 45 C.F.R. 164.502(g), which will not cover an attorney requestor unless the attorney has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care (45 C.F.R. 164.502(g)(1)-(2)), which is generally not the case. Examples of personal representatives: POA, executor of estate, etc.

Scenario: Your facility receives a request from a law firm with a patient authorization attached. The law firm quotes the HITECH rule and says it would like a copy of the electronic record sent to it on a CD at the labor cost to produce the record.

Response: Your firm submitted to the CE an executed authorization from the individual authorizing the release of records, and your firm requested that a copy of the individual's medical records be sent to your law firm. In accordance with the Omnibus Final Rule, our facility does not recognize your records request as covered by 45 C.F.R. 164.524(c)(3)(ii), since HHS guidance is clear that a directive under 45 C.F.R. 164.524(c)(3)(ii) is distinct from an authorization. Had your law firm instead submitted a separate directive compliant with 45 C.F.R. 164.524(c)(3)(ii), our facility would have processed the request at patient rates.

Response (continued): Because the request originates from you (a third party) rather than from the individual, the request is subject to the fee schedule established under State law at ____. Based on this law, we estimate a charge for this copy of ____. Please note that, even for an electronic copy, our facility charges this amount in accordance with State law to cover the extensive release of information process in which a professional reviews each page of the requested records to ensure that only appropriate information is provided.

Response (continued): You indicate that your request falls under the fee limitations at 42 U.S.C. 17935(e) of the HITECH Act and 45 C.F.R. 164.524(c) of HIPAA. These sections pertain only to requests by individuals, not requests by third parties. For example, 164.524(c)(4) states that "[i]f the individual requests a copy of the PHI," then the request is subject to certain fee limitations. On its face, the regulation does not address requests by persons other than the individual. And while 164.524(c)(3)(ii) provides that an individual may direct the CE to transmit a copy of the record to a third party, the subsection similarly begins with an individual's request. In the preamble commentary to HIPAA's 2013 regulatory amendments, HHS makes plain that 164.524 applies only when the request was clearly made by the individual and not a third party:

Response (continued, quoting the preamble): Section 164.524(c)(3) of the Privacy Rule currently requires the CE to provide the access requested by the individual in a timely manner, which includes arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing the copy of PHI at the individual's request. The Department had previously interpreted this provision as requiring a CE to mail the copy of PHI to an alternative address requested by the individual, provided the request was clearly made by the individual and not a third party. Section 13405(e)(1) of the HITECH Act provides that if the individual chooses, he or she has a right to direct the CE to transmit an electronic copy of PHI in an EHR directly to an entity or person designated by the individual, provided that such choice is clear, conspicuous, and specific.

Response (continued, quoting the preamble): Based on section 13405(e)(1) of the HITECH Act and our authority under section 264(c) of HIPAA, we proposed to expand 164.524(c)(3) to expressly provide that, if requested by an individual, a CE must transmit the copy of PHI directly to another person designated by the individual. This proposed amendment is consistent with the Department's prior interpretation on this issue and would apply without regard to whether the PHI is in electronic or paper form.

Response (continued): Your request, on its face, is clearly from your law firm rather than from the patient. It is on firm letterhead, indicates that it is coming from your firm, and is signed by you. While the request includes a statement that is signed by the patient, this does not transform the request into a patient request. To conclude otherwise would mean that any third-party requestor could avoid the requirements to provide a HIPAA-compliant authorization (which include substantial content requirements to ensure the individual's rights are safeguarded), and could instead merely add a sentence and the individual's signature to the third party's request.

HITECH/Omnibus rates apply only to requests from the individual or his/her personal representative.
Who is a personal representative under HIPAA?

A person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual's personal representative. 45 CFR 164.502(g) requires covered entities to treat an individual's personal representative as the individual with respect to uses and disclosures of the individual's protected health information, as well as the individual's rights under the Rule.

Who are personal representatives?
- Health care POA; court-appointed legal guardian; general POA or durable POA that includes the power to make health care decisions
- A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child
- An executor or administrator of the estate of a deceased patient
- Next of kin or other family member (if relevant law provides authority)

HIPAA defines an "individual" as the person who is the subject of protected health information.[5] HIPAA further provides that, generally, a covered entity (or its business associate) must treat a personal representative as the individual for purposes of [the HIPAA administrative simplification regulations].[6] An attorney will only qualify as a personal representative if, under applicable law, the attorney has authority to act on behalf of an individual in making decisions related to health care.[7]

[5] 45 C.F.R. 160.103 (definition of "individual").
[6] 45 C.F.R. 164.502(g)(1).
[7] 45 C.F.R. 164.502(g)(2), (3), and (4).

Be cautious and read the request letters! Look out for:
- Attorney requests on their letterhead signed by the patient
- Handwritten patient letters to their attorney
- Handwritten or typed patient letter with attorney authorization attached
All = patient directive = actual cost and labor
