The HIPAA Privacy Rule dictates how covered entities must keep PHI secure, but another key aspect described in the federal legislation is the patient right of access. Individuals have the right to review or obtain copies of their own PHI, albeit with limited exceptions.
The right of access exists regardless of the form that PHI is in at a healthcare organization. Certain provisions may apply slightly differently, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, but individuals have the right to their own medical records.
This week, HealthITSecurity.com will break down the finer points of patient right of access, such as individuals' right to request access electronically and CEs' electronic provision or denial of access. With more facilities implementing EHRs, it is essential that they understand how an individual's access rights may be fulfilled within an electronic HIE environment. Moreover, Stage 2 Meaningful Use stated that patients are to be granted the ability to view online, download and transmit their health information within four business days of the information being available to the provider.
Healthcare facilities need to remain compliant, and keeping PHI secure is a large part of that. However, denying individuals the right to their own PHI could come with its own consequences.
What is patient right of access?
According to the HIPAA Privacy Rule, CEs must disclose PHI in two specific situations:
- To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their PHI
- To HHS when it is undertaking a compliance investigation, review, or enforcement action.
Individuals have the right to request access to a “designated record set,” which according to HHS, is a “group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.”
However, certain exceptions will still apply. For example, a CE may deny access if a healthcare professional believes access could cause harm to the individual or another. Moreover, the Privacy Rule has exceptions to PHI access in the following areas:
- Psychotherapy notes
- Information compiled for legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access
- Information held by certain research laboratories.
It is also important to note that healthcare providers cannot charge individuals for the right to view or obtain their own records, but they can “impose reasonable, cost-based fees for the cost of copying and postage.”
Both individuals and their personal representatives are able to exercise the patient right of access. In determining when someone has the legal authority to act on behalf of another individual, the Privacy Rule defers to state law.
What is denial of access?
There are circumstances where CEs can deny access to PHI, and they are divided into grounds that are reviewable and those that are not. Unreviewable grounds for denial were mentioned above, and include psychotherapy notes and information compiled for legal proceedings.
Reviewable grounds for denial include the following:
- Disclosures which would cause endangerment of the individual or another person
- Situations where the PHI refers to another and disclosure is likely to cause substantial harm
- Requests made by a personal representative where disclosure is likely to cause substantial harm.