Question

in your own words using references as support only) two principles that describe an individual’s rights with respect to their PHI. Once you have chosen the two principles, you are to explain what they mean and their importance not only to the patient, but as a healthcare professional as well.

Answer 1

Answer:

DEFINITION

protected health information (PHI) or personal health information

Protected health information (PHI), also referred to as personal health information, generally refers to demographicinformation, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.

These the the following rights of the patient related to PHI:

3. The right to access and request a copy of medical records

HIPAA gives patients the right to see and receive a copy of their medical records (not the original records).  

Tip: To find out how to request access to a medical record, look at the notice of privacy practices. Patients can always request a copy of the notice, which should provide instructions for requesting records as well as contact information for asking questions or filing complaints.

a. Does this right apply to electronic records?

Yes. Patients have the right to access both paper and electronic records. An individual may request information in a specific format, and the covered entity must comply with the request if the data is readily producible.   If the data is not readily producible in the patient’s specified format, the covered entity and individual can agree on another format. If they can’t reach agreement, the covered entity will produce a hard copy.

For example, a patient might ask her doctor’s office to provide her records on an external portable storage device such as a USB drive. If the doctor’s office doesn’t agree to use the USB drive because it believes it is a security risk, the office and patient may reach agreement about another format. If they don’t agree, the doctor may provide a hard copy.

To learn more about the right to access information in an electronic health environment, see HHS’ publication: The HIPAA Privacy Rule’s Right of Access and Health Information Technology.

b. Can a patient request that someone else be given access to her information?

Yes. Often patients want providers to send their health information to third parties such as another doctor, a relative, or an attorney. To do this, the patient should sign a request that clearly identifies which records to send, the designated person, and where to send the records.

c. Will a patient be charged fees to receive copies of medical records?

Most likely.   HIPAA allows covered entities to charge a “reasonable, cost-based fee.” The covered entity can charge for supplies, staff time for copying and processing, and mailing (if applicable).

The covered entity may charge for the time staff spends copying and processing the record. However, it may not charge for the time a staff member spends searching for the record. In addition, the covered entity should not adopt a policy of charging a flat fee or charging a patient to view a record.

Note that state law may limit a covered entity’s ability to charge for records.

The HIPAA Rule provides the following example. If state law limits costs to 25 cents a page and the actual cost is only four cents per page, then the covered entity may charge only four cents. If the cost is 30 cents per page and state law allows for 25 cents, then the covered entity may charge no more than 25 cents. In short, the consumer is charged the lesser amount.

d. Can patients still access their records if a physician no longer practices medicine?

According to the American Health Information Management Association, state and federal law will dictate how long a physician must retain records (HIPAA does not include a record retention period).

Patients may be able to find their records by contacting:

• the physician’s partners;
• the health information manager or privacy officer at a hospital or facility where the physician practices;
• a local medical society;
• the state medical association; or
• the state department of health.

e. How long does a covered entity have to deliver a patient's requested records?

A covered entity must produce records 30 days from the date of request. HIPAA allows a covered entity one 30-day extension if it provides written notice to the patient stating the reason for the delay and the expected date. This applies to both paper and electronic records.

f. When can patients be denied access to their medical information?

A covered entity may deny a patient's request for access under certain circumstances. Typically the covered entity must issue a written denial letter, and in some cases, an individual may be able to appeal a denial.

As a general rule, patients do not have the right to access their own psychotherapy notes or information a covered entity compiled for legal proceedings.

Individuals may be denied access to their protected health information (PHI) without the right to review the denial in the following situations:

• Correctional institutions may deny an inmate's request for a copy of PHI if it jeopardizes the health, safety, security, custody, or rehabilitation of the individual or other inmates. It may also deny a request that jeopardizes the safety of any person at the correctional institution or those responsible for transporting the inmate.
• If a covered health care provider obtains or creates PHI in the course of research, it may temporarily suspend access while the research is in process. This applies if the individual agreed to the denial when he or she decided to participate in a study and understands that the right will be reinstated when the research is complete.
• If a record that contains PHI is subject to the Privacy Act there are certain circumstances where an individual may not be able to access the record.
• If the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would likely reveal the source of the information, and individual may not be able to access the information.
  

Sometimes individuals have the right to have denials of access reviewed by a licensed healthcare professional.  If so, the patient should receive instructions telling him or her how to appeal the denial. The covered entity will designate a reviewing official who did not participate in the original decision to deny access.  

g. What should patients do when they have trouble accessing or obtaining a copy of their medical records?

We recommend to start a complaint process by first contacting the health care provider’s designated privacy of HIPAA compliance officer. Doing so documents the complaint, and also indicates that the individual has made a good faith effort to resolve the problem.

In addition, there are ten HHS/OCR Regional Offices located throughout the country with staff counselors available to answer patient questions.

If there are further problems or the provider ignores a complaint, the individual may want to proceed with an HHS complaint. Although government agencies cannot represent individuals, consumer complaints often alert agencies to HIPAA violations. HIPAA says people cannot be denied treatment because of a complaint.

HIPAA does not prevent states from passing laws that enhance protections. George Washington University also has a guide, Health Information and the Law, which includes information on state laws.

4. The right to request an amendment to medical records

When patients access a medical record and find information they believe is inaccurate, they may file a written request that the record be corrected. The covered entitymust respond to the request within 60 days. It may decide to take an additional 30 days, but must provide the individual with a written explanation for the delay and a date by which it will complete the action.

If the covered entity denies the request, it must provide the patient with the following information in writing:

• the basis for the denial (for example, the covered entity did not create the record, the information is not part of the designated record set, the individual is not allowed to access the record under another HIPAA provision, or the record is accurate and complete);
• that the individual has a right to submit a written statement disagreeing with the denial;
• that the individual may request that the covered entity provide the request for amendment and the denial with any future disclosures that pertain to the request; and
• how the individual may complain.

5. The right to request special privacy protection for PHI

Under HIPAA, covered entitiesmust allow an individual to make specific privacy requests. While an individual has the right to make a request, in most situations the covered entity is not required to agree.  

If a covered entity agrees to honor an individual's privacy request, it must comply unless the individual needs emergency treatment and the restricted PHI is necessary to provide the treatment. In an emergency situation where the covered entity must disclose information it agreed to restrict, it must request that the information not be further disclosed.  

Tip: Make any special privacy requests in writing and keep a signed copy if the covered entity agrees to follow it.

a. Can a patient pay out of pocket to restrict disclosures of protected health information?

A covered entity such as a doctor must agree to an individual's request to restrict disclosure of her PHI to a health plan if:

• the disclosure is for the purpose of carrying out payment or health care operations and is not required by law; and
• the PHI only pertains to an item or service for which the individual has paid in full.