Page 1
AMC/HIPAA Workgroup
166
Section Four: Consumer Controls

PRIV.43
Notice of privacy practices
§ 164.520(a)
HIPAA Requirement
Standard: notice of privacy practices.
(1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this section, an
individual has a right to adequate notice of the uses and disclosures of protected
health information that may be made by the covered entity, and of the individual's
rights and the covered entity's legal duties with respect to protected health
information.
(2) Exception for group health plans.
(i) An individual enrolled in a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an individual does
not receive health benefits under the group health plan through an insurance
contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the group health
plan through which such individuals receive their health benefits under the group
health plan.
(ii) A group health plan that provides health benefits solely through an insurance
contract with a health insurance issuer or HMO, and that creates or receives
protected health information in addition to summary health information as
defined in § 164.504(a) or information on whether the individual is participating
in the group health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions of paragraph
(c)(1) of this section do not apply to such group health plan.
(iii) A group health plan that provides health benefits solely through an insurance
contract with a health insurance issuer or HMO, and does not create or receive
protected health information other than summary health information as defined in
§ 164.504(a) or information on whether an individual is participating in the
group health plan, or is enrolled in or has disenrolled from a health insurance
issuer or HMO offered by the plan, is not required to maintain or provide a notice
under this section.
(3) Exception for inmates. An inmate does not have a right to notice under
this section, and the requirements of this section do not apply to a correctional
institution that is a covered entity.
(b) Implementation specifications: content of notice.
(1) Required elements. The covered entity must provide a notice that is
written in plain language and that contains the elements required by this
paragraph.
(i) Header. The notice must contain the following statement as a header or
otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL
INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW
YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT
CAREFULLY."

(ii) Uses and disclosures. The notice must contain:
(A) A description, including at least one example, of the types of uses and
disclosures that the covered entity is permitted by this subpart to make for each of
the following purposes: treatment, payment, and health care operations.
(B) A description of each of the other purposes for which the covered entity is
permitted or required by this subpart to use or disclose protected health
information without the individual's written consent or authorization.
(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or
(B) of this section is prohibited or materially limited by other applicable law, the
description of such use or disclosure must reflect the more stringent law as
defined in § 160.202.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section,
the description must include sufficient detail to place the individual on notice of
the uses and disclosures that are permitted or required by this subpart and other
applicable law.
(E) A statement that other uses and disclosures will be made only with the
individual's written authorization and that the individual may revoke such
authorization as provided by § 164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the covered entity
intends to engage in any of the following activities, the description required by
paragraph (b)(1)(ii)(A) of this section must include a separate statement, as
applicable, that:
(A) The covered entity may contact the individual to provide appointment
reminders or information about treatment alternatives or other health-related
benefits and services that may be of interest to the individual;
(B) The covered entity may contact the individual to raise funds for the covered
entity; or
(C) A group health plan, or a health insurance issuer or HMO with respect to a
group health plan, may disclose protected health information to the sponsor of the
plan.
(iv) Individual rights. The notice must contain a statement of the individual's
rights with respect to protected health information and a brief description of how
the individual may exercise these rights, as follows:
(A) The right to request restrictions on certain uses and disclosures of protected
health information as provided by § 164.522(a), including a statement that the
covered entity is not required to agree to a requested restriction;
(B) The right to receive confidential communications of protected health
information as provided by § 164.522(b), as applicable;
(C) The right to inspect and copy protected health information as provided by § 164.524;
(D) The right to amend protected health information as provided by § 164.526;
(E) The right to receive an accounting of disclosures of protected health
information as provided by § 164.528; and
(F) The right of an individual, including an individual who has agreed to receive
the notice electronically in accordance with paragraph (c)(3) of this section, to
obtain a paper copy of the notice from the covered entity upon request.

(v) Covered entity's duties. The notice must contain:
(A) A statement that the covered entity is required by law to maintain the privacy
of protected health information and to provide individuals with notice of its legal
duties and privacy practices with respect to protected health information;
(B) A statement that the covered entity is required to abide by the terms of the
notice currently in effect; and
(C) For the covered entity to apply a change in a privacy practice that is
described in the notice to protected health information that the covered entity
created or received prior to issuing a revised notice, in accordance with
§ 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its
notice and to make the new notice provisions effective for all protected health
information that it maintains. The statement must also describe how it will
provide individuals with a revised notice.
(vi) Complaints. The notice must contain a statement that individuals may
complain to the covered entity and to the Secretary if they believe their privacy
rights have been violated, a brief description of how the individual may file a
complaint with the covered entity, and a statement that the individual will not be
retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, and telephone
number of a person or office to contact for further information as required by
§ 164.530(a)(1)(ii).
(viii) Effective date. The notice must contain the date on which the notice is
first in effect, which may not be earlier than the date on which the notice is
printed or otherwise published.
(2) Optional elements.
(i) In addition to the information required by paragraph (b)(1) of this section, if a
covered entity elects to limit the uses or disclosures that it is permitted to make
under this subpart, the covered entity may describe its more limited uses or
disclosures in its notice, provided that the covered entity may not include in its
notice a limitation affecting its right to make a use or disclosure that is required
by law or permitted by § 164.512(j)(1)(i).
(ii) For the covered entity to apply a change in its more limited uses and
disclosures to protected health information created or received prior to issuing a
revised notice, in accordance with § 164.530(i)(2)(ii), the notice must include the
statements required by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The covered entity must promptly revise and
distribute its notice whenever there is a material change to the uses or
disclosures, the individual's rights, the covered entity's legal duties, or other
privacy practices stated in the notice. Except when required by law, a material
change to any term of the notice may not be implemented prior to the effective
date of the notice in which such material change is reflected.
(c) Implementation specifications: provision of notice. A covered entity must
make the notice required by this section available on request to any person and to
individuals as specified in paragraphs (c)(1) through (c)(4) of this section, as
applicable.
(1) Specific requirements for health plans.

(i) A health plan must provide notice:
(A) No later than the compliance date for the health plan, to individuals then
covered by the plan;
(B) Thereafter, at the time of enrollment, to individuals who are new enrollees; and
(C) Within 60 days of a material revision to the notice, to individuals then covered by
the plan.
(ii) No less frequently than once every three years, the health plan must notify
individuals then covered by the plan of the availability of the notice and how to
obtain the notice.
(iii) The health plan satisfies the requirements of paragraph (c)(1) of this section
if notice is provided to the named insured of a policy under which coverage is
provided to the named insured and one or more dependents.
(iv) If a health plan has more than one notice, it satisfies the requirements of
paragraph (c)(1) of this section by providing the notice that is relevant to the
individual or other person requesting the notice.
(2) Specific requirements for certain covered health care providers. A
covered health care provider that has a direct treatment relationship with an
individual must:
(i) Provide the notice no later than the date of the first service delivery, including
service delivered electronically, to such individual after the compliance date for
the covered health care provider;
(ii) If the covered health care provider maintains a physical service delivery site:
(A) Have the notice available at the service delivery site for individuals to request
to take with them; and
(B) Post the notice in a clear and prominent location where it is reasonable to
expect individuals seeking service from the covered health care provider to be
able to read the notice; and
(iii) Whenever the notice is revised, make the notice available upon request on or
after the effective date of the revision and promptly comply with the requirements
of paragraph (c)(2)(ii) of this section, if applicable.
(3) Specific requirements for electronic notice. (i) A covered entity that
maintains a web site that provides information about the covered entity's
customer services or benefits must prominently post its notice on the web site and
make the notice available electronically through the web site.
(ii) A covered entity may provide the notice required by this section to an
individual by e-mail, if the individual agrees to electronic notice and such
agreement has not been withdrawn. If the covered entity knows that the e-mail
transmission has failed, a paper copy of the notice must be provided to the
individual. Provision of electronic notice by the covered entity will satisfy the
provision requirements of paragraph (c) of this section when timely made in
accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery
to an individual is delivered electronically, the covered health care provider must
provide electronic notice automatically and contemporaneously in response to the
individual's first request for service.

(iv) The individual who is the recipient of electronic notice retains the right to
obtain a paper copy of the notice from a covered entity upon request.
(d) Implementation specifications: joint notice by separate covered entities.
Covered entities that participate in organized health care arrangements may
comply with this section by a joint notice, provided that:
(1) The covered entities participating in the organized health care
arrangement agree to abide by the terms of the notice with respect to protected
health information created or received by the covered entity as part of its
participation in the organized health care arrangement;
(2) The joint notice meets the implementation specifications in paragraph (b)
of this section, except that the statements required by this section may be altered
to reflect the fact that the notice covers more than one covered entity; and
(i) Describes with reasonable specificity the covered entities, or class of entities,
to which the joint notice applies;
(ii) Describes with reasonable specificity the service delivery sites, or classes of
service delivery sites, to which the joint notice applies; and
(iii) If applicable, states that the covered entities participating in the organized
health care arrangement will share protected health information with each other,
as necessary to carry out treatment, payment, or health care operations relating
to the organized health care arrangement.
(3) The covered entities included in the joint notice must provide the notice to
individuals in accordance with the applicable implementation specifications of
paragraph (c) of this section. Provision of the joint notice to an individual by any
one of the covered entities included in the joint notice will satisfy the provision
requirement of paragraph (c) of this section with respect to all others covered by
the joint notice.
(e) Implementation specifications: documentation. A covered entity must
document compliance with the notice requirements by retaining copies of the
notices issued by the covered entity as required by § 164.530(j).
AMC Explanation of HIPAA Regulation
Individuals have the right, except as specifically stated, to be notified of the types of uses and
disclosures of protected health information that may be made by a covered entity. They also
have the right to be notified of their individual rights and the covered entity's legal duties with
respect to that information. This section details the specific requirements for wording of this
notice as well as statements of individual rights and covered entity obligations. In addition, it
addresses the requirements for the provision of this notice (frequency, timing, and
documentation).
Key Issues
How much of an obligation do covered entities have to be sure that individuals
"understand" this notice (e.g. non-English speakers, visually impaired, uncooperative
patients)?
How can this lengthy notice be incorporated into routine care with a minimum burden to
patients, workforce members, and organizations without further complicating an already
confusing "front-end" process?

How can the process of enabling individuals to exercise the rights required by the
regulations be succinctly communicated as part of this notice?
What if a covered entity, because of medical urgency, is unable to present this notice on
the day of delivery of service as required?
Category I Guidelines-Actions must be taken to address these
Develop a policy and procedure to ensure that the required notices are implemented.
Notices must have all the elements specifically required by the regulations, and comply
with the provision requirements.
Covered entities that maintain a customer service or benefits web site must post their
notices on the web site and make the notice available electronically.
If the entity makes a material change to the notice, the changed notice must be publicized
within a specific timeframe specified.
Category II Guidelines-Actions should be taken to address these
Include a brief, easy-to-read description of the key elements of the notice with the
detailed version, to enhance patients' understanding.
Consider incorporating privacy practices into a covered entity's "patient rights" literature
and process in order to minimize the expense and inconvenience to both patient and
entity and optimize its informational impact.
Consider developing a means of accounting for the delivery of this notice as the covered
entity delivers it.
Roadblocks
Providers may be reluctant to tell patients their rights for fear of retaliation if those rights are
violated. There can also be concern by both providers and patients that "too much" informed
consent is a bad thing.
Many AMCs have decentralized websites, and will have to ensure that all sites have privacy
notices.
Comments
The only documentation of compliance required by this standard is "...by retaining copies of the
notices issued...." More rigorous accounting methods might leave the AMC vulnerable to audit
and in fact be unachievable.
The standard text contains significant details regarding implementation requirements.
References: §§ 160.504, 160.202, 164.508, 164.512, 164.522, 164.524, 164.528, and 164.530.

PRIV.44
Confidential communications requirements
§ 164.522(b)(1)
HIPAA Requirement
Standard: confidential communications requirements.
(i) A covered health care provider must permit individuals to request and
must accommodate reasonable requests by individuals to receive communications
of protected health information from the covered health care provider by
alternative means or at alternative locations.
(ii) A health plan must permit individuals to request and must accommodate
reasonable requests by individuals to receive communications of protected health
information from the health plan by alternative means or at alternative locations,
if the individual clearly states that the disclosure of all or part of that information
could endanger the individual.
(2) Implementation specifications: conditions on providing confidential
communications.
(i) A covered entity may require the individual to make a request for a
confidential communication described in paragraph (b)(1) of this section in
writing.
(ii) A covered entity may condition the provision of a reasonable accommodation
on:
(A) When appropriate, information as to how payment, if any, will be handled;
and
(B) Specification of an alternative address or other method of contact.
(iii) A covered health care provider may not require an explanation from the
individual as to the basis for the request as a condition of providing
communications on a confidential basis.
(iv) A health plan may require that a request contain a statement that disclosure
of all or part of the information to which the request pertains could endanger the
individual.
AMC Explanation of HIPAA Regulation
This portion of the regulations requires the covered entity to accept requests for
alternative means of communicating with the patient or plan member and to
accommodate such requests if they are reasonable. A health care provider may not
require the patient to reveal the reason for the request, but a health plan may require a
statement that the plan member believes that disclosure of the protected health
information would endanger the patient.
Key Issues
How many alternative communications schemes can a covered entity practically
accommodate?
How well can a covered entity ensure that the agreed upon alternative is used (and not the
normal means)?
Will some patients avoid care if no reasonable alternative accommodation can be found?

What liability will covered entities have if they fail to use the agreed alternative means
and a consequent harm befalls the patient?
Category I Guidelines-Actions must be taken to address these
Provide a way for patients or plan members to request alternative means of
communication, and accommodate such requests if there is a reasonable way to do so.
Establish a procedure so all workforce members who are engaging in communications
with a patient who has requested and received an agreement to use alternate means of
communication are aware of the need to use those channels.
Category II Guidelines-Actions should be taken to address these
Consider creating a limited set of alternative communications models and offering these
models to patients or plan members requesting alternative means.
Consider establishing a referral program for patients whose communications needs the
covered entity cannot reasonably accommodate.
Create a method of review to determine the effectiveness of alternative means of
communication.
Consult legal staff about what constitutes a reasonable request.
Roadblocks
Clear definitions of alternative means of communication and their reliable implementation may
be challenging.
Comments
This portion of the regulation creates an accommodation for people whose privacy is not assured
in their daily lives. Shared voice mail, shared mailboxes, shared faxes, and shared emails are
typical in private homes, barracks, and shelters today. Without this accommodation, many of
these patients might not seek needed care. The reliability of using the alternative means is a very
important issue here since, presumably, the likelihood that harm would result to the patient is
high if normal means are used.
Note the distinction between this confidential communications requirement and the "Right of an
individual to request restriction of uses and disclosures" in PRIV.11. In the case of
communications, covered entities are required to accommodate the request if it is reasonable. In
the case of use and disclosure restrictions, the covered entity is not required to agree to the
restriction under any circumstances.

PRIV.45
Access to protected health information
§ 164.524(a)
HIPAA Requirement
Standard: access to protected health information.
(1) Right of access. Except as otherwise provided in paragraph (a)(2) or
(a)(3) of this section, an individual has a right of access to inspect and obtain a
copy of protected health information about the individual in a designated record
set, for as long as the protected health information is maintained in the
designated record set, except for:
(i) Psychotherapy notes;
(ii) Information compiled in reasonable anticipation of, or for use in, a civil,
criminal, or administrative action or proceeding; and
(iii) Protected health information maintained by a covered entity that is:
(A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42
U.S.C. 263a, to the extent the provision of access to the individual would be
prohibited by law; or
(B) Exempt from the Clinical Laboratory Improvements Amendments of 1988,
pursuant to 42 CFR 493.3(a)(2).
(2) Unreviewable grounds for denial. A covered entity may deny an
individual access without providing the individual an opportunity for review, in
the following circumstances.
(i) The protected health information is excepted from the right of access by
paragraph (a)(1) of this section.
(ii) A covered entity that is a correctional institution or a covered health care
provider acting under the direction of the correctional institution may deny, in
whole or in part, an inmate's request to obtain a copy of protected health
information, if obtaining such copy would jeopardize the health, safety, security,
custody, or rehabilitation of the individual or of other inmates, or the safety of
any officer, employee, or other person at the correctional institution or
responsible for the transporting of the inmate.
(iii) An individual's access to protected health information created or obtained
by a covered health care provider in the course of research that includes
treatment may be temporarily suspended for as long as the research is in
progress, provided that the individual has agreed to the denial of access when
consenting to participate in the research that includes treatment, and the covered
health care provider has informed the individual that the right of access will be
reinstated upon completion of the research.
(iv) An individual's access to protected health information that is contained in
records that are subject to the Privacy Act, 5 U.S.C. § 552a, may be denied, if the
denial of access under the Privacy Act would meet the requirements of that law.
(v) An individual's access may be denied if the protected health information was
obtained from someone other than a health care provider under a promise of
confidentiality and the access requested would be reasonably likely to reveal the
source of the information.

(3) Reviewable grounds for denial. A covered entity may deny an individual
access, provided that the individual is given a right to have such denials
reviewed, as required by paragraph (a)(4) of this section, in the following
circumstances:
(i) A licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to endanger
the life or physical safety of the individual or another person;
(ii) The protected health information makes reference to another person (unless
such other person is a health care provider) and a licensed health care
professional has determined, in the exercise of professional judgment, that the
access requested is reasonably likely to cause substantial harm to such other
person; or
(iii) The request for access is made by the individual's personal representative
and a licensed health care professional has determined, in the exercise of
professional judgment, that the provision of access to such personal
representative is reasonably likely to cause substantial harm to the individual or
another person.
(4) Review of a denial of access. If access is denied on a ground permitted
under paragraph (a)(3) of this section, the individual has the right to have the
denial reviewed by a licensed health care professional who is designated by the
covered entity to act as a reviewing official and who did not participate in the
original decision to deny. The covered entity must provide or deny access in
accordance with the determination of the reviewing official under paragraph
(d)(4) of this section.
(b) Implementation specifications: requests for access and timely action.
(1) Individual's request for access. The covered entity must permit an
individual to request access to inspect or to obtain a copy of the protected health
information about the individual that is maintained in a designated record set.
The covered entity may require individuals to make requests for access in writing,
provided that it informs individuals of such a requirement.
(2) Timely action by the covered entity.
(i) Except as provided in paragraph (b)(2)(ii) of this section, the covered entity
must act on a request for access no later than 30 days after receipt of the request
as follows.
(A) If the covered entity grants the request, in whole or in part, it must inform the
individual of the acceptance of the request and provide the access requested, in
accordance with paragraph (c) of this section.
(B) If the covered entity denies the request, in whole or in part, it must provide the
individual with a written denial, in accordance with paragraph (d) of this section.
(ii) If the request for access is for protected health information that is not
maintained or accessible to the covered entity on-site, the covered entity must
take an action required by paragraph (b)(2)(i) of this section by no later than 60
days from the receipt of such a request.
(iii) If the covered entity is unable to take an action required by paragraph
(b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i)

or (ii) of this section, as applicable, the covered entity may extend the time for
such actions by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i) or (ii) of
this section, as applicable, provides the individual with a written statement of the
reasons for the delay and the date by which the covered entity will complete its
action on the request; and
(B) The covered entity may have only one such extension of time for action on a
request for access.
(c) Implementation specifications: provision of access. If the covered entity
provides an individual with access, in whole or in part, to protected health
information, the covered entity must comply with the following requirements.
(1) Providing the access requested. The covered entity must provide the
access requested by individuals, including inspection or obtaining a copy, or
both, of the protected health information about them in designated record sets. If
the same protected health information that is the subject of a request for access is
maintained in more than one designated record set or at more than one location,
the covered entity need only produce the protected health information once in
response to a request for access.
(2) Form of access requested.
(i) The covered entity must provide the individual with access to the protected
health information in the form or format requested by the individual, if it is
readily producible in such form or format; or, if not, in a readable hard copy
form or such other form or format as agreed to by the covered entity and the
individual.
(ii) The covered entity may provide the individual with a summary of the
protected health information requested, in lieu of providing access to the
protected health information or may provide an explanation of the protected
health information to which access has been provided, if:
(A) The individual agrees in advance to such a summary or explanation; and
(B) The individual agrees in advance to the fees imposed, if any, by the covered
entity for such summary or explanation.
(3) Time and manner of access. The covered entity must provide the access as
requested by the individual in a timely manner as required by paragraph (b)(2) of
this section, including arranging with the individual for a convenient time and
place to inspect or obtain a copy of the protected health information, or mailing
the copy of the protected health information at the individual's request. The
covered entity may discuss the scope, format, and other aspects of the request for
access with the individual as necessary to facilitate the timely provision of access.
(4) Fees. If the individual requests a copy of the protected health information
or agrees to a summary or explanation of such information, the covered entity
may impose a reasonable, cost-based fee, provided that the fee includes only the
cost of:
(i) Copying, including the cost of supplies for and labor of copying, the protected
health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the summary or
explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health information, if
agreed to by the individual as required by paragraph (c)(2)(ii) of this section.
(d) Implementation specifications: denial of access. If the covered entity
denies access, in whole or in part, to protected health information, the covered
entity must comply with the following requirements.
(1) Making other information accessible. The covered entity must, to the
extent possible, give the individual access to any other protected health
information requested, after excluding the protected health information as to
which the covered entity has a ground to deny access.
(2) Denial. The covered entity must provide a timely, written denial to the
individual, in accordance with paragraph (b)(2) of this section. The denial must
be in plain language and contain:
(i) The basis for the denial;
(ii) If applicable, a statement of the individual's review rights under paragraph
(a)(4) of this section, including a description of how the individual may exercise
such review rights; and
(iii) A description of how the individual may complain to the covered entity
pursuant to the complaint procedures in § 164.530(d) or to the Secretary
pursuant to the procedures in § 160.306. The description must include the name,
or title, and telephone number of the contact person or office designated in
§ 164.530(a)(1)(ii).
(3) Other responsibility. If the covered entity does not maintain the protected
health information that is the subject of the individual's request for access, and
the covered entity knows where the requested information is maintained, the
covered entity must inform the individual where to direct the request for access.
(4) Review of denial requested. If the individual has requested a review of a
denial under paragraph (a)(4) of this section, the covered entity must designate a
licensed health care professional, who was not directly involved in the denial to
review the decision to deny access. The covered entity must promptly refer a
request for review to such designated reviewing official. The designated
reviewing official must determine, within a reasonable period of time, whether or
not to deny the access requested based on the standards in paragraph (a)(3) of
this section. The covered entity must promptly provide written notice to the
individual of the determination of the designated reviewing official and take other
action as required by this section to carry out the designated reviewing official's
determination.
(e) Implementation specification: documentation. A covered entity must
document the following and retain the documentation as required by
§ 164.530(j):
(1) The designated record sets that are subject to access by individuals; and
(2) The titles of the persons or offices responsible for receiving and
processing requests for access by individuals.
AMC Explanation of HIPAA Regulation
This section provides for the right of an individual to access, inspect, and obtain a copy of the
individual's protected health information in the designated record set. There are exceptions to
this requirement, time frames for compliance, and specific required processes that must be put
into place as described below.
Key Issues
How will this requirement increase workload?
What are the liability issues relative to release of protected health information to the
patient and how can they be mitigated?
What are the financial considerations to comply with this regulation and can those
obligations be passed on to the recipient of the protected health information?
What requirements will there be to track requests?
Will the covered entity be required to notify a requestor of the inclusion of a new record?
Category I Guidelines-Actions must be taken to address these
Develop and document policies and processes to receive and act upon an individual's
request to access, inspect, and receive a copy of his or her protected health information,
including the denial of such requests.
Respond to requests within the timeframe specified in the regulation.
Category II Guidelines-Actions should be taken to address these
Develop processes to release required protected health information to requestors.
Develop legally defensible grounds for denials.
Develop processes to review denial of requests.
Develop processes to allow for access and appeal of decisions made by the AMC.
Identify the authority to release protected health information and process denials and
appeals.
Consider including a temporary suspension of the patient's right of access to research
records in research consent forms.
Have the privacy official develop and maintain an inventory of the kinds of data the
institution keeps about individuals.
Roadblocks
The liability and cost associated with providing this information may be extensive. The issue
may be further complicated by the actual type of record that is maintained (e.g., residents'
records, medical students' records, actual attending physicians' records). As an example, AMCs
may have information generated by medical students that would be accessible under the rule and
that may not be appropriate for release to patients. Physicians may consider releasing the
complete record not to be in the patient's best interest and, in fact, to be
counterproductive. Official versus unofficial records need to be identified with consideration
given to residents' and medical students' notes and how those records are to be addressed. The
AMC will want to have working definitions of reasonableness and timeliness.
Comments
Carefully review the definition of "designated record set" covered in § 164.501. Shadow charts
would also be considered designated record sets under this regulation. Things formerly
considered informal records might now be considered part of the designated record set under this
regulation (student 3x5 cards, PDAs, etc.).

PRIV.46
Right to amend
§ 164.526(a)
HIPAA Requirement
Standard: right to amend.
(1) Right to amend. An individual has the right to have a covered entity
amend protected health information or a record about the individual in a
designated record set for as long as the protected health information is
maintained in the designated record set.
(2) Denial of amendment. A covered entity may deny an individual's request
for amendment, if it determines that the protected health information or record
that is the subject of the request:
(i) Was not created by the covered entity, unless the individual provides a
reasonable basis to believe that the originator of protected health information is
no longer available to act on the requested amendment;
(ii) Is not part of the designated record set;
(iii) Would not be available for inspection under § 164.524; or
(iv) Is accurate and complete.
(b) Implementation specifications: requests for amendment and timely action.
(1) Individual's request for amendment. The covered entity must permit an
individual to request that the covered entity amend the protected health
information maintained in the designated record set. The covered entity may
require individuals to make requests for amendment in writing and to provide a
reason to support a requested amendment, provided that it informs individuals in
advance of such requirements.
(2) Timely action by the covered entity.
(i) The covered entity must act on the individual's request for an amendment no
later than 60 days after receipt of such a request, as follows.
(A) If the covered entity grants the requested amendment, in whole or in part, it
must take the actions required by paragraphs (c)(1) and (2) of this section.
(B) If the covered entity denies the requested amendment, in whole or in part, it
must provide the individual with a written denial, in accordance with paragraph
(d)(1) of this section.
(ii) If the covered entity is unable to act on the amendment within the time
required by paragraph (b)(2)(i) of this section, the covered entity may extend the
time for such action by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this
section, provides the individual with a written statement of the reasons for the
delay and the date by which the covered entity will complete its action on the
request; and
(B) The covered entity may have only one such extension of time for action on a
request for an amendment.
(c) Implementation specifications: accepting the amendment. If the covered
entity accepts the requested amendment, in whole or in part, the covered entity
must comply with the following requirements.
(1) Making the amendment. The covered entity must make the appropriate
amendment to the protected health information or record that is the subject of the
request for amendment by, at a minimum, identifying the records in the
designated record set that are affected by the amendment and appending or
otherwise providing a link to the location of the amendment.
(2) Informing the individual. In accordance with paragraph (b) of this section,
the covered entity must timely inform the individual that the amendment is
accepted and obtain the individual's identification of and agreement to have the
covered entity notify the relevant persons with which the amendment needs to be
shared in accordance with paragraph (c)(3) of this section.
(3) Informing others. The covered entity must make reasonable efforts to
inform and provide the amendment within a reasonable time to:
(i) Persons identified by the individual as having received protected health
information about the individual and needing the amendment; and
(ii) Persons, including business associates, that the covered entity knows have the
protected health information that is the subject of the amendment and that may
have relied, or could foreseeably rely, on such information to the detriment of the
individual.
(d) Implementation specifications: denying the amendment. If the covered
entity denies the requested amendment, in whole or in part, the covered entity
must comply with the following requirements.
(1) Denial. The covered entity must provide the individual with a timely,
written denial, in accordance with paragraph (b)(2) of this section. The denial
must use plain language and contain:
(i) The basis for the denial, in accordance with paragraph (a)(2) of this section;
(ii) The individual's right to submit a written statement disagreeing with the
denial and how the individual may file such a statement;
(iii) A statement that, if the individual does not submit a statement of
disagreement, the individual may request that the covered entity provide the
individual's request for amendment and the denial with any future disclosures of
the protected health information that is the subject of the amendment; and
(iv) A description of how the individual may complain to the covered entity
pursuant to the complaint procedures established in § 164.530(d) or to the
Secretary pursuant to the procedures established in § 160.306. The description
must include the name, or title, and telephone number of the contact person or
office designated in § 164.530(a)(1)(ii).
(2) Statement of disagreement. The covered entity must permit the individual
to submit to the covered entity a written statement disagreeing with the denial of
all or part of a requested amendment and the basis of such disagreement. The
covered entity may reasonably limit the length of a statement of disagreement.
(3) Rebuttal statement. The covered entity may prepare a written rebuttal to
the individual's statement of disagreement. Whenever such a rebuttal is
prepared, the covered entity must provide a copy to the individual who submitted
the statement of disagreement.
(4) Recordkeeping. The covered entity must, as appropriate, identify the
record or protected health information in the designated record set that is the
subject of the disputed amendment and append or otherwise link the individual's
request for an amendment, the covered entity's denial of the request, the
individual's statement of disagreement, if any, and the covered entity's rebuttal, if
any, to the designated record set.
(5) Future disclosures.
(i) If a statement of disagreement has been submitted by the individual, the
covered entity must include the material appended in accordance with paragraph
(d)(4) of this section, or, at the election of the covered entity, an accurate
summary of any such information, with any subsequent disclosure of the protected
health information to which the disagreement relates.
(ii) If the individual has not submitted a written statement of disagreement, the
covered entity must include the individual's request for amendment and its denial,
or an accurate summary of such information, with any subsequent disclosure of
the protected health information only if the individual has requested such action
in accordance with paragraph (d)(1)(iii) of this section.
(iii) When a subsequent disclosure described in paragraph (d)(5)(i) or (ii) of this
section is made using a standard transaction under part 162 of this subchapter
that does not permit the additional material to be included with the disclosure, the
covered entity may separately transmit the material required by paragraph
(d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard
transaction.
(e) Implementation specification: actions on notices of amendment. A
covered entity that is informed by another covered entity of an amendment to an
individual's protected health information, in accordance with paragraph (c)(3) of
this section, must amend the protected health information in designated record
sets as provided by paragraph (c)(1) of this section.
(f) Implementation specification: documentation. A covered entity must
document the titles of the persons or offices responsible for receiving and
processing requests for amendments by individuals and retain the documentation
as required by § 164.530(j).
AMC Explanation of HIPAA Regulation
An individual has the right to request amendment of his or her protected health information.
Under specified conditions, the entity has the right to deny the request. If none of these
conditions apply, then the entity must make the amendment. Specific requirements for
addressing these requests, including timely action, accepting the amendment, and informing the
individual and others are detailed. In addition, requirements for denying an amendment are
outlined.
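The regulation describes an append-and-link record model: a granted amendment is appended to and linked from the affected record, a denial keeps the request, the denial, any statement of disagreement and any rebuttal linked to the disputed entry, and (d)(5) decides which of those must travel with a later disclosure. As an added illustration (not code from the AMC/HIPAA Workgroup or any record system), the following Python sketch implements that model on an append-only designated record set, including the 60-day deadline with its single 30-day extension. The Entry fields, the assumed 2000-character limit on a statement of disagreement, and the sample text in demo() are assumptions.

```python
"""Append-only designated record set implementing the § 164.526 amendment
workflow: accept, deny, statement of disagreement, rebuttal, and what must
travel with later disclosures. Added illustration only; not code from the
AMC/HIPAA Workgroup or any record system. Entry fields, the assumed length
limit on disagreements and the sample text in demo() are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DENIAL_BASES = {                      # the only grounds allowed by (a)(2)(i)-(iv)
    "not created by the covered entity",
    "not part of the designated record set",
    "not available for inspection under 164.524",
    "accurate and complete",
}


@dataclass(frozen=True)
class Entry:
    entry_id: str
    kind: str                        # phi | amendment | request | denial | disagreement | rebuttal
    text: str
    links_to: Optional[str] = None   # id of the PHI entry this item is appended to


def action_deadline(received: date, extended: bool = False) -> date:
    """(b)(2): act within 60 days; at most one 30-day extension, announced in writing."""
    return received + timedelta(days=60 + (30 if extended else 0))


class DesignatedRecordSet:
    def __init__(self, max_disagreement_len: int = 2000) -> None:
        self._entries: list[Entry] = []        # append-only: nothing is overwritten or removed
        self._elected: set[str] = set()        # (d)(1)(iii) elections, by PHI entry id
        self.max_disagreement_len = max_disagreement_len   # (d)(2) "reasonably limit" (assumed)

    def _append(self, kind: str, text: str, links_to: Optional[str] = None) -> Entry:
        entry = Entry(f"e{len(self._entries) + 1}", kind, text, links_to)
        self._entries.append(entry)
        return entry

    def _phi(self, phi_id: str) -> Entry:
        for e in self._entries:
            if e.entry_id == phi_id and e.kind == "phi":
                return e
        raise KeyError(phi_id)

    def _linked(self, phi_id: str, kind: str) -> list[Entry]:
        return [e for e in self._entries if e.links_to == phi_id and e.kind == kind]

    def add_phi(self, text: str) -> Entry:
        return self._append("phi", text)

    def accept_amendment(self, phi_id: str, amendment: str) -> Entry:
        """(c)(1): identify the affected record and append or link the amendment."""
        self._phi(phi_id)
        return self._append("amendment", amendment, links_to=phi_id)

    def deny_amendment(self, phi_id: str, request: str, basis: str) -> Entry:
        """(d)(1), (d)(4): request and plain-language denial are both kept and linked."""
        if basis not in DENIAL_BASES:
            raise ValueError(f"denial basis must be one of {sorted(DENIAL_BASES)}")
        self._phi(phi_id)
        self._append("request", request, links_to=phi_id)
        return self._append("denial", f"Denied: {basis}", links_to=phi_id)

    def file_disagreement(self, phi_id: str, statement: str) -> Entry:
        """(d)(2): the individual's written disagreement, length reasonably limited."""
        if not self._linked(phi_id, "denial"):
            raise ValueError("no denial on file to disagree with")
        if len(statement) > self.max_disagreement_len:
            raise ValueError("statement of disagreement exceeds the permitted length")
        return self._append("disagreement", statement, links_to=phi_id)

    def file_rebuttal(self, phi_id: str, rebuttal: str) -> Entry:
        """(d)(3): optional, but a copy must be provided to the individual."""
        if not self._linked(phi_id, "disagreement"):
            raise ValueError("a rebuttal only follows a statement of disagreement")
        return self._append("rebuttal", rebuttal, links_to=phi_id)

    def elect_include_request(self, phi_id: str) -> None:
        """(d)(1)(iii): no disagreement filed, but the individual asks that the
        request and denial accompany future disclosures."""
        self._elected.add(phi_id)

    def disclosure_package(self, phi_id: str) -> list[Entry]:
        """(d)(5): everything that must accompany a later disclosure of this PHI."""
        package = [self._phi(phi_id)] + self._linked(phi_id, "amendment")
        if self._linked(phi_id, "disagreement"):
            for kind in ("request", "denial", "disagreement", "rebuttal"):   # (d)(5)(i)
                package += self._linked(phi_id, kind)
        elif phi_id in self._elected:                                        # (d)(5)(ii)
            package += self._linked(phi_id, "request") + self._linked(phi_id, "denial")
        return package


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: one granted amendment, one disputed denial."""
    drs = DesignatedRecordSet()
    a = drs.add_phi("Allergy: penicillin (constructed sample)")
    b = drs.add_phi("Dx: type 2 diabetes (constructed sample)")
    drs.accept_amendment(a.entry_id, "Correction: allergy is to amoxicillin, not penicillin")
    drs.deny_amendment(b.entry_id, "Please delete the diabetes diagnosis", "accurate and complete")
    drs.file_disagreement(b.entry_id, "My HbA1c has been normal for three years")
    drs.file_rebuttal(b.entry_id, "Diagnosis confirmed by 2001 glucose tolerance test")
    return {pid: [e.kind for e in drs.disclosure_package(pid)] for pid in (a.entry_id, b.entry_id)}
```

The point to notice is that nothing is ever overwritten or removed: a granted amendment is a new linked entry, and a disputed original stays readable beside the individual's statement and the rebuttal, which is what (c)(1) and (d)(4) require. A request to remove a record can be handled the same way, as an amendment that marks the entry superseded rather than as a delete, so the audit trail survives.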
Key Issues
How will workload increase?
What guidelines need to be in place to manage an individual's expectations?
What will the amendment and correction process involve to track grievances, and to
correct and amend records?
Who has the right to amend a record?
What is the level of effort required to develop and publicize fair information policies?
How will covered entities manage the "whistleblower provision"?
Will a covered entity permit a person to see who has viewed his or her record (audit trail
reports)?
How will the amended record be distributed to all those who need to know about the
amendment?
Category I Guidelines-Actions must be taken to address these
Develop and document policies and processes to receive and act upon an individual's
request to amend their protected health information, including the denial of such requests.
Respond to requests within the timeframe specified in the regulation.
Category II Guidelines-Actions should be taken to address these
Consider the provision of resources to assist patients with record reviews.
Have the privacy official identify processes for retrieving protected health information
about individuals pursuant to their request to revise that information.
Have the privacy official define a process for evaluating, and accepting or rejecting,
requests for correction and implementing corrections.
Consider how to deal with the amendment process for paper and electronic records
(including requests for removal of a record).
Document the procedure well enough that it can be executed by workforce members who are
unfamiliar with it or who perform it infrequently.
Consider date-stamping requests.
Roadblocks
AMCs may have inadequate document control processes, making obtaining a record in a timely
manner difficult.
Comments
It might be worthwhile for a covered entity to look at the ISO document control processes as a
source of useful guidance for making and maintaining record control processes (ISO 9001:1994
Sections 4.5.1 and 4.5.2; ISO 9001:2000 Section 4.2.3; www.iso.ch).

PRIV.47
Right to an accounting of disclosures of protected health information
§ 164.528(a)
HIPAA Requirement
Standard: right to an accounting of disclosures of protected health information.
(1) An individual has a right to receive an accounting of disclosures of
protected health information made by a covered entity in the six years prior to the
date on which the accounting is requested, except for disclosures:
(i) To carry out treatment, payment and health care operations as provided in
§ 164.502;
(ii) To individuals of protected health information about them as provided in
§ 164.502;
(iii) For the facility's directory or to persons involved in the individual's care or
other notification purposes as provided in § 164.510;
(iv) For national security or intelligence purposes as provided in
§ 164.512(k)(2);
(v) To correctional institutions or law enforcement officials as provided in
§ 164.512(k)(5); or
(vi) That occurred prior to the compliance date for the covered entity.
(2)(i) The covered entity must temporarily suspend an individual's right to receive
an accounting of disclosures to a health oversight agency or law enforcement
official, as provided in § 164.512(d) or (f), respectively, for the time specified by
such agency or official, if such agency or official provides the covered entity with
a written statement that such an accounting to the individual would be reasonably
likely to impede the agency's activities and specifying the time for which such a
suspension is required.
(ii) If the agency or official statement in paragraph (a)(2)(i) of this section is
made orally, the covered entity must:
(A) Document the statement, including the identity of the agency or official
making the statement;
(B) Temporarily suspend the individual's right to an accounting of disclosures
subject to the statement; and
(C) Limit the temporary suspension to no longer than 30 days from the date of the
oral statement, unless a written statement pursuant to paragraph (a)(2)(i) of this
section is submitted during that time.
(3) An individual may request an accounting of disclosures for a period of
time less than six years from the date of the request.
(b) Implementation specifications: content of the accounting. The covered
entity must provide the individual with a written accounting that meets the
following requirements.
(1) Except as otherwise provided by paragraph (a) of this section, the
accounting must include disclosures of protected health information that occurred
during the six years (or such shorter time period at the request of the individual
as provided in paragraph (a)(3) of this section) prior to the date of the request for
an accounting, including disclosures to or by business associates of the covered
entity.
(2) The accounting must include for each disclosure:
(i) The date of the disclosure;
(ii) The name of the entity or person who received the protected health
information and, if known, the address of such entity or person;
(iii) A brief description of the protected health information disclosed; and
(iv) A brief statement of the purpose of the disclosure that reasonably informs the
individual of the basis for the disclosure; or, in lieu of such statement:
(A) A copy of the individual's written authorization pursuant to § 164.508; or
(B) A copy of a written request for a disclosure under §§ 164.502(a)(2)(ii) or
164.512, if any.
(3) If, during the period covered by the accounting, the covered entity has
made multiple disclosures of protected health information to the same person or
entity for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, or pursuant to a
single authorization under § 164.508, the accounting may, with respect to such
multiple disclosures, provide:
(i) The information required by paragraph (b)(2) of this section for the first
disclosure during the accounting period;
(ii) The frequency, periodicity, or number of the disclosures made during the
accounting period; and
(iii) The date of the last such disclosure during the accounting period.
(c) Implementation specifications: provision of the accounting.
(1) The covered entity must act on the individual's request for an accounting,
no later than 60 days after receipt of such a request, as follows.
(i) The covered entity must provide the individual with the accounting requested;
or
(ii) If the covered entity is unable to provide the accounting within the time
required by paragraph (c)(1) of this section, the covered entity may extend the
time to provide the accounting by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (c)(1) of this
section, provides the individual with a written statement of the reasons for the
delay and the date by which the covered entity will provide the accounting; and
(B) The covered entity may have only one such extension of time for action on a
request for an accounting.
(2) The covered entity must provide the first accounting to an individual in
any 12 month period without charge. The covered entity may impose a
reasonable, cost-based fee for each subsequent request for an accounting by the
same individual within the 12 month period, provided that the covered entity
informs the individual in advance of the fee and provides the individual with an
opportunity to withdraw or modify the request for a subsequent accounting in
order to avoid or reduce the fee.
(d) Implementation specification: documentation. A covered entity must
document the following and retain the documentation as required by
§ 164.530(j):
(1) The information required to be included in an accounting under
paragraph (b) of this section for disclosures of protected health information that
are subject to an accounting under paragraph (a) of this section;
(2) The written accounting that is provided to the individual under this
section; and
(3) The titles of the persons or offices responsible for receiving and
processing requests for an accounting by individuals.
processing requests for an accounting by individuals.
AMC Explanation of HIPAA Regulation
The regulation establishes a right for an individual to request and receive an accounting of
disclosures of his or her protected health information made within the last six years or since
the covered entity's compliance date, whichever period is shorter. Exceptions are allowed for
disclosures made to carry out treatment, payment, and health care operations; to the
individual; for the facility directory or to persons involved in the individual's care; for
national security or intelligence purposes; and to correctional institutions or law enforcement
officials under § 164.512(k)(5). The regulation requires that reporting of disclosures to a
health oversight agency or law enforcement official be temporarily suspended if that agency or
official states that an accounting would impede its activities (an oral statement holds for at
most 30 days unless confirmed in writing). The first accounting in any 12-month period must be
provided without charge; the covered entity may impose a reasonable, cost-based fee for later
requests in that period, provided the individual is told of the fee in advance.
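Taken together, these rules amount to a query over a disclosure log. As an added illustration (not the Workgroup's code or any vendor's product), the following Python builds an accounting from a constructed log: it applies the six-year or shorter window with the compliance-date floor, drops the excepted categories of (a)(1), omits disclosures to an agency whose suspension under (a)(2) is still active, collapses repeated disclosures to one recipient for one purpose into a first date, count and last date as (b)(3) permits, and reports whether a fee may be charged under (c)(2). The log schema, the category tags used to apply the exceptions, and the sample entries in demo() are assumptions.

```python
"""Accounting-of-disclosures report per § 164.528. Added illustration only;
not code from the AMC/HIPAA Workgroup or any EHR vendor. The disclosure-log
schema, the category tags used to apply the (a)(1) exceptions, and the sample
entries in demo() are assumptions chosen to exercise each rule."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Categories that never appear in an accounting, § 164.528(a)(1)(i)-(v).
EXEMPT = {"treatment", "payment", "operations", "to_individual",
          "facility_directory", "national_security", "correctional"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    recipient: str
    address: Optional[str]     # "if known", (b)(2)(ii)
    description: str           # brief description of the PHI, (b)(2)(iii)
    purpose: str               # brief statement of purpose, (b)(2)(iv)
    category: str              # assumed tag used to apply the (a)(1) exceptions


@dataclass(frozen=True)
class Suspension:
    """(a)(2): oversight agency or law-enforcement request to withhold its disclosures."""
    agency: str
    stated_on: date
    written: bool
    until: Optional[date] = None   # the period a written statement must specify

    def active_on(self, day: date) -> bool:
        if self.written:
            return self.until is not None and day <= self.until
        # (a)(2)(ii)(C): an oral statement holds at most 30 days unless put in writing
        return day <= self.stated_on + timedelta(days=30)


def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:                  # 29 Feb with no counterpart in the target year
        return d.replace(year=d.year - years, day=28)


def accounting_window(requested_on: date, compliance_date: date, years: int = 6):
    """(a)(1), (a)(3), (a)(1)(vi): up to six years back, never before the compliance date."""
    if not 1 <= years <= 6:
        raise ValueError("an accounting covers at most six years")
    return max(_years_before(requested_on, years), compliance_date), requested_on


def build_accounting(log, patient_id, requested_on, compliance_date,
                     suspensions=(), years=6):
    start, end = accounting_window(requested_on, compliance_date, years)
    withheld = {s.agency for s in suspensions if s.active_on(requested_on)}
    rows = [d for d in log
            if d.patient_id == patient_id and start <= d.when <= end
            and d.category not in EXEMPT and d.recipient not in withheld]
    # (b)(3): repeated disclosures to one recipient for one purpose collapse
    # to the first entry plus a count and the date of the last one.
    groups: dict = {}
    for d in sorted(rows, key=lambda d: d.when):
        groups.setdefault((d.recipient, d.purpose), []).append(d)
    report = []
    for (recipient, purpose), ds in groups.items():
        first = ds[0]
        entry = {"date": first.when, "recipient": recipient, "address": first.address,
                 "description": first.description, "purpose": purpose}
        if len(ds) > 1:
            entry["count"] = len(ds)
            entry["last_date"] = ds[-1].when
        report.append(entry)
    return report


def fee_applies(requested_on: date, prior_requests) -> bool:
    """(c)(2): the first accounting in any 12-month period is free."""
    return any(_years_before(requested_on, 1) < p <= requested_on for p in prior_requests)


def demo():
    """Constructed sample log; dates are placed around an assumed compliance date."""
    compliance = date(2003, 4, 14)
    asked = date(2004, 1, 10)
    log = [
        Disclosure("P1", date(2003, 3, 1), "Workers Comp Board", None, "claim file", "workers comp", "workers_comp"),
        Disclosure("P1", date(2003, 5, 1), "Dr. Smith", None, "full chart", "treatment", "treatment"),
        Disclosure("P1", date(2003, 6, 15), "State Health Dept", "1 Capitol St", "lab result", "public health", "public_health"),
        Disclosure("P1", date(2003, 8, 20), "County Sheriff", None, "visit dates", "law enforcement", "law_enforcement"),
        Disclosure("P1", date(2003, 9, 15), "State Health Dept", "1 Capitol St", "lab result", "public health", "public_health"),
        Disclosure("P1", date(2003, 10, 2), "P1", None, "copy of chart", "patient request", "to_individual"),
        Disclosure("P1", date(2003, 11, 11), "University IRB", None, "study data", "research", "research"),
        Disclosure("P1", date(2003, 12, 15), "State Health Dept", "1 Capitol St", "lab result", "public health", "public_health"),
        Disclosure("P2", date(2003, 7, 7), "State Health Dept", None, "lab result", "public health", "public_health"),
    ]
    susp = [Suspension("County Sheriff", date(2003, 9, 1), written=True, until=date(2004, 3, 1))]
    return build_accounting(log, "P1", asked, compliance, susp)
```

Two design points follow from the text. A suspension is applied silently: the accounting simply omits the agency's disclosures while the suspension is active, since telling the patient would defeat its purpose. And the log has to capture recipient, address, description and purpose at the moment of disclosure, because none of those can be reconstructed six years later from system access logs alone; this is the gap the Roadblocks paragraph for decentralized paper and electronic records is pointing at.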
Key Issues
How do entities match disclosures against individuals requesting reports? Are current
electronic auditing tools satisfactory for computerized records?
How do entities validate requests to suspend reporting?
How do entities track suspension requests and ensure suspension of requested reports?
What does it mean to provide an accounting of disclosures? What information needs to
be included in this? Who will be tasked with doing so?
How does one explain a complicated audit trail produced by an information system to a
patient? Who will do this?
Will an organization permit a person to see who viewed his or her record (i.e. provide
audit trail reports)?
Category I Guidelines-Actions must be taken to address these
Establish policies and procedures to ensure that disclosure records are retained.
Maintain a record of all individuals requesting reports of disclosure and the disposition of
those requests.
On a case-by-case basis, determine whether disclosures must, may, or must not be
reported.
Establish a process to ensure that all covered disclosures are reported in a timely period.
If an extension of the time limit is needed, ensure that the individual is notified of the
delay as required by the regulation, and that the extension does not exceed permissible
limits.
Category II Guidelines-Actions should be taken to address these
Provide an access-auditing system able to report every access to a patient's record.
Publish the covered entity's fair information policy.
Establish incident procedures that include reporting and response procedures.
Maintain a list of those who access a record.
Respond to requests within the timeframe specified in the regulation.
Determine if the covered entity will charge for these reports and, if so, establish a basis
for all such charges.
Roadblocks
The paper vs. electronic environment presents many issues, particularly to AMCs where both
paper and electronic records are often managed in a decentralized way with no common
repository that contains all logs of all releases. This will present a problem when patients request
a disclosure history and expect it to be produced in a timely manner.
Comments
None.