PATIENT PRIVACY RIGHTS UNDER HIPAA

1 PATIENT PRIVACY RIGHTS UNDER HIPAA
Educational Presentation by the HIPAA Collaborative of Wisconsin – HIPAA COW Original Version: April 2003; Updated September 2017

2 DISCLAIMER HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to this Presentation (“Document”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Document. You may use this Document for your own non-commercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Document is provided to the recipient free of charge. If information is excerpted from this Document and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Document may not be sold for profit or used in commercial documents or applications. This Document is provided “as is” without any express or implied warranty. This Document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Document. Therefore, this Document may need to be modified in order to comply with Wisconsin/State law.

3 HIPAA PRIVACY RULE In 2003, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule established patient privacy rights with regard to protected health information (PHI). Protected Health Information (PHI): The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

4 PHI – FURTHER DEFINED
“Individually identifiable health information” is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

5 COVERED ENTITY HIPAA covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities. HIPAA-covered entities include health plans, clearinghouses, and certain health care providers (hospitals, clinics, physicians, pharmacies, nursing homes, etc.).

6 PATIENT PRIVACY RIGHTS
- Right to Receive Notice of Privacy Practices
- Right to Request Restrictions on Use and Disclosure of Protected Health Information
- Right to Receive Confidential Communications
- Right to Access, Inspect and Copy Protected Health Information
- Right to Amend Protected Health Information
- Right to Receive an Accounting of Disclosures of Protected Health Information

7 RIGHT TO RECEIVE NOTICE OF PRIVACY PRACTICES
Each covered entity (CE) must provide a notice of its privacy practices. The notice must describe the ways in which the CE may use and disclose PHI. The notice must state the CE’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the CE if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the CE. Covered entities must act in accordance with their notices.

8 RIGHT TO REQUEST RESTRICTIONS
Individuals have the right to request that a CE restrict use or disclosure of PHI for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual’s general condition, location, or death.

9 RIGHT TO REQUEST RESTRICTIONS - CONTINUED
A CE is under no obligation to agree to requests for restrictions. A CE that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.

10 RESTRICTION: SELF-PAY OPTION
An update to the HIPAA Privacy Rule, effective in 2013, clarified the right of a patient to prevent a provider from reporting information to a health insurer if the patient pays in full. This provision presents an information management challenge for healthcare providers.

11 RESTRICTION: SELF-PAY OPTION CONTINUED
A patient has the firm right to demand that a health care provider not disclose the patient’s PHI to the patient’s health plan if these conditions are met:
- The patient makes a Request to Restrict disclosure;
- The disclosure is to a health plan for payment or health care operations;
- The disclosure is not required by law; and
- The PHI pertains solely to health care for which the patient (or someone on behalf of the patient) has paid in full out of pocket.

12 RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS
CEs must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the CE send communications in a closed envelope rather than a post card. CEs must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the PHI could endanger the individual.

13 CONFIDENTIAL COMMUNICATIONS - CONTINUED
The CE may require this request in writing. The CE may evaluate this request based on:
- Information on how payment will be handled
- Specification of an alternate address
- Added costs and logistics required to accommodate the request
The CE cannot require a reason for the request.

14 RIGHT TO ACCESS, INSPECT, AND COPY PHI
Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a CE’s designated record set. The “designated record set” is that group of records maintained by or for a CE that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical record systems.

15 RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
The Rule excludes from the right of access the following protected health information:
- Psychotherapy notes
- Information compiled for civil, criminal, or legal proceedings
- Laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access, or information held by certain research laboratories

16 RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
For information included within the right of access, CEs may deny an individual access in certain specified situations, such as when a health care professional believes access could cause harm to the individual or another. In such situations, the individual must be given the right to have such denials reviewed by a licensed health care professional for a second opinion.

17 RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A Covered Entity may deny access without the opportunity for review when:
- Access is protected by the Federal Privacy Act
- PHI was obtained under a promise of confidentiality and access would reveal the source of the PHI

18 RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A CE may deny access and give an individual the right to appeal when:
- A licensed healthcare professional believes the request may likely endanger the life or physical safety of the individual or another person.
- The PHI references another person and a licensed professional believes that access would cause substantial harm to that other person.
- Access is requested by an individual’s representative and a licensed professional believes access would cause substantial harm to the individual or another person.

19 RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
A requesting individual may appeal a denial of his/her right to access PHI and:
- The appointed reviewer cannot have participated in the decision to deny access.
- The CE must act on the request within 30 days. Added response time of an additional 30 or 60 days is allowed in special circumstances.

20 RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
When agreeing to provide access the CE:
- Must provide inspection or copies as requested
- Must provide PHI in the format requested
- Must provide PHI in a timely manner
- May collect cost-based fees for copying, postage, preparation, etc. (provided the CE had informed the individual of such fees)

21 RIGHT TO ACCESS, INSPECT, AND COPY PHI - CONTINUED
If the CE denies access, it must:
- Provide access to other PHI where access was not denied.
- Provide a timely denial in plain language including basis for the denial, listing review rights and complaint procedures.
- Identify the keeper of the PHI requested – if not this CE.
- If requested, designate a licensed professional to review the decision to deny, and inform the individual of that review decision in a timely way.

22 RIGHT TO REQUEST AMENDMENT
Individuals have the right to request that CEs amend their PHI in a designated record set when that information is inaccurate or incomplete. If a CE accepts an amendment request, it must make reasonable efforts to provide the amendment to persons that the individual has identified as needing it, and to persons that the CE knows might rely on the information to the individual’s detriment.

23 RIGHT TO REQUEST AMENDMENT - CONTINUED
If the amendment request is denied, the CE must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. The Privacy Rule specifies processes for requesting and responding to a request for amendment. A CE must amend protected health information in its designated record set upon receipt of notice to amend from another CE.

24 RIGHT TO REQUEST AMENDMENT - CONTINUED
A CE may deny the request if the PHI:
- Was not created by the CE.
- Is not part of the individual’s designated record set.
- Would not be available for inspection (e.g., psychotherapy notes).
- Is determined accurate and complete.

25 RIGHT TO REQUEST AMENDMENT - CONTINUED
In reviewing amendment requests the CE:
- May require requests in writing
- May require a reason to support the request
- Must act on the request within 60 days (with 30 day extension in certain circumstances)

26 RIGHT TO REQUEST AMENDMENT - CONTINUED
If accepting the amendment, the CE must:
- Identify records amended and provide a link to the amendment location.
- Inform the individual of the amendment.
- Inform other affected persons as designated by the individual or business associates who may rely on the information.

27 RIGHT TO REQUEST AMENDMENT - CONTINUED
If denying the amendment the CE must:
- Provide a timely denial in plain language
- Include the basis for the denial
- Allow for a statement of disagreement from the individual
- Allow for a statement reflecting the request with subsequent disclosures of the PHI
- Identify the complaint process

28 RIGHT TO REQUEST AMENDMENT - CONTINUED
The individual may submit a statement of disagreement with the denial. The CE may issue a rebuttal of the statement of disagreement and give the individual a copy. The CE must record in the record and create links to any requests, denials, disagreements and rebuttals.

29 RIGHT TO REQUEST AMENDMENT - CONTINUED
Future disclosures of PHI that have been the subject of a denied request for amendment must include documents related to the request. Accepted amendments must be shared among CEs so all appropriate records are amended. A CE must document persons responsible for processing amendment requests and must retain documents for at least 6 years.

30 RIGHT TO REQUEST AN ACCOUNTING OF DISCLOSURES
Individuals have a right to an accounting of the disclosures of their PHI by a CE or the CE’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request.

31 RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The Privacy Rule does not require accounting for disclosures:
(a) for treatment, payment, or health care operations;
(b) to the individual or the individual’s personal representative;
(c) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories;
(d) pursuant to an authorization;
(e) of a limited data set;
(f) for national security or intelligence purposes;
(g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or
(h) incident to otherwise permitted or required uses or disclosures.
Accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended on their written representation that an accounting would likely impede their activities.

32 RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The Privacy Rule does not require accounting for disclosures:
- For use in the facility directory
- For national security or intelligence purposes
- To correctional facilities or law enforcement on behalf of inmates
- As part of a limited data set

33 DISCLOSURES REQUIRING ACCOUNTING INCLUDE:
- About decedents
- Organ/eye/tissue donations
- Research purposes
- To avert threat to health and safety
- For specialized government functions
- Workers’ compensation
- Required by law
- For public health activities
- Victims of abuse, neglect, violence
- Health oversight activities
- Judicial/Admin proceedings
- Law enforcement purposes
See SS

34 RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
A CE must suspend accounting of disclosures to an agency or law enforcement if the accounting is likely to impede the agency’s activity. An individual may request an accounting for disclosures as far back as six years before the time of the request - but to start no earlier than April 14, 2003.

35 RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
The accounting must include:
- Date of disclosure
- Name and address (if known) of recipient
- Brief description of PHI disclosed
- Brief reason for disclosure or copy of request
Multiple disclosures to the same requestor may be batched – as appropriate.

36 RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
When related to research with 50 or more people, the accounting should provide:
- Name of research protocol
- Purpose of research and how records selected
- Description of PHI that was disclosed
- Dates disclosures occurred
- Contact information for research sponsor
- Statement about possible disclosure of PHI
- Assistance in contacting the research sponsor

37 RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
A CE should routinely respond to a request for accounting within 60 days (30 day extension allowed in certain situations). The first in a 12 month period is free. Subsequent requests may have a cost based fee (if previously stated). The requestor may modify the request based on the fee.

38 RIGHT TO REQUEST AN ACCOUNTING - CONTINUED
A Covered Entity must document and keep for six (6) years:
- Information required in the accounting
- The written accounting that is provided
- Titles of persons or offices responsible for processing accounting requests

39 RESOURCES Summary of the HIPAA Privacy Rule @ HHS.gov
HIPAA Collaborative of Wisconsin (HIPAA COW) – Multiple Policies, Presentations, and Other Deliverables

40 VERSION HISTORY
2003 Version: Primary Author: Richard Reynolds, FHIMSS. Review Group: Karen Bauer, Joan Benson, MBA, Anthony Cooper, FHFMA, CFE, William Jensen, MBA, Tammy Kritz, MBA, Jennifer Laughlin, RHIA, Christine Lidbury, Beth Zallar, MS, RHIA
2017 Update: Nancy Davis, MS, RHIA, CHPS; Chrisann Lemery, MS, RHIA, CHPS

