Proper Methods of Informing Patients of HIPAA Compliance
This article will cover the responsibility of the covered entity to provide patients with notice of its privacy practices under the HIPAA guidelines. We will discuss the specific components to be included, as well as the means of dissemination.
1. Required Components of the Privacy Notice
We have covered the internal changes and documentation required to comply with HIPAA in great detail. Once all internal mechanisms are in place, patients must be informed of the policy changes and how they will be carried out by the covered entity on their behalf. This document is separate from the HIPAA authorization form that the patient will sign at the time of service, and serves as a notice of the company's overall policy on patient privacy.
The notice must be written in language that is easy for the patient to comprehend, and must contain the following elements:
- The covered entity must state in the patient notification that it is obligated by law to protect the privacy of the patient and limit disclosures of protected health information. It must also state that the covered entity is required to provide notice of its privacy practices, and affirm its legal obligation to protect the patient's privacy as outlined therein.
- The notification should detail the manner in which the patient's protected health information will be used or transmitted by the covered entity.
- The notice must describe the patient's rights, including access to their records, amendments, and the right to file a complaint with the U.S. Department of Health and Human Services in the case of a privacy breach.
- The notice must list the name and contact information of the individual responsible for fielding and resolving privacy complaints received by the covered entity.
Notice of Privacy Practices Distribution
It is the responsibility of the covered entity to ensure that the privacy practices notice has been disseminated to all patients. The covered entity is also required to provide a copy of its privacy practices to any party upon request. Health care professionals with a "direct treatment relationship" to the patient, such as a doctor or psychologist, were required to have disseminated their privacy practice notification to patients by April 14, 2003. To ensure that reasonable efforts are taken to broadcast the notice, the following guidelines should be met:
- Patients who are seen in person should be given a copy of the notice at the first service encounter.
- An automatic Web- or email-based copy of the notice should be furnished to those receiving electronic services from a covered entity.
- For services delivered by phone, a copy of the notice should be mailed to the patient immediately after the
- A copy of the privacy notice must be housed on any informational websites or online treatment portals operated by the covered entity.
- The notice should be posted in each facility and area in which patients are serviced, allowing ample opportunity to read and understand the policy.
- In the case of an emergency, it is not practical to have the patient read the privacy notice before treatment. In this case, the patient should be provided with a copy of the privacy notice as soon as is realistic after treatment.
Joint Notice of Privacy Practices
Some health care providers operate within a medical group or other organized health care facility in which there are multiple practitioners. In this instance, the group can develop and distribute a joint privacy practice notice and be in compliance with the notification rules. Under a joint notice, each practitioner is obligated to adhere to the policies outlined within, and to take responsibility for the protection of protected health information, as outlined in the joint privacy practices notification.
Health Plan Privacy Practices Notification
Health plans are also responsible for disseminating a privacy practices notice to members, detailing how they intend to use and safeguard their protected health information. Each plan has a specific compliance date, and all members must be notified of the policy by that time. When providing notice of its privacy practices, a health plan must ensure that:
- All new plan participants receive a copy of the privacy practices notice upon enrolling in the health plan
- A reminder is sent to current
upon request for review
- The notice is addressed to the insured individual by name, which constitutes notice to any dependents listed with the health plan, such as a spouse or children.
Acknowledgment of Receipt From the Patient
In order to ensure receipt and review of the privacy practices notification, the covered entity should undertake efforts to secure written acknowledgment from the patient that they have read and understood the notice. This also serves as documentation of notification in the case of a patient complaint or audit by the U.S. Department of Health and Human Services. The acknowledgment form is developed by the covered entity and contains language affirming the patient's review and understanding of the information listed in the notice. If, for some reason, the covered entity is unable to secure acknowledgment from the patient, it must thoroughly document the steps taken to notify the patient and the reason for the failure to obtain written acknowledgment of receipt of the privacy notice. A written acknowledgment is not required from patients who are being treated on an emergency basis, as the circumstances usually do not allow it.
Do you think the efforts outlined to disseminate the privacy notices are sufficient?
endows to them?
Almost as weighty was the responsibility to ensure that all Americans receiving medical care were aware of the change in policy. However, by enforcing patient education as part of the law, it is more likely that health care providers will uphold its
Patient Rights and Access to PHI
In this article, we will review patient rights, including the right to access and amend PHI found in their patient records, as well as the right to restrict disclosures and request an accounting of any disclosures made.
Section 1. Patient's Right to Access PHI
Under the privacy rule, the patient has the right to freely access their protected health information that is housed in the covered entity's designated record set. The "designated record set" is composed of the records maintained by the covered entity for decision-making, diagnosis, treatment, or billing purposes. In the case of a health plan, this would include enrollment information, claim payment data, and case management information.
At any time, a patient may request and review the information a covered entity holds on file, whether to verify its accuracy or to update their own records. Patients should not be restricted from requesting or obtaining their health records, and the covered entity should provide a clear process and instructions on how to do so.
There are a few cases in which the release of PHI to the patient is restricted, as detailed below:
- Psychotherapy notes
- Health information compiled for use in court proceedings
- Laboratory results whose release is prohibited under the Clinical Laboratory Improvement Act (CLIA)
- Data compiled by some research studies
- Situations in which the health care provider believes the patient may use the information to harm themselves or another person. However, the patient may have that decision reviewed by another licensed medical professional for a second opinion.
Patients should make requests for access to PHI in writing, or complete a form provided by the facility. The covered entity may charge a reasonable fee to cover the administrative costs of sending the records, such as copies and postage.
Section 2. Amendments to PHI
There are instances where a patient's medical record may be incomplete or contain incorrect information. If the patient wants to dispute information in their record, or petition for an inclusion, the privacy rule provides for this.
The covered entity must outline a process by which the patient can request an amendment to their personal health information, such as submitting the request in writing or completing a specific form. It is also customary to request documentation supporting the request for amendment of the record.
The covered entity must review the request for amendment and supporting documentation in a timely manner and notify the patient of the determination. Notice must be sent to the patient within 60 days, advising them of the outcome of the amendment request, which will usually be one of the following:
- Approval of the amendment request, in which case the covered entity is required to update the record. The covered entity should also disseminate the updated information to any health care providers or individuals involved in the care or oversight of the patient whose care may be affected by the updated information. The patient should supply the contact information for any such persons.
The covered entity should also identify any business associates to which it has supplied the data now being amended, and have their records updated as well, especially if they rely on this information to carry out their job functions.
- Denial of the amendment request must be delivered to the patient in writing, outlining the reasons for denial. The patient must also be informed that they can submit a written statement disagreeing with the denial and the reasons why.
Also, if denied, the patient may ask that the covered entity send a copy of the amendment request and subsequent denial with any future disclosures, so that the new health care professional knows that they disagree with the contents of their patient record. The patient is also allowed to submit a letter of disagreement with the determination, which becomes part of their patient record. The covered entity may or may not draft a rebuttal to the letter of disagreement.
- Delay of the determination due to internal processes, requests for additional information, etc. If the determination will extend past the 60-day time frame, the covered entity is allowed a one-time 30-day extension. However, the patient must be notified of this in writing within the original 60-day time frame. The covered entity must outline the reasons for the delay and the time frame in which a determination is expected.
A covered entity is within its rights to deny an amendment request in the following circumstances:
- The medical record was not created by the covered entity. However, if the patient can prove that the originator of the record is unavailable or unable to amend the record, the petitioned covered entity may elect to amend it.
- The information that the amendment refers to does not exist in the patient's file.
- The record in question is accurate and complete as it is.
In the case of denial, the covered entity must still include in the patient record the original request for amendment, their denial and the statement of disagreement, if one is submitted by the patient.
Right to Request an Accounting of Disclosures
A great deal of personal information is held by various entities, such as health care providers, employers, and government agencies. A conscientious consumer or patient will want to periodically check to whom their personal records have been sent and for what reason.
The privacy rule allows patients to request an accounting of the parties to whom a covered entity has disclosed their personal health information. Patients were able to request records for up to six years, but the law has changed to require that only three years of data be provided. However, the covered entity can restrict the accounting to disclosures made on or after the date the privacy rule was implemented. A covered entity is not required to include disclosures associated with treatment, payment, and health care operations (TPO). Most other disclosures must be accounted for, with the exception of:
- Disclosures to the individual, of his or her own protected health information
- Disclosures made based on an authorization signed by the patient
- Disclosures for the facility's internal directory, or other notification purposes
- Disclosures made for the creation of a limited data set
- Disclosures that are incidental to one for which there is an authorization on file
- Disclosures made for the purposes of law enforcement, national security, and health oversight may be temporarily exempted from accounting. A date range of the exemption must be furnished to the covered entity by the applicable agency.
- Disclosures that were made prior to the HIPAA compliance date (14 April 2003 for large entities, one year later for small ones).
Proposed updates to the privacy rule will allow the patient to also receive an accounting of access to their PHI. This means that each instance of access to the patient record by the covered entity, their business associates, or other parties, must be logged and can be requested by the patient. If implemented, this update will be rolled out in 2013.
Requests to Restrict Disclosures
A patient may elect to restrict disclosures of their personal health information to the bare minimum required to diagnose, treat, and receive payment. A patient may petition a covered entity to restrict use and disclosure of PHI to TPO situations, or to restrict notifying immediate family in the case of changes in treatment, major illness, or death. The covered entity is not obligated to agree to the restrictions, but if it does, it is required to uphold them, with the exception of required emergency treatment.
Food for Thought
Have you ever needed to access your patient records?
Did you find the process seamless or cumbersome?
Do you think that the accounting of disclosures rule will limit the amount of information a covered entity shares with others?
The privacy rule was drafted with the understanding that patients have a right to access their own health information and should be able to do so freely. Because patient records may not be completely accurate, the policy also allows patients to amend records they find to be in error. This empowers the patient and builds confidence in the accuracy and validity of their health data.