
Proposed Privacy Rule Changes

Finalization of Privacy Rule modifications is still pending

The Department of Health and Human Services (HHS) published proposed changes to HIPAA’s Privacy Rule on January 21, 2021. The proposal was under a public comment period until May 2021 and HHS expects to publish final changes in March or April 2023.

Effective Date – Once published, the final rule will become effective 60 days from its date of publication in the Federal Register.

Compliance Date – The important date for covered entities and other parties affected by the rule will be the Compliance Date which will be 180 days from the Effective Date.  This will allow covered entities ample time to make changes in policies, forms, and procedures.

Proposed Changes – There are multiple possible changes affecting an individual’s (patient’s) right of access, permitted disclosures for the purpose of care coordination and case management activities, and more.  Here is a brief listing of proposed changes that, if finalized, will have the greatest impact for providers and their practices:

  • New Terms will be introduced for Electronic Health Records and Personal Health Applications.
  • Timeliness for access to records will be amended from the current 30-day period to 15 calendar days for responding to access requests for inspection and/or copies of PHI. An additional 15 calendar days will be permitted to fulfill the request if certain conditions are met.
  • Strengthened right of inspection – Individuals will be permitted to take notes, take photographs, and use other personal resources to capture information when inspecting their designated record set.
  • Right of access fees – Reasonable, cost-based fees that may be imposed for copies of PHI (or for a summary of PHI if agreed to by the individual) will be clarified.
  • Notice of access and authorization fees – A covered entity will be required to post a fee schedule on its website, if it has one, and make the fee schedule available at the point of service and upon request that specifies the types of access to PHI that are available free of charge and standard copy fees, including for any readily producible electronic and non-electronic forms and formats. Upon request, the covered entity must provide an individualized estimate of the approximate fee for any type of request covered by the fee schedule and provide an individual with an itemized list of the specific charges for labor, supplies, and postage that constitute the total fee charged, if requested.
  • Requests to direct PHI to a third party will enable an individual to make a request to disclose their PHI to a third party in oral as well as written form (current requirement is written form) and to direct transmission of their PHI in an electronic format to a third party (if records are maintained electronically by the covered entity).
  • Care coordination and case management activities are added to the exceptions to the Minimum Necessary Standard regarding disclosures to or requests by healthcare providers or health plans with respect to an individual.
  • Business Associate Agreements must specify if the Business Associate is expected to disclose PHI to an individual or the individual’s designee upon request, rather than to the Covered Entity, as necessary to satisfy the covered entity’s obligations (to comply with patient access rights).
  • Modified Language for Notice of Privacy Practices – Several new, specific statements will need to be prominently displayed in the notice. In addition, the email address of the person who is designated to provide further information and answer questions about the notice will need to be included.
  • Obtaining acknowledgement of receipt of the Notice of Privacy Practices will no longer be required.
  • Providers of Telecommunications Relay Services (as defined in 47 U.S.C. 255(a)(3)) will be specifically excluded from the definition of Business Associates and covered entities will be permitted to disclose PHI to a TRS Communications Assistant as necessary to conduct covered functions.
  • Presumption of compliance – There are several permissions for disclosure within the Privacy Rule that will be based on a covered entity’s good faith belief that providing access is in the best interests of the individual (e.g., to prevent a serious and reasonably foreseeable harm, or lessen a serious or reasonably foreseeable threat, to the health or safety of a person or the public). The covered entity will be presumed to have complied with the good faith requirement absent evidence that the covered entity acted in bad faith.
  • Uses to carry out treatment, payment or healthcare operations – Covered entities will be permitted to disclose an individual’s PHI to a social services agency, community-based organization, home and community-based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities.
  • Reducing identity verification burden – Verification of patient access requests will be permitted to be done orally or in writing.
  • Unreasonable measures of verification – Unreasonable verification measures will be defined, and examples provided to help covered entities avoid impeding an individual’s access rights.

Note – Eagle Associates will provide a detailed explanation of all changes and operational recommendations once the final rule is published. 

Notice for Subscribers to Eagle Associates’ HIPAA Compliance System

Eagle Associates will publish revised policies, forms (such as Notice of Privacy Practices and Business Associate Agreements), and workforce member training prior to the compliance date. We will also provide guidance documents to help ensure your practice is fully prepared to meet the new requirements.

HIPAA Privacy and the Opioid Crisis

The Office for Civil Rights has issued new guidance on when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when the patient may be in crisis and incapacitated, such as during an opioid overdose.

The following information will explain how a practice can share patient information (without patient authorization) with family members or designated friends during certain crisis situations, such as the opioid situation.

  1. Sharing health information with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment for care. For example, a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.
  2. Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.

For patients with decision-making capacity: A health care provider must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care. The provider is not permitted to share health information about a patient who currently has the capacity to make his or her own health care decisions and who objects to sharing the information (generally or with respect to specific people), unless there is a serious and imminent threat of harm to health as described above.

Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law.  If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information.

For example, a patient who arrives at an emergency room severely intoxicated or unconscious will be unable to meaningfully agree or object to information-sharing upon admission but may have sufficient capacity several hours later. Nurses and doctors may decide whether sharing information is in the patient’s best interest, and how much and what type of health information is appropriate to share with the patient’s family or close personal friends, while the patient is incapacitated so long as the information shared is related to the person’s involvement with the patient’s health care or payment for such care.  If a patient’s capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety as described above.

While HIPAA provides a patient’s personal representative the right to request and obtain any information about the patient that the patient could obtain, and under state law, a personal representative designation generally authorizes the person to make healthcare decisions for the patient, there may be conflict with existing state laws regarding information related to substance abuse treatment.  If a state’s law is more restrictive regarding the communication of patient information (for example, state law might state that substance abuse treatment information can only be shared with treatment personnel involved in treatment), then your practice should rely on the requirements of the more restrictive law (in this example state law).

Disclosures for Treatment Purposes

There are circumstances under which a patient’s authorization is NOT required to disclose their protected health information (PHI). One of those circumstances is when covered entities, such as practices, share patient information with another provider for treatment purposes. Many practices do not understand this provision, and require other practices to obtain a signed authorization before releasing PHI.

HHS has provided the examples below to help covered entities understand this provision:

  • A hospital may use protected health information about an individual to provide health care to the individual and may consult with other health care providers about the individual’s treatment.
  • A health plan may use protected health information to provide customer service to its enrollees.
  • A covered entity may disclose protected health information for the treatment activities of any health care provider (including providers not covered by the Privacy Rule). For example:
    • A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.
    • A hospital may send a patient’s health care instructions to a nursing home to which the patient is transferred.

Any disclosures made must be consistent with your Notice of Privacy Practices.

The full text of the HHS guidance can be found here.

Feel free to share this link with other providers that are requiring authorizations for disclosures that do not warrant them. Keep in mind, however, that if a practice refuses to disclose information to you without a signed authorization, the quickest way to get the information you need is often to obtain the authorization. You may send and receive authorizations remotely; you do not have to require a patient to sign an authorization in person. You would simply perform reasonable identity verification measures to confirm that you are sending the information to a mailing address, fax number, or email address that you have confirmed with the patient, and that their signature matches what you have on file.

Disclosure Requests for Legal Proceedings

Disclosure of protected health information (PHI) for use in legal proceedings is permitted under certain circumstances.  If a covered entity receives a court order that is signed by a judge, requesting PHI, it should comply with the order and provide the information that is specifically requested.

If the practice receives a subpoena, discovery request, or other lawful process that is not accompanied by a signed order of the court, certain satisfactory assurances must be obtained from the requesting party prior to disclosure of the requested information.

In these instances, the requesting party must provide the practice with either of the following:

  • Satisfactory assurances that reasonable efforts have been made to give the individual (whose information has been requested) notice of the request; or
  • Satisfactory assurances that the party seeking such information has made reasonable efforts to secure a qualified protective order (see below) that will guard the confidentiality of the information.

Please refer to the article, Requests for Disclosure of PHI for Legal Proceedings, in the April issue of the Advisor®, for more information regarding satisfactory assurances and documentation requirements.

Disclosure of PHI Obtained From Other Providers

Patients have the right to request a copy of their medical record, and covered entities must provide it and include any information that was created by, or obtained from other healthcare providers that is contained in the patient record.

The Privacy Rule states:

“A covered entity is required to provide access to protected health information in accordance with the rule regardless of whether the covered entity created such information or not… In order to assure that an individual can exercise his or her access rights, we do not require the individual to make a separate request to each originating provider.

If the individual directs an access request to a covered entity that has the protected health information requested, the covered entity must provide access.”

The inclusion of other providers’ information is not exclusive to patient access rights. For example, if a hospital requests a patient’s full medical record for treatment purposes, then the entire contents of the medical record, including records that were created by other providers, should be included.

Health and Human Services has posted the following question and answer that addresses the issue in a more general manner, rather than only referring to patient requests:

Question – A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider.  Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer – Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

While a covered entity may deny access to information that was received from someone under a promise of confidentiality (if access would be reasonably likely to reveal the source of the information), a covered entity may not deny access to PHI when the information has been obtained from a healthcare provider. If a patient authorizes disclosure of his/her PHI, or disclosure is otherwise permitted by the Privacy Rule, a provider may not restrict disclosure of PHI based on who created it.