HIPAA PRIVACY RULE: ACCESS TO PROTECTED HEALTH INFORMATION. A. General Right to Access Protected Health Information 1

Similar documents
Pennsylvania Hospital & Surgery Center ADMINISTRATIVE POLICY MANUAL

Creation Date: 1/30/15 Title: Patient Right to Access, Inspect and Copy Revision History:

POLICY NUMBER B JULY 8, 2014

PATIENT RIGHTS TO ACCESS PERSONAL MEDICAL RECORDS California Health & Safety Code Section

HIPAA PRIVACY RULE: LIMITING USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION TO THE MINIMUM NECESSARY

PATIENT PRIVACY: RIGHT TO ACCESS PROTECTED HEALTH INFORMATION IN THE DESIGNATED RECORD SET POLICY

NOTICE OF PRIVACY PRACTICES MOUNT CARMEL HEALTH SYSTEM

SUMMARY OF NOTICE OF PRIVACY PRACTICES

Notice of HIPAA Privacy Practices Updates

Medical Records Chapter (1) The documentation of each patient encounter should include:

WAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES

PARAGOULD DOCTORS CLINIC PRIVACY NOTICE

BON SECOURS RICHMOND NOTICE OF PRIVACY PRACTICES

CAPITAL SURGEONS GROUP, PLLC

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

Welcome to Baptist Medical Group - Westside. Please read the below information carefully to prepare for your upcoming appointment.

Your Medical Record Rights in Iowa

Karen LeVasseur, LCSW Calm4Kids Therapy Center, LLC 514 Main Street Bradley Beach, NJ

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices

(A Guide to Consumer Rights under HIPAA)

Opp Health and Rehabilitation, LLC 115 Paulk Avenue P.O. Box 730 Opp, AL Phone Number: (334)

Indiana. Your Medical Record Rights in. (A Guide to Consumer Rights under HIPAA)

MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES

CHI Mercy Health. Definitions

Your Medical Record Rights in Nevada

Disclosure Statement & Policies

THE CHILDREN S INSTITUTE OF PITTSBURGH NOTICE OF PRIVACY PRACTICES

Patient Appointment Agreement

Your Medical Record Rights in New Mexico

OREGON HIPAA NOTICE FORM

Slide 1 WHO IS THE CLIENT? WHO CONTROLS THE RECORD? ETHICS AND HIPAA. Slide 2. Slide 3. The Four As of Ethical Practice

INFORMED CONSENT TO PARTICIPATE IN A DIABETES RESEARCH REGISTRY

MAIN STREET RADIOLOGY

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

Johns Hopkins Notice of Privacy Practices for Health Care Providers

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

ERIE COUNTY MEDICAL CENTER CORPORATION NOTICE OF PRIVACY PRACTICES. Effective Date : April 14, 2003 Revised: August 22, 2016

The Queen s Medical Center HIPAA Training Packet for Researchers

NOTICE OF PRIVACY PRACTICES

Form B - For those enrolled in other insurance

STANDARD ADMINISTRATIVE PROCEDURE

Section VII Provider Dispute/Appeal Procedures; Member Complaints, Grievances, and Fair Hearings

COMMUNITY HOWARD REGIONAL HEALTH KOKOMO, INDIANA. Medical Staff Policy POLICY #4. APPOINTMENT, REAPPOINTMENT AND CREDENTIALING POLICY

Your Medical Record Rights in Utah

Virginia. Your Medical Record Rights in. (A Guide to Consumer Rights under HIPAA)

Notice of. Privacy Practices. Dartmouth-Hitchcock Affiliated Covered Entity

Your Medical Record Rights in Rhode Isl and

Chapter 5 BRIEFINGS AND VOUCHER ISSUANCE

HIPAA-HITECH HELPBOOK NJ Physician Practices

PURDUE UNIVERSITY WEST LAFAYETTE, INDIANA SCHOOL OF NURSING STUDENT DRUG TESTING POLICY PRIOR TO PARTICIPATION IN CLINICAL ACTIVITIES

John W. Steele, Ph.D., Licensed Psychologist 1285 Fairfield Drive, Boulder, CO 80305

2012/2013 ST. JOSEPH MERCY OAKLAND Pontiac, Michigan HOUSE OFFICER EMPLOYMENT AGREEMENT

Your Medical Record Rights in Hawaii

Attachment B ORDINANCE NO. 14-

The care of your newborn child, or the placement of a child with you for adoption or foster care; or

NOTICE OF PRIVACY PRACTICES UNIVERSITY OF CALIFORNIA RIVERSIDE CAMPUS HEALTH CENTER

INDIANA STATE UNIVERSITY POLICIES AND PROCEDURES FOR THE REVIEW OF RESEARCH INVOLVING HUMAN SUBJECTS

PEDIATRIC HEALTH ASSOCIATES HIPAA NOTICE OF PRIVACY PRACTICES

Parental Consent For Minors to Receive Services

The Duty to Record: Ethical, Legal, and Professional Considerations for Arkansas Psychologists

Let s TALK about... Patient Rights and Responsibilities

Your Medical Record Rights in Wisconsin

PATIENT INFORMATION Please Print

Institutional Review Board (previously referred to as Human Participants Research Board) Updated January 2004

Notice of Privacy Practices

Use And Disclosure Of Protected Health Information (PHI) For Research

MEMPHIS LUNG PHYSICIANS FOUNDATION AN OFFICE OF BAPTIST MEDICAL GROUP NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICE UNIVERSITY OF CALIFORNIA SAN FRANCISCO DENTAL CENTER

physicians, nurses, and technicians and other Facility personnel for review and learning purposes. We may also combine the medical information we

RECEIPT OF NOTICE OF PRIVACY PRACTICES WRITTEN ACKNOWLEDGEMENT FORM. I,, have received a copy of Dr. Andy Hand s Notice of Privacy Practice.

Notice of Privacy Practices for Protected Health Information (PHI)

INFORMED CONSENT FOR TREATMENT

Department of Rehabilitation Services

I. POLICY: DEFINITIONS:

PROCEDURE-STUDENT RECORDS

If you have any questions about this notice, please contact the SSHS Privacy Officer at:

NOTICE OF PRIVACY PRACTICES

DEPARTM PRACTICES. Effective: Tel: Fax: to protecting. Alice Gleghorn, Page 1

Your Medical Record Rights in i Maryland

CREDENTIALING PROCEDURES MANUAL MEMORIAL HOSPITAL OF SOUTH BEND, INC. SOUTH BEND, INDIANA

UTILIZATION REVIEW DECISIONS ISSUED PRIOR TO JULY 1, 2013 FOR INJURIES OCCURRING PRIOR TO JANUARY 1, 2013

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY

NOTICE OF PRIVACY PRACTICES

Release of Medical Records in Ohio OHIMA. Ohio Revised Code (ORC) HIPAA

[Enter Organization Logo] USE AND DISCLOSURE OF MENTAL HEALTH RECORDS. Policy Number: [Enter] Effective Date: [Enter]

NOTICE OF PRIVACY PRACTICES

HIPAA Notice of Privacy Practices DFD Russell Medical Center Effective April 14, 2003 Updated April 10, 2013

Your Medical Record Rights in Guam

New Jersey Administrative Code _Title 10. Human Services _Chapter 126. Manual of Requirements for Family Child Care Registration

General Procedure - Institutional Review Board

HIPAA Policies and Procedures Manual

ALABAMA DEPARTMENT OF MENTAL HEALTH BEHAVIOR ANALYST LICENSING BOARD DIVISION OF DEVELOPMENTAL DISABILITIES ADMINISTRATIVE CODE

SECTION 8: COORDINATORS 8.1 STRUCTURE: Coordinator positions are established and appointments are made by the NFPA Board. Each Coordinator may

NOTICE OF PRIVACY PRACTICES

Northern Lights Services, Inc., DBA Northern Lights HEALTH CARE CENTER 706 Bratley Drive Washburn, WI (715) Fax (715)

Oklahoma Surgicare NOTICE OF PRIVACY PRACTICES. Effective Date: 02/17/2010

Delegation Oversight 2016 Audit Tool Credentialing and Recredentialing

Contra Costa County. Drug Medi-Cal Organized Delivery System (DMC-ODS) Program BENEFICIARY HANDBOOK

HH Health System-Shoals, LLC dba Helen Keller Hospital Notice of Privacy Practices

Transcription:

1 of 9 SUBJECT: HIPAA PRIVACY RULE: ACCESS TO PROTECTED HEALTH INFORMATION HIPAA CITE: 45 CFR 164.524 POLICY NUMBER: PAT - 601 ISSUED: April 14, 2003 I. POLICY: A. General Right to Access Protected Health Information 1 This policy describes when it is appropriate to permit a patient to access his or her Protected Health Information and the procedures to follow when approving or denying a patient request to access his or her Protected Health Information. Except as set forth in Sections 1.B. and 1.C. below, the University of Southern California (USC) 2 recognizes the right of a patient to have access to (i.e., inspect and/or obtain a copy of) Protected Health Information maintained by USC in a "Designated Record Set." A Designated Record Set is defined as the following: 1. An individual's medical records and billing records maintained by USC; and 2. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for USC's health plans (including the USC Network Plan); and 3. Records used by USC providers, in whole or in part, to make decisions about individuals. 1 Protected Health Information is defined as identifiable information that relates to the individual's past, present or future physical or mental health condition or to payment for health care. 2 For purposes of the HIPAA Privacy Rule, USC is defined as those components/units that provide clinical services within the School of Pharmacy, the School of Dentistry and the Independent Health Professions (e.g., Physical Therapy, Occupational Therapy, Nursing) as well as USC Care Medical Group, Inc., the USC-affiliated faculty practice plan corporations at the Keck School of Medicine, the USC affiliated faculty practice plans of Physical Therapy and Occupational Therapy, clinical researchers who conduct research that involves clinical treatment and those units that support the clinical functions, such as the Office of the General Counsel and the Office of Audit and Compliance.

2 of 9 B. Exceptions to Right to Access Protected Health Information 3 USC shall not provide a patient with access to the following Protected Health Information maintained in the Designated Record Set: 1. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and 2. Minor s Protected Health Information that is not accessible to that minor s parent or legal guardian under California Health and Safety Code Sections 123100 et seq. 4 C. USC Right to Deny Patient Request to Access Protected Health Information USC may deny a patient access to his/her Protected Health Information for any of the reasons set forth below in Sections I.C.1 or I.C.2. A patient does not have a right of review of a request for access that is denied for any of the reasons set forth in Section I.C.1. below. A patient may seek review of a request for access that is denied based on any of the reasons set forth in Section I.C.2. In those cases, the review should be conducted pursuant to the procedures set forth in Section II.D. 1. Permissible Grounds for Denial of Access Without Opportunity for Review. USC may deny a patient request for access without a right to have the denial reviewed for any of the reasons set forth below in Sections I.C.1.a-d. USC, 3 The HIPAA Privacy Rule and California state law both contain exceptions to a patient's right to access Protected Health Information, but the exceptions are different in the following areas: Under the privacy rule, clinical laboratories are not required to provide patients access to their lab tests. No such exception exists in state law. Under the privacy rule, research laboratories exempt from CLIA are not required to provide patients access to their research lab tests. No such exception exists in state law. Under the privacy rule, providers are not required to provide patients access to their psychotherapy notes, but state law does not contain such an exception. Because state law provides more rights to patients than the HIPAA Privacy Rule, state law will apply. This means that USC may not deny a patient request to access Protected Health Information that falls into any of the above categories that are not excepted under state law. Please call the Office of Compliance if you need further assistance regarding the application of these exceptions. 4 Generally, a parent of a minor has the right of access to the minor's patient information. However, where the minor is authorized by law to consent to treatment, the right of access with respect to that patient information rests with the minor, not the parent or guardian. Additionally, a provider may deny a parent or guardian access to a minor's patient information where the provider determines that access would have a detrimental effect on the provider's professional relationship with the minor or on the minor's physical safety or psychological well being.

3 of 9 shall, to the extent possible, give the patient access to any Protected Health Information requested, other than that to which access was denied. a. If the requested Protected Health Information falls under one of the exceptions to the patient s right of access discussed above in I.B. b. If the requested Protected Health Information is information that has been obtained by USC in the course of research that includes treatment of the research participants (e.g., a clinical trial), the patient s right to access the information may be temporarily suspended for as long as the research is in progress provided that: i. the patient has agreed to the denial of access when consenting to participate in the research study; and ii. USC has informed the patient that his or her right to access the Protected Health Information will be reinstated once the research is completed. 5 c. If an inmate of a correctional institution makes a request for access while USC is acting under the direction of the correctional institution, and the inmate s request would jeopardize the health, safety, security, custody, or rehabilitation of the inmates or the safety of any officer, employee or other at USC. 6 d. If USC obtained the requested Protected Health Information from someone other than a Health Care Provider under a promise of confidentiality and such access would be reasonably likely to reveal the source of the information. 2. Grounds for Denial of Access With Opportunity for Review of Denial in Certain Cases. USC may deny a patient request for access if it is determined that providing such access is reasonably likely to endanger the life or physical safety of the patient or another person. However, USC 5 USC's template informed consent documents have been revised to include the appropriate language to meet these requirements. The standard documents can be obtained from the relevant IRB office or the USC policies website at http//policies.usc.edu. 6 California state law permits inmates to access their records in very limited situations. Contact the Office of Compliance before denying an inmate the right to his or her records.

4 of 9 must give the patient an opportunity to have the denial of access decision reviewed pursuant to the procedures set forth in Section II.D. Section II describes USC's procedures for implementing the above policy regarding patient access to Protected Health Information. II. PROCEDURES: A. Initial Processing of a Request for Access 1. Access Request Form. A patient that requests access to his or her Protected Health Information must make a request in writing on USC's Access Request Form. A copy of USC's Access Request Form can be downloaded from the USC policies website at http://policies.usc.edu. 2. Referral to Privacy Administrator. Patient requests for access to Protected Health Information should be referred to the clinical unit's Privacy Administrator who will be responsible for the initial handling of the patient's request. 3. Requests to be in Writing. If a patient makes an oral request, the Privacy Administrator should inform the patient that such requests must be made in writing. In addition, a copy of USC's Access Request Form should be provided to the patient. The Privacy Administrator may refuse an oral request to access or inspect Protected Health Information on the basis that such request is oral and not written. 4. Verification of Identity of Person Requesting Information. The Privacy Administrator should use reasonable efforts to verify the identity of the person requesting access to his or her Protected Health Information and the authority of such person to have access, if the authority is not otherwise known. 5. Scope and Format of Request. The Privacy Administrator should discuss with the patient the scope, format and other aspects of the patient's request as necessary to facilitate the timely provision of access. 6. Requests Limited to Particular USC Clinical Unit. If the patient's request is directed solely at Protected Health Information kept by the specific USC clinical unit or practice plan, the Privacy Administrator for that unit should follow the access procedures set forth in this section of the policy. If the patient requests access to Protected Health Information maintained by more than one USC clinical unit or faculty practice plan or all of USC (e.g., all of the clinical units that comprise

5 of 9 USC under the Privacy Rule), the Privacy Administrator should follow the access procedures set forth in this policy below in Section II.H. 7. Provider Review of Protected Health Information. Once the requested Protected Health Information has been located, the Privacy Administrator should consult with the provider who treated the patient or, alternatively, from the provider who has been designated by the USC clinical unit or faculty practice plan to review the Protected Health Information in the absence of the treating provider. The provider or designee will determine whether to approve or deny the request in accordance with this policy. Where a denial of access is contemplated, the provider or designee also should consult with the USC Office of Compliance for assistance in determining if a denial is appropriate. B. Types of Actions on a Request. USC, through the relevant clinical unit, may take one of the following three actions on a request: 1. provide access in whole or in part, in accordance with the procedures in Section II.C below; 2. deny the request without an opportunity for review in accordance with the procedures set forth in Section I.C.1 and II.D.1; 3. deny the request and give the patient an opportunity to obtain a review of the denial as set forth in Section I.C.2 and II.D.2. C. Access Procedures. If it is appropriate to provide access to the patient (in whole or in part) the procedures set forth below will be followed: 1. Patient Right to Access. The patient has the right to inspect the information, to obtain a copy of the information or to do both. 2. Patient Access Arrangements. The Privacy Administrator should arrange for a mutually convenient time and place to provide the access requested in accordance with the time limitations set forth in Section II.E. 3. Summary of Protected Health Information. The patient also may be provided with a summary of the Protected Health Information requested, in lieu of providing an opportunity to inspect or obtain a copy of the Protected Health Information, if the patient agrees in advance;

6 of 9 a. to the provision of the summary, b. to any fees imposed by USC for such summary (See Section II.F), and c. to any extended time period required by USC to produce the summary. If it is determined that a summary is more appropriate to provide to the patient, the provider/designee should prepare the summary. 4. Format of Access. The requested Protected Health Information should be given to the patient in the form or format requested, provided that the information is readily producible in such form or format. If the Protected Health Information is not readily producible in the requested format, the Privacy Administrator should arrange to produce a copy of the information in a format mutually agreed upon between the parties. If the patient requests to inspect Protected Health Information that is maintained electronically, Privacy Administrator should arrange to print out a copy and allow the patient to view the printout on-site. 5. Requests for Copies. A patient is entitled to request the USC clinical unit or faculty practice plan to mail a copy of the requested Protected Health Information. The USC clinical unit or faculty practice plan may request reimbursement in accordance with Section II.F of this policy. D. Procedures in Case of Denial. If access is denied (in whole or in part) for any of the reasons set forth in Section I.C, the procedures set forth below shall be followed: 1. Request Denial Form. The Privacy Administrator shall complete a Denial of Access Form, which should be given to the patient and which should explain the reasons for denying the access request. 7 A copy of USC's Denial of Access Form can be downloaded from the USC policies website at http://policies.usc.edu. 2. Review Procedures. a. Referral to the Quality Assurance Committee. When a patient has a right to have a denial reviewed pursuant to Section I.C.2, such requests for review shall be referred promptly to the 7 The provider who completes the form should be mindful of confidentiality issues when explaining the reasons for denial. For example, providers should use caution when denying a parent/legal guardian access to a minor s Protected Health Information, whether in whole or in part. If a parent is permitted to access most of the record, but is denied access to the portion relating to the minor s treatment for a sexually transmitted disease, for example, then the written notice of denial should not alert the parent to the existence of such information.

7 of 9 USC Care Quality Assurance Committee, if involving a clinical physician, or other appropriate quality assurance committee, if involving a practitioner that is not a member of USC Care Medical Group, Inc. The Privacy Administrator or Privacy Liaison shall be responsible for forwarding such requests to the appropriate quality assurance committee. b. Determination by Quality Assurance Committee. Within a reasonable time of receiving the request for review, the Quality Assurance Committee must determine whether or not to deny the requested access based on the standards set forth in Section I.C.2, and shall provide the patient with written notice of its decision. The decision by the Quality Assurance Committee shall be final and must be followed by the USC clinical unit or faculty practice plan that initially denied access. The Privacy Liaison shall be responsible for ensuring that the determinations of the Quality Assurance Committee are conveyed to the patient and are followed by the clinical unit. 3. Protected Health Information Not Maintained by USC. If USC, through the relevant clinical unit, does not maintain the Protected Health Information requested by the patient, but knows where the requested information is maintained, it must inform the patient where to direct the request for access. For example, in cases where the Protected Health Information belongs to a hospital partner, the Privacy Administrator of the relevant clinical unit should attempt to coordinate with the hospital liaison to ensure that the patient request is addressed. E. Time to Respond to Request for Access. 1. Time to Respond to Request to Inspect. USC, through the relevant clinical unit, must provide access (i.e., inspection) to a patient's Protected Health Information during business hours within five (5) working days of receiving the request from the patient or his or her representative. If a patient agrees to provide additional time to the clinical unit to respond, it is recommended that the agreement be confirmed in writing. 2. Requests for Copies of Protected Health Information. USC, through the relevant clinical unit, shall transmit copies of Protected Health Information within fifteen (15) days of receiving a request for copies. If a patient agrees to provide additional time to the clinical unit to respond, it is recommended that the agreement be confirmed in writing.

8 of 9 F. Fees 3. Summaries of Protected Health Information. USC, through the relevant clinical unit, shall provide a summary of Protected Health Information within ten (10) working days of receiving a patient's request, or within a maximum of thirty (30) days if USC notifies the individual that more time is necessary, either because of the length of the record or because the individual was discharged from the hospital within the prior ten (10) days. 4. Duplicate Information. If the same Protected Health Information is maintained in more than one Designated Record Set or at more than one location, the Privacy Administrator of the relevant clinical unit need only produce the information once per request. 1. Categories of Fees. USC, through the relevant clinical unit, may charge the individual the following reasonable, cost-based fees associated with obtaining access to Protected Health Information: a. Copying: No more than twenty-five cents per page or fifty cents for copies from microfilm and may include the labor costs incurred in copying the information; b. Mailing: Fees may include copying costs (twenty five cents per page) and the cost of postage; and c. Electronic: Fees may include cost of computer disk. 2. No Handling Fees. USC, through the relevant clinical unit, shall not charge any fees for clerical costs in locating the Protected Health Information, processing the request or making the information available. 3. Preparation of Summary or Explanation. USC, through the relevant clinical unit, shall charge a reasonable fee, based on actual time and cost for the preparation of an explanation or summary of the Protected Health Information that USC provides to a patient, if: (i) the patient requests such explanation and (ii) the patient agrees to be charged such fee in advance of the preparation. 4. No Fees for Eligibility Appeals of Public Benefit Program. A patient or his or her representative is entitled to a copy, at no charge, of the relevant portion of the patient's Protected Health Information, upon presenting to USC a written request and proof that the information is needed to support an appeal regarding eligibility for a public benefit program (e.g., Medi-Cal, social security disability insurance benefits)

9 of 9 G. Documentation. The Privacy Administrator will document the status of the response, including: The date that the request is received; The date that the clinical unit provides access and the information is provided to the patient; If the request is denied, the date of the denial, the date of the appeal, if any, the determination on appeal, and the date the request is closed (either by appeal or by producing Protected Health Information). Access Request Forms and Denial of Access Forms, as well as any other written correspondence to or from a patient regarding his or her right to access Protected Health Information shall be maintained in the patient s medical record(s). H. Process for Handling Global Requests for USC Protected Health Information. If the request seeks records from more than one USC clinical unit or faculty practice plan, the request shall be forwarded promptly to USC Care Medical Group, Inc. for handling. USC Care will be responsible for: Requesting that the Privacy Administrator from each relevant USC clinical unit and/or faculty practice plan provide copies of Protected Health Information that respond to the patient's request; Ensuring that all USC clinical units and faculty practice plans provide responsive Protected Health Information within the deadlines set forth in Section II.E; Making arrangements with the patient to inspect/copy the responsive Protected Health Information; Documenting the response to the request. The USC clinical units and faculty practice plans are responsible for handling denials of requests for access and also for determining and collecting from the patient the fees to be charged to respond to the request for access.

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback