PATIENT PRIVACY: RIGHT TO ACCESS PROTECTED HEALTH INFORMATION IN THE DESIGNATED RECORD SET POLICY

PURPOSE

The purpose of this policy is to: Define the components of information that comprise the patient's Designated Record Set at The University of Texas MD Anderson Cancer Center; Recognize the patient's right to access, inspect, and obtain a copy of Protected Health Information (PHI) contained in his/her Designated Record Set; and Provide instruction on how to facilitate a patient's request for such access.

POLICY STATEMENT

Under the Health Insurance Portability and Accountability Act (HIPAA), patients have a right to access, inspect, and obtain a copy of the contents of their Designated Record Set. It is the policy of The University of Texas MD Anderson Cancer Center (MD Anderson) to comply with HIPAA and facilitate patients' rights to access, inspect, and copy the PHI contained in their Designated Record Set.

The contents of the Designated Record Set of MD Anderson patients (regardless of whether they are created at, or received by, MD Anderson) are the property of MD Anderson. However, patients will be afforded access to their PHI in accordance with this policy.

SCOPE

Compliance with this policy applies to all MD Anderson patients and/or their Personal Representatives when requesting access to their PHI, as well as all faculty, trainees/students, and other members of MD Anderson's workforce involved in processing the requests.

This policy does not directly address the contents of a patient's Legal Medical Record, which is a subset of the Designated Record Set. The content, custodianship, ownership, and release of a patient's Legal Medical Record is governed by the Legal Medical Record Policy (UTMDACC Institutional Policy #CLN0554).
A patient's Legal Medical Record is the official business record of care provided to a patient and is the set of documentation routinely released in response to a request for the patient's medical record, whereas the Designated Record Set is the larger body of information about a patient's care and payment that the patient has a right to access under HIPAA. This policy defines the content of the Designated Record Set and specifies the patient's right to access, inspect, and copy that information.

A patient's right to amend the information in their Designated Record Set is addressed by the Patient Privacy: Right to Request Amendment of PHI Policy (UTMDACC Institutional Policy #ADM0390).
A patient's right to restrict the disclosure of information in their Designated Record Set is addressed by the Patient Privacy: Right to Request Privacy Protections and Other Restrictions on the Disclosure of Protected Health Information Policy (UTMDACC Inst. Policy #ADM0393).

TARGET AUDIENCE

The target audience for this policy includes, but is not limited to, patients requesting access to or copies of their PHI and all faculty, trainees/students, and other members of MD Anderson's workforce.

DEFINITIONS

Designated Record Set: A group of records maintained by or for MD Anderson that: (1) are the medical records and billing records about individuals maintained by or for MD Anderson; or (2) are used, in whole or in part, by or for MD Anderson, to make decisions about individuals. Note: For purposes of this definition, "record" means any item, collection, or grouping of information that contains Protected Health Information and is maintained, collected, used, or disseminated by or for MD Anderson.

Encounter: A clinical contact with a patient (e.g., office visits or admissions). If more than one evaluation or procedure takes place during a visit, it is considered a single encounter.

Episode: A patient condition that spans several encounters.

Health Care Provider: Individuals who are responsible for direct patient care or ancillary services provided to the patient. For example: Staff Physicians. GME Residents and Fellows. Dentists, Podiatrists, and Medical Physicists. PhDs in the Division of Cancer Prevention. Registered Nurses, Advanced Practice Registered Nurses, and Physician Assistants. Psychologists, Speech Pathologists, and Physical/Occupational Therapists. Pharmacists, Perfusionists, Respiratory Therapists, and Dieticians. Technicians, Social Workers, and Chaplains. Nursing Assistants. Students and trainees under direct supervision.

HIPAA: Health Insurance Portability and Accountability Act of 1996.
Legal Medical Record: The collection of information concerning a patient and his/her health care that is: (1) created and maintained in the regular course of business in accordance with applicable policies and procedures; (2) made by a person who has knowledge of the acts, events, opinions, or diagnoses relating to the patient; and (3) made at or around the time indicated in the documentation. It is the official legal and business record of health care services provided to an individual by MD Anderson.

Licensed Health Care Provider: Individuals licensed to practice in their respective clinical disciplines. For example: Staff Physicians. GME Residents and Fellows. Dentists, Podiatrists, and Medical Physicists. PhDs in the Division of Cancer Prevention.
Registered Nurses, Advanced Practice Registered Nurses, and Physician Assistants. Psychologists, Speech Pathologists, and Physical/Occupational Therapists. Pharmacists, Perfusionists, Respiratory Therapists, and Dieticians. Social Workers.

Personal Health Record (also known as mymdanderson): The components of a patient's Designated Record Set that are available to the patient for viewing through a secure internet-based portal.

Personal Representative: An individual who is authorized under the law to act on behalf of the patient and exercise the patient's rights under HIPAA. Note: The following are examples of individuals who may be considered a patient's Personal Representative under Texas law: An agent appointed under a Medical Power of Attorney. A parent or guardian of a minor. An individual acting in loco parentis for a minor with authority to make health care decisions on behalf of the minor. A legal guardian of an incompetent person. An attorney ad litem, a guardian ad litem. An individual appointed as an attorney-in-fact and given power to make health care decisions, or the representative of a deceased individual's estate (whether an executor, administrator, or other court-appointed Personal Representative). Certain next of kin of a deceased individual in the event that no representative has been designated (i.e., the decedent's spouse, adult children, adult grandchildren, parents, adult siblings, adult children of siblings, adult grandchildren of siblings, grandparents, and aunts/uncles, in that order).

Preliminary Document: A document or report pending a practitioner's review and signature.

Protected Health Information (PHI): See HIPAA Definitions Plan.

Psychotherapy Notes: See HIPAA Definitions Plan.

Retention: The length of time specified in the schedule based on the statute of limitations for each state, as well as institutional practice.
Scanned Document: A true and identical electronic image of a source document in which the content and meaning are preserved. Scanned Documents are: An electronically generated permanent image; Maintained, stored, archived, viewed, and retrieved in approved applications; and Viewed and/or printed using MD Anderson's electronic record.

Workforce Member: See HIPAA Definitions Plan.
PROCEDURE

1.0 Content of the Designated Record Set

1.1 The following records are generally included in an individual's Designated Record Set at MD Anderson, as they constitute medical and billing records typically maintained by or for MD Anderson, and/or records maintained and used by MD Anderson to make decisions about a patient's care:
A. All contents of the patient's Legal Medical Record (as defined by the Legal Medical Record Policy (UTMDACC Institutional Policy #CLN0554)). For some document types, only the latest encounter is included in the Legal Medical Record. All time periods and encounters for documents contained in the Legal Medical Record are included in the Designated Record Set.
B. Administrative Data (only the following): Acknowledgement of the Notice of Privacy Practices. Non-privileged Committee minutes, documentation, and reports relating to patient-specific care decisions about the requesting patient. Non-privileged Social Work, Patient Affairs, and Case Management records about the requesting patient that are maintained outside of the electronic health record (EHR) and used to make decisions about the requesting patient's care.
C. Clinical Records and Source Clinical Data: Appointment List for a particular patient. Flow sheets related to patient care not already included in the Legal Medical Record. Source Clinical Data: Cardiology Studies (e.g., EKG, EEG, stress tests); Images captured for clinical purposes (MRI, PET CT, CT, X-ray, Mammograms, Ultrasounds, Nuclear Medicine); Photographs, videos, or audio recordings created by an MD Anderson employee for identification purposes or for clinical purposes. Stem Cell smart forms. Note: Information about donors may require redaction prior to release.
D. The contents of a patient's mymdanderson account, including correspondence.
E. External Records and Reports: External providers' records received by MD Anderson (e.g., records received through health information exchanges, from patients, or directly from other Health Care Providers), if used to make decisions about a patient's care and maintained by MD Anderson in MD Anderson's EHR.
Patient-generated records, including photographs, surveys, questionnaires, and correspondence generated by the patient, if such records are used to make decisions about a patient's care and maintained by MD Anderson in the EHR. Forms and letters prepared at the patient's request for work-related or insurance purposes (including FMLA, return-to-work, disability, and workers' compensation documentation).
F. Financial records: Itemized statements. Remittance Advices. Claim forms (e.g., UB04, CMS1500 forms). Explanation of Benefits forms and related correspondence. Payment records. Adjustment Records. Advanced Beneficiary Notices. Financial Screening records. Eligibility information. Guarantor Notes (may be redacted if necessary to remove privileged information).
G. Research records (only the following): Research records containing treatment-related information for a particular participant for studies where the informed consent document does not warn the participant that records will not be available while the study is ongoing. Research records containing treatment-related information for a particular participant for studies that are no longer ongoing.

1.2 Depending on the circumstances, it is possible that documents not specifically listed above at Section 1.1 may be considered part of the Designated Record Set for a particular patient. If there are questions about a document that is not specifically named above, contact the Institutional Compliance Office or Legal Services for assistance in determining whether a patient has a right to access that document under HIPAA.

1.3 The following records generally do not meet the definition of Designated Record Set and are excluded from the patient's Designated Record Set:
A. Administrative Data (patient-identifiable data used for administrative, regulatory, health care operations, and payment purposes). Examples include, but are not limited to: Adopt-a-Family records. MD Anderson appointment and surgery schedules.
Correspondence (including e-mail, text messages, pages, staff messages, telephone messages, and HipLink correspondence) maintained outside of the EHR and utilized for day-to-day administrative employee communication.
Databases containing patient information. Data, abstracts, records, and reports collected and maintained for any of the following purposes: Peer review. Quality improvement, including Ethics records not included in the EHR. Performance improvement. Event history, user activity logs, and audit trails. Handoff Notes, Sticky Notes, and Sign Out Notes utilized by the care team. Incident or patient safety reports and Off-Shift Administration incident reports. Institutional review board lists. Patient-identifiable abstracts in coding system. Patient-identifiable data reviewed for quality assurance or utilization management. Patient surveys completed for non-treatment purposes. Physician queries (including, but not limited to, Clinical Document Improvement (CDI) and coding queries and associated correspondence). Privileged records, including but not limited to: Committee minutes and reports that are protected by a privilege, including 2-STOP and Clinical Ethics Consultation Committee records. Compliance hotline calls and reports. Documents protected by attorney-client privilege or attorney work product protections. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Risk Management, Institutional Compliance, Patient Safety, Legal Services, Internal Audit, and Patient Advocacy records. Telephone Messages.
B. Clinical information, including: Alerts (including, but not limited to, decision support tool alerts, best practice alerts, medication warnings, and user responses to all alerts). Donors' reports/results/orders. External source copyrighted forms. Laboratory results/reports from non-CLIA-certified laboratories.
Pathology slides. Preliminary Documents, including incomplete Treatment Summaries. Psychotherapy Notes. Note: Patients may request copies of Psychotherapy Notes, but MD Anderson is not required to grant such request. Psychotherapy Notes are generally maintained outside of the EHR.
C. Derived Data (Information aggregated or summarized from patient records so that there are no means to identify patients). Examples include: Accreditation reports. Best practice guidelines created from aggregate patient data. ORYX reports, public health records, and statistical reports.
D. MetaData.
E. Photographs, videos, and audio recordings taken solely for non-clinical purposes (e.g., those captured for research, health care operations, quality improvement, security, education, and training purposes).
F. Registry Data, including, but not limited to: Birth and death registers. Cancer registry information. Surgery registers. Tumor registry data.
G. Research records that relate to a patient, while the research is ongoing, provided that the participant agreed to the denial of access when consenting to the research study. Note: Research records are identified with a research icon in the EHR or the word "study" in the document name.

2.0 Patient PHI Access, Inspection, and Copying Rights

2.1 Each patient and/or the patient's Personal Representative has a right to access, inspect, and/or obtain a copy of the patient's PHI for as long as the PHI is maintained in the Designated Record Set, except for:
A. Psychotherapy Notes;
B. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; or
C. As otherwise permitted by law.

2.2 Method for Obtaining PHI:
A. Certain records are available to patients at any time through mymdanderson, the patient's online Personal Health Record.
B. For records not available through the portal, a patient's request for access to PHI must be documented and submitted to the Department of Health Information Management (HIM Department). Requests may be made: Via email to: HIMROI@mdanderson.org; Via regular mail to: The University of Texas MD Anderson Cancer Center, 7007 Bertner Avenue, Unit 1632, Houston, TX 77030, Attention: HIM; or In person at an HIM satellite location.

2.3 Patients may be required to complete a HIPAA Authorization prior to release of records, depending on the identity of the recipient, the nature of the documents to be released, and the purpose of the release. See Patient Privacy: Authorization for the Use and Disclosure of Protected Health Information (PHI) Policy (UTMDACC Institutional Policy #ADM0396).

2.4 The HIM Department is generally responsible for processing requests for access to PHI. However, other Workforce Members are permitted to release certain documents to patients, their Personal Representative, or to other individuals involved in the patient's care (see Patient Privacy: Disclosures of Protected Health Information to Individuals Involved in a Patient's Care Policy (UTMDACC Institutional Policy #ADM1032)). Workforce Members should document these releases in the patient's medical record, in a note or using the Quick Release or Quick Disclosure function.

2.5 Some records are maintained in systems outside of HIM and the EHR. For releases that involve more than one information system, HIM coordinates the compilation of documentation from the various locations, with the assistance of Legal Services, if needed.

3.0 Timely Action Requirements

3.1 A patient's request to access, inspect, and/or copy his/her PHI will be either fulfilled or denied no later than fifteen (15) days after receipt of the request.
3.2 If a patient's request cannot be fulfilled within fifteen (15) days, contact the Institutional Compliance Office for assistance.

4.0 Fulfilling Requests

4.1 MD Anderson will provide the patient with access to PHI in the form and format requested by the patient, including electronically, whenever feasible.

4.2 Any agreed upon method may be used for fulfilling the request so long as such method accurately transmits the requested information and is reasonably calculated to maintain the security and confidentiality of the information as required by law, such as:
A. Mailing, faxing, or e-mailing copies of the requested PHI to the patient;
B. Releasing electronic records through mymdanderson; Note: Not all records are technically capable of being released through mymdanderson.
C. Providing the patient with records on electronic media or devices, including CDs, DVDs, or external drives;
D. Permitting the patient to inspect and copy the requested PHI at a secure on-site facility; or
E. Arranging for the patient to pick up copies of the requested PHI from a secure on-site facility.

4.3 MD Anderson may provide a summary or explanation of the requested PHI in lieu of providing all requested materials if:
A. The patient agrees in advance to receive a summary or explanation in lieu of all requested materials; and
B. The patient agrees in advance to any fees associated with production of the summary or explanation.

4.4 If the PHI requested is maintained in more than one location, MD Anderson is only required to produce the PHI once in response to a request for access.

5.0 Applicable Fees

5.1 MD Anderson may charge reasonable, cost-based fees in exchange for providing copies of requested information.

5.2 Fees may include only the cost of:
A. Labor for copying PHI;
B. Supplies for creating the paper copy or electronic media;
C. Postage; and
D. Preparing an explanation or summary of the PHI, if agreed to by the patient.

5.3 Fees will not exceed the maximum amounts allowed by Texas Health & Safety Code, section 241.154, as annually adjusted.

5.4 Fees will not be imposed for a patient or his/her authorized representative to inspect (rather than obtain copies of) PHI.

6.0 Denials Generally

6.1 MD Anderson may completely or partially deny a patient's request for access to his/her PHI if the requested PHI is exempt from disclosure under this policy. With the exception of the non-reviewable denials described in Sections 2.1 and 8.0, a patient has a right to have a denial reviewed.

6.2 If it appears that a request merits denial, the request should be forwarded to Legal Services or the Institutional Compliance Office for handling.

6.3 Denials must be made in writing by Legal Services or the Institutional Compliance Office.
6.4 If a request is denied, either completely or partially, MD Anderson will provide written notice of denial no later than the expiration of the applicable timely action deadlines described in Section 3.0. The denial must:
A. Explain the specific grounds for the denial;
B. Explain the patient's right to request a review of the denial, if applicable;
C. Explain the patient's right to file a complaint, including at least the names, titles, and phone numbers, for the parties responsible for receiving complaints (MD Anderson's Privacy Officer and Secretary of Health and Human Services); and
D. Include, if applicable and to the extent possible, any of the requested information remaining after exclusion of the PHI that has been denied.

7.0 Reviewable Denials

7.1 In the following circumstances, MD Anderson may deny a patient's request for access to their PHI:
A. A Licensed Health Care Provider has determined (in the exercise of professional judgment) and documented that granting access to the PHI requested is reasonably likely to endanger the life or physical safety of the patient or another person;
B. The requested PHI makes reference to another person (unless such person is a Health Care Provider) and a Licensed Health Care Provider has determined and documented that the access requested is reasonably likely to cause substantial harm to this other person; or
C. The request for access is made by the patient's personal representative and a Licensed Health Care Provider has determined and documented that providing access to the representative is reasonably likely to cause substantial harm to the patient or another person.

7.2 If access is denied under Section 7.1, the patient has a right to have the denial reviewed by a Licensed Health Care Provider who did not participate in the original decision to deny the request, and who is designated by MD Anderson to act as a reviewing official. This review of denial must be completed within a reasonable period of time, and the patient must be notified promptly of the reviewing official's determination. MD Anderson will provide or deny access to the requested PHI in accordance with the determination of the designated reviewing official.
7.3 Additionally, under Texas law, MD Anderson may deny a patient's request for access to his/her PHI if a physician has determined that access to the information would be harmful to the physical, mental, or emotional health of the patient. Note: If the physician denies the request in whole or in part, the patient must be furnished with a written statement signed and dated by the physician, providing the reason for the denial. A copy of the statement must be placed in the billing or electronic health records, as applicable.

8.0 Non-Reviewable Denials

In the following circumstances, MD Anderson may deny a patient's request for access to his/her PHI without providing the patient with an opportunity to have the denial reviewed:

8.1 The requested information is excepted from access under Section 2.1;

8.2 If MD Anderson is acting under the direction of a correctional institution and the release of information in response to a request from an inmate or correctional institution would jeopardize the health, safety, security, custody, or rehabilitation of the patient or of other inmates, the safety of any officer, employee, or other person responsible for the inmate;
8.3 The patient is participating in research involving treatment and has consented to the denial of access while participating in that research; or

8.4 The PHI was obtained from someone other than a Health Care Provider under a promise of confidentiality and the access requested would reveal the source of the information.

9.0 Documentation

9.1 Documentation of patients' written requests for access and any denials will be retained for at least six (6) years, and in accordance with MD Anderson's Retention of Official Medical Records Policy (UTMDACC Institutional Policy #ADM0386).
ATTACHMENTS / LINKS

HIPAA Definitions Plan (Attachment #ATT0699).

RELATED POLICIES

Legal Medical Record Policy (UTMDACC Institutional Policy #CLN0554).
Patient Privacy: Authorization for the Use and Disclosure of Protected Health Information (PHI) Policy (UTMDACC Institutional Policy #ADM0396).
Patient Privacy: Disclosures of Protected Health Information to Individuals Involved in a Patient's Care Policy (UTMDACC Institutional Policy #ADM1032).
Patient Privacy: Right to Request Amendment of PHI Policy (UTMDACC Institutional Policy #ADM0390).
Patient Privacy: Right to Request Privacy Protections and Other Restrictions on the Disclosure of PHI Policy (UTMDACC Institutional Policy #ADM0393).
Retention of Official Medical Records Policy (UTMDACC Institutional Policy #ADM0386).

JOINT COMMISSION STANDARDS / NATIONAL PATIENT SAFETY GOALS

IM.02.01.01: The hospital protects the privacy of health information. Comprehensive Accreditation Manual for Hospitals (CAMH), 2015.
IM.02.01.03: The hospital maintains the security and integrity of health information. Comprehensive Accreditation Manual for Hospitals (CAMH), 2015.

OTHER RELATED ACCREDITATION / REGULATORY STANDARDS

42 U.S.C. 17935 (2010)
45 C.F.R. 164.524
42 C.F.R. 482.13(d)(1)
42 C.F.R. 482.24(b)(3)
Texas Occupations Code Ch. 159.
Texas Health & Safety Code Ch. 181.
Texas Health & Safety Code Ch. 241, Subch. G.
Texas Administrative Code Ch. 165.
Texas Department of State Health Services, Maximum Fees Allowed for Providing Health Care Information, Effective October 3, 2014.

REFERENCES

None.
POLICY APPROVAL

Approved With Revisions Date: 05/24/2016
Approved Without Revisions Date:
Implementation Date: 05/24/2016
Version: 33.0

RESPONSIBLE DEPARTMENT(S)

Institutional Compliance Office