PATIENT PRIVACY: RIGHT TO ACCESS PROTECTED HEALTH INFORMATION IN THE DESIGNATED RECORD SET POLICY

PURPOSE

The purpose of this policy is to:
- Define the components of information that comprise the patient's Designated Record Set at The University of Texas MD Anderson Cancer Center;
- Recognize the patient's right to access, inspect, and obtain a copy of Protected Health Information (PHI) contained in his/her Designated Record Set; and
- Provide instruction on how to facilitate a patient's request for such access.

POLICY STATEMENT

Under the Health Insurance Portability and Accountability Act (HIPAA), patients have a right to access, inspect, and obtain a copy of the contents of their Designated Record Set. It is the policy of The University of Texas MD Anderson Cancer Center (MD Anderson) to comply with HIPAA and facilitate patients' rights to access, inspect, and copy the PHI contained in their Designated Record Set.

The contents of the Designated Record Set of MD Anderson patients (regardless of whether they are created at, or received by, MD Anderson) are the property of MD Anderson. However, patients will be afforded access to their PHI in accordance with this policy.

SCOPE

Compliance with this policy applies to all MD Anderson patients and/or their Personal Representatives when requesting access to their PHI, as well as to all faculty, trainees/students, and other members of MD Anderson's workforce involved in processing the requests.

This policy does not directly address the contents of a patient's Legal Medical Record, which is a subset of the Designated Record Set. The content, custodianship, ownership, and release of a patient's Legal Medical Record are governed by the Legal Medical Record Policy (UTMDACC Institutional Policy #CLN0554). A patient's Legal Medical Record is the official business record of care provided to a patient and is the set of documentation routinely released in response to a request for the patient's medical record, whereas the Designated Record Set is the larger body of information about a patient's care and payment that the patient has a right to access under HIPAA. This policy defines the content of the Designated Record Set and specifies the patient's right to access, inspect, and copy that information.

A patient's right to amend the information in their Designated Record Set is addressed by the Patient Privacy: Right to Request Amendment of PHI Policy (UTMDACC Institutional Policy #ADM0390).

Page 1 of 14

A patient's right to restrict the disclosure of information in their Designated Record Set is addressed by the Patient Privacy: Right to Request Privacy Protections and Other Restrictions on the Disclosure of Protected Health Information Policy (UTMDACC Institutional Policy #ADM0393).

TARGET AUDIENCE

The target audience for this policy includes, but is not limited to, patients requesting access to or copies of their PHI and all faculty, trainees/students, and other members of MD Anderson's workforce.

DEFINITIONS

Designated Record Set: A group of records maintained by or for MD Anderson that: (1) are the medical records and billing records about individuals maintained by or for MD Anderson; or (2) are used, in whole or in part, by or for MD Anderson to make decisions about individuals.
Note: For purposes of this definition, "record" means any item, collection, or grouping of information that contains Protected Health Information and is maintained, collected, used, or disseminated by or for MD Anderson.

Encounter: A clinical contact with a patient (e.g., office visits or admissions). If more than one evaluation or procedure takes place during a visit, it is considered a single encounter.

Episode: A patient condition that spans several encounters.

Health Care Provider: Individuals who are responsible for direct patient care or ancillary services provided to the patient. For example:
- Staff Physicians.
- GME Residents and Fellows.
- Dentists, Podiatrists, and Medical Physicists.
- PhDs in the Division of Cancer Prevention.
- Registered Nurses, Advanced Practice Registered Nurses, and Physician Assistants.
- Psychologists, Speech Pathologists, and Physical/Occupational Therapists.
- Pharmacists, Perfusionists, Respiratory Therapists, and Dieticians.
- Technicians, Social Workers, and Chaplains.
- Nursing Assistants.
- Students and trainees under direct supervision.

HIPAA: Health Insurance Portability and Accountability Act of 1996.

Legal Medical Record: The collection of information concerning a patient and his/her health care that is: (1) created and maintained in the regular course of business in accordance with applicable policies and procedures; (2) made by a person who has knowledge of the acts, events, opinions, or diagnoses relating to the patient; and (3) made at or around the time indicated in the documentation. It is the official legal and business record of health care services provided to an individual by MD Anderson.

Licensed Health Care Provider: Individuals licensed to practice in their respective clinical disciplines. For example:
- Staff Physicians.
- GME Residents and Fellows.
- Dentists, Podiatrists, and Medical Physicists.
- PhDs in the Division of Cancer Prevention.
- Registered Nurses, Advanced Practice Registered Nurses, and Physician Assistants.
- Psychologists, Speech Pathologists, and Physical/Occupational Therapists.
- Pharmacists, Perfusionists, Respiratory Therapists, and Dieticians.
- Social Workers.

Personal Health Record (also known as mymdanderson): The components of a patient's Designated Record Set that are available to the patient for viewing through a secure internet-based portal.

Personal Representative: An individual who is authorized under the law to act on behalf of the patient and exercise the patient's rights under HIPAA.
Note: The following are examples of individuals who may be considered a patient's Personal Representative under Texas law:
- An agent appointed under a Medical Power of Attorney.
- A parent or guardian of a minor.
- An individual acting in loco parentis for a minor with authority to make health care decisions on behalf of the minor.
- A legal guardian of an incompetent person.
- An attorney ad litem or a guardian ad litem.
- An individual appointed as an attorney-in-fact and given power to make health care decisions, or the representative of a deceased individual's estate (whether an executor, administrator, or other court-appointed Personal Representative).
- Certain next of kin of a deceased individual in the event that no representative has been designated (i.e., the decedent's spouse, adult children, adult grandchildren, parents, adult siblings, adult children of siblings, adult grandchildren of siblings, grandparents, and aunts/uncles, in that order).

Preliminary Document: A document or report pending a practitioner's review and signature.

Protected Health Information (PHI): See HIPAA Definitions Plan.

Psychotherapy Notes: See HIPAA Definitions Plan.

Retention: The length of time specified in the schedule based on the statute of limitations for each state, as well as institutional practice.

Scanned Document: A true and identical electronic image of a source document in which the content and meaning are preserved. Scanned Documents are:
- An electronically generated permanent image;
- Maintained, stored, archived, viewed, and retrieved in approved applications; and
- Viewed and/or printed using MD Anderson's electronic record.

Workforce Member: See HIPAA Definitions Plan.

PROCEDURE

1.0 Content of the Designated Record Set

1.1 The following records are generally included in an individual's Designated Record Set at MD Anderson, as they constitute medical and billing records typically maintained by or for MD Anderson, and/or records maintained and used by MD Anderson to make decisions about a patient's care:

A. All contents of the patient's Legal Medical Record (as defined by the Legal Medical Record Policy (UTMDACC Institutional Policy #CLN0554)). For some document types, only the latest encounter is included in the Legal Medical Record. All time periods and encounters for documents contained in the Legal Medical Record are included in the Designated Record Set.

B. Administrative Data (only the following):
- Acknowledgement of the Notice of Privacy Practices.
- Non-privileged Committee minutes, documentation, and reports relating to patient-specific care decisions about the requesting patient.
- Non-privileged Social Work, Patient Affairs, and Case Management records about the requesting patient that are maintained outside of the electronic health record (EHR) and used to make decisions about the requesting patient's care.

C. Clinical Records and Source Clinical Data:
- Appointment List for a particular patient.
- Flow sheets related to patient care not already included in the Legal Medical Record.
- Source Clinical Data:
  o Cardiology Studies (e.g., EKG, EEG, stress tests).
  o Images captured for clinical purposes (MRI, PET CT, CT, X-ray, Mammograms, Ultrasounds, Nuclear Medicine).
  o Photographs, videos, or audio recordings created by an MD Anderson employee for identification purposes or for clinical purposes.
- Stem Cell smart forms. Note: Information about donors may require redaction prior to release.

D. The contents of a patient's mymdanderson account, including correspondence.

E. External Records and Reports:
- External providers' records received by MD Anderson (e.g., records received through health information exchanges, from patients, or directly from other Health Care Providers), if used to make decisions about a patient's care and maintained by MD Anderson in MD Anderson's EHR.
- Patient-generated records, including photographs, surveys, questionnaires, and correspondence generated by the patient, if such records are used to make decisions about a patient's care and maintained by MD Anderson in the EHR.
- Forms and letters prepared at the patient's request for work-related or insurance purposes (including FMLA, return-to-work, disability, and workers' compensation documentation).

F. Financial records:
- Itemized statements.
- Remittance Advices.
- Claim forms (e.g., UB04, CMS1500 forms).
- Explanation of Benefits forms and related correspondence.
- Payment records.
- Adjustment Records.
- Advanced Beneficiary Notices.
- Financial Screening records.
- Eligibility information.
- Guarantor Notes (may be redacted if necessary to remove privileged information).

G. Research records (only the following):
- Research records containing treatment-related information for a particular participant for studies where the informed consent document does not warn the participant that records will not be available while the study is ongoing.
- Research records containing treatment-related information for a particular participant for studies that are no longer ongoing.

1.2 Depending on the circumstances, documents not specifically listed above in Section 1.1 may be considered part of the Designated Record Set for a particular patient. If there are questions about a document that is not specifically named above, contact the Institutional Compliance Office or Legal Services for assistance in determining whether a patient has a right to access that document under HIPAA.

1.3 The following records generally do not meet the definition of Designated Record Set and are excluded from the patient's Designated Record Set:

A. Administrative Data (patient-identifiable data used for administrative, regulatory, health care operations, and payment purposes). Examples include, but are not limited to:
- Adopt-a-Family records.
- MD Anderson appointment and surgery schedules.
- Correspondence (including e-mail, text messages, pages, staff messages, telephone messages, and HipLink correspondence) maintained outside of the EHR and utilized for day-to-day administrative employee communication.
- Databases containing patient information.
- Data, abstracts, records, and reports collected and maintained for any of the following purposes:
  o Peer review.
  o Quality improvement, including Ethics records not included in the EHR.
  o Performance improvement.
- Event history, user activity logs, and audit trails.
- Handoff Notes, Sticky Notes, and Sign Out Notes utilized by the care team.
- Incident or patient safety reports and Off-Shift Administration incident reports.
- Institutional review board lists.
- Patient-identifiable abstracts in the coding system.
- Patient-identifiable data reviewed for quality assurance or utilization management.
- Patient surveys completed for non-treatment purposes.
- Physician queries (including, but not limited to, Clinical Document Improvement (CDI) and coding queries and associated correspondence).
- Privileged records, including but not limited to:
  o Committee minutes and reports that are protected by a privilege, including 2-STOP and Clinical Ethics Consultation Committee records.
  o Compliance hotline calls and reports.
  o Documents protected by attorney-client privilege or attorney work product protections.
  o Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
  o Risk Management, Institutional Compliance, Patient Safety, Legal Services, Internal Audit, and Patient Advocacy records.
- Telephone Messages.

B. Clinical information, including:
- Alerts (including, but not limited to, decision support tool alerts, best practice alerts, medication warnings, and user responses to all alerts).
- Donors' reports/results/orders.
- External source copyrighted forms.
- Laboratory results/reports from non-CLIA-certified laboratories.
- Pathology slides.
- Preliminary Documents, including incomplete Treatment Summaries.
- Psychotherapy Notes. Note: Patients may request copies of Psychotherapy Notes, but MD Anderson is not required to grant such requests. Psychotherapy Notes are generally maintained outside of the EHR.

C. Derived Data (information aggregated or summarized from patient records so that there are no means to identify patients). Examples include:
- Accreditation reports.
- Best practice guidelines created from aggregate patient data.
- ORYX reports, public health records, and statistical reports.

D. Metadata.

E. Photographs, videos, and audio recordings taken solely for non-clinical purposes (e.g., those captured for research, health care operations, quality improvement, security, education, and training purposes).

F. Registry Data, including, but not limited to:
- Birth and death registers.
- Cancer registry information.
- Surgery registers.
- Tumor registry data.

G. Research records that relate to a patient, while the research is ongoing, provided that the participant agreed to the denial of access when consenting to the research study. Note: Research records are identified with a research icon in the EHR or the word "study" in the document name.

2.0 Patient PHI Access, Inspection, and Copying Rights

2.1 Each patient and/or the patient's Personal Representative has a right to access, inspect, and/or obtain a copy of the patient's PHI for as long as the PHI is maintained in the Designated Record Set, except for:
A. Psychotherapy Notes;
B. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; or
C. As otherwise permitted by law.

2.2 Method for Obtaining PHI:
A. Certain records are available to patients at any time through mymdanderson, the patient's online Personal Health Record.
B. For records not available through the portal, a patient's request for access to PHI must be documented and submitted to the Department of Health Information Management (HIM Department). Requests may be made:
- Via e-mail to: HIMROI@mdanderson.org;
- Via regular mail to: The University of Texas MD Anderson Cancer Center, 7007 Bertner Avenue, Unit 1632, Houston, TX 77030, Attention: HIM; or
- In person at an HIM satellite location.

2.3 Patients may be required to complete a HIPAA Authorization prior to release of records, depending on the identity of the recipient, the nature of the documents to be released, and the purpose of the release. See Patient Privacy: Authorization for the Use and Disclosure of Protected Health Information (PHI) Policy (UTMDACC Institutional Policy #ADM0396).

2.4 The HIM Department is generally responsible for processing requests for access to PHI. However, other Workforce Members are permitted to release certain documents to patients, their Personal Representative, or to other individuals involved in the patient's care (see Patient Privacy: Disclosures of Protected Health Information to Individuals Involved in a Patient's Care Policy (UTMDACC Institutional Policy #ADM1032)). Workforce Members should document these releases in the patient's medical record, in a note or using the Quick Release or Quick Disclosure function.

2.5 Some records are maintained in systems outside of HIM and the EHR. For releases that involve more than one information system, HIM coordinates the compilation of documentation from the various locations, with the assistance of Legal Services, if needed.

3.0 Timely Action Requirements

3.1 A patient's request to access, inspect, and/or copy his/her PHI will be either fulfilled or denied no later than fifteen (15) days after receipt of the request.

3.2 If a patient's request cannot be fulfilled within fifteen (15) days, contact the Institutional Compliance Office for assistance.

4.0 Fulfilling Requests

4.1 MD Anderson will provide the patient with access to PHI in the form and format requested by the patient, including electronically, whenever feasible.

4.2 Any agreed-upon method may be used for fulfilling the request so long as such method accurately transmits the requested information and is reasonably calculated to maintain the security and confidentiality of the information as required by law, such as:
A. Mailing, faxing, or e-mailing copies of the requested PHI to the patient;
B. Releasing electronic records through mymdanderson (Note: Not all records are technically capable of being released through mymdanderson);
C. Providing the patient with records on electronic media or devices, including CDs, DVDs, or external drives;
D. Permitting the patient to inspect and copy the requested PHI at a secure on-site facility; or
E. Arranging for the patient to pick up copies of the requested PHI from a secure on-site facility.

4.3 MD Anderson may provide a summary or explanation of the requested PHI in lieu of providing all requested materials if:
A. The patient agrees in advance to receive a summary or explanation in lieu of all requested materials; and
B. The patient agrees in advance to any fees associated with production of the summary or explanation.

4.4 If the PHI requested is maintained in more than one location, MD Anderson is only required to produce the PHI once in response to a request for access.

5.0 Applicable Fees

5.1 MD Anderson may charge reasonable, cost-based fees in exchange for providing copies of requested information.

5.2 Fees may include only the cost of:
A. Labor for copying PHI;
B. Supplies for creating the paper copy or electronic media;
C. Postage; and
D. Preparing an explanation or summary of the PHI, if agreed to by the patient.

5.3 Fees will not exceed the maximum amounts allowed by Texas Health & Safety Code, section 241.154, as annually adjusted.

5.4 Fees will not be imposed for a patient or his/her authorized representative to inspect (rather than obtain copies of) PHI.

6.0 Denials Generally

6.1 MD Anderson may completely or partially deny a patient's request for access to his/her PHI if the requested PHI is exempt from disclosure under this policy. With the exception of the non-reviewable denials described in Sections 2.1 and 8.0, a patient has a right to have a denial reviewed.

6.2 If it appears that a request merits denial, the request should be forwarded to Legal Services or the Institutional Compliance Office for handling.

6.3 Denials must be made in writing by Legal Services or the Institutional Compliance Office.

6.4 If a request is denied, either completely or partially, MD Anderson will provide written notice of denial no later than the expiration of the applicable timely action deadlines described in Section 3.0. The denial must:
A. Explain the specific grounds for the denial;
B. Explain the patient's right to request a review of the denial, if applicable;
C. Explain the patient's right to file a complaint, including at least the names, titles, and phone numbers of the parties responsible for receiving complaints (MD Anderson's Privacy Officer and the Secretary of Health and Human Services); and
D. Include, if applicable and to the extent possible, any of the requested information remaining after exclusion of the PHI that has been denied.

7.0 Reviewable Denials

7.1 In the following circumstances, MD Anderson may deny a patient's request for access to their PHI:
A. A Licensed Health Care Provider has determined (in the exercise of professional judgment) and documented that granting access to the PHI requested is reasonably likely to endanger the life or physical safety of the patient or another person;
B. The requested PHI makes reference to another person (unless such person is a Health Care Provider) and a Licensed Health Care Provider has determined and documented that the access requested is reasonably likely to cause substantial harm to this other person; or
C. The request for access is made by the patient's Personal Representative and a Licensed Health Care Provider has determined and documented that providing access to the representative is reasonably likely to cause substantial harm to the patient or another person.

7.2 If access is denied under Section 7.1, the patient has a right to have the denial reviewed by a Licensed Health Care Provider who did not participate in the original decision to deny the request, and who is designated by MD Anderson to act as a reviewing official. This review of the denial must be completed within a reasonable period of time, and the patient must be notified promptly of the reviewing official's determination. MD Anderson will provide or deny access to the requested PHI in accordance with the determination of the designated reviewing official.

7.3 Additionally, under Texas law, MD Anderson may deny a patient's request for access to his/her PHI if a physician has determined that access to the information would be harmful to the physical, mental, or emotional health of the patient. Note: If the physician denies the request in whole or in part, the patient must be furnished with a written statement signed and dated by the physician, providing the reason for the denial. A copy of the statement must be placed in the billing or electronic health records, as applicable.

8.0 Non-Reviewable Denials

In the following circumstances, MD Anderson may deny a patient's request for access to his/her PHI without providing the patient with an opportunity to have the denial reviewed:

8.1 The requested information is excepted from access under Section 2.1;

8.2 MD Anderson is acting under the direction of a correctional institution and the release of information in response to a request from an inmate or correctional institution would jeopardize the health, safety, security, custody, or rehabilitation of the patient or of other inmates, or the safety of any officer, employee, or other person responsible for the inmate;

8.3 The patient is participating in research involving treatment and has consented to the denial of access while participating in that research; or

8.4 The PHI was obtained from someone other than a Health Care Provider under a promise of confidentiality and the access requested would reveal the source of the information.

9.0 Documentation

9.1 Documentation of patients' written requests for access and any denials will be retained for at least six (6) years, and in accordance with MD Anderson's Retention of Official Medical Records Policy (UTMDACC Institutional Policy #ADM0386).

ATTACHMENTS / LINKS

HIPAA Definitions Plan (Attachment #ATT0699).

RELATED POLICIES

Legal Medical Record Policy (UTMDACC Institutional Policy #CLN0554).
Patient Privacy: Authorization for the Use and Disclosure of Protected Health Information (PHI) Policy (UTMDACC Institutional Policy #ADM0396).
Patient Privacy: Disclosures of Protected Health Information to Individuals Involved in a Patient's Care Policy (UTMDACC Institutional Policy #ADM1032).
Patient Privacy: Right to Request Amendment of PHI Policy (UTMDACC Institutional Policy #ADM0390).
Patient Privacy: Right to Request Privacy Protections and Other Restrictions on the Disclosure of PHI Policy (UTMDACC Institutional Policy #ADM0393).
Retention of Official Medical Records Policy (UTMDACC Institutional Policy #ADM0386).

JOINT COMMISSION STANDARDS / NATIONAL PATIENT SAFETY GOALS

IM.02.01.01: The hospital protects the privacy of health information. Comprehensive Accreditation Manual for Hospitals (CAMH), 2015.
IM.02.01.03: The hospital maintains the security and integrity of health information. Comprehensive Accreditation Manual for Hospitals (CAMH), 2015.

OTHER RELATED ACCREDITATION / REGULATORY STANDARDS

42 U.S.C. 17935 (2010).
45 C.F.R. 164.524.
42 C.F.R. 482.13(d)(1).
42 C.F.R. 482.24(b)(3).
Texas Occupations Code Ch. 159.
Texas Health & Safety Code Ch. 181.
Texas Health & Safety Code Ch. 241, Subch. G.
Texas Administrative Code Ch. 165.
Texas Department of State Health Services, Maximum Fees Allowed for Providing Health Care Information, Effective October 3, 2014.

REFERENCES

None.

POLICY APPROVAL

Approved With Revisions Date: 05/24/2016
Approved Without Revisions Date:
Implementation Date: 05/24/2016
Version: 33.0

RESPONSIBLE DEPARTMENT(S)

Institutional Compliance Office