Earlier this year, the U.S. Department of Health & Human Services (HHS) clarified certain patient rights under HIPAA regarding access to protected health information (PHI) in their January 2016 release of Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524. Generally, an individual (patient) has a right to access his or her own medical records under HIPAA; however, this right is not absolute. The new HHS guidance provides important distinctions regarding the timeliness of responses to requests for PHI, the narrow grounds for denying such requests, and other various aspects of HIPAA.

What Medical Record Information Can Be Disclosed?

Now that the covered entity has received the request, the question becomes: “Should this information be disclosed to the patient?” A patient has a right to access PHI in his or her medical record that is contained in a Designated Records Set (DRS). DRS is a group of records maintained by or for a covered entity, comprised of:
Although the DRS should be disclosed to the patient by right under HIPAA, this does not mean all information kept by the covered entity must be disclosed. Patients have a right to access a vast range of information, including: billing and payment records; insurance information; clinical laboratory test results; and medical images (X-rays, wellness and disease management program files, and clinical case notes), among other information used to make decisions about them. The covered entity is not, however, required to create new information that does not already exist in the DRS. Information excluded from the DRS is that which is not used by the covered entity to make decisions about the patient. For example, quality assessments and improvement records are generally used to make business decisions rather than patient decisions. Other information that is not disclosed to patients may include peer review data, physician performance calculations, and quality control records used to improve customer service.

When Can Medical Record Requests Be Denied?

Under HIPAA, there are situations when a covered entity has the right to deny a patient access to PHI following a request for access. Universally, the entity may deny access if the information is not kept in the DRS for that patient. One special circumstance for PHI access denial, for example, is when the release of the information (as determined by a healthcare professional) could endanger the life or physical safety of the patient or another person.

Denied PHI Access that Can Be Reviewed or Appealed

There are narrow circumstances in which a covered entity may deny the request for access to a portion of a patient’s PHI. Among these circumstances, a patient has “a right to have the denial reviewed by a licensed healthcare professional designated by the covered entity who did not participate in the original decision to deny.” These special circumstances are defined under HIPAA as “reviewable” grounds for denial.
HHS clarified that general concerns about psychological or emotional harm (i.e., that the patient would be upset by the information) are “not sufficient to deny an individual access.” The mere possibility of harm is not sufficient; instead, the licensed professional needs to determine whether the possibility is “reasonably likely.” HHS expects this ground for denial will be used in a very small number of cases. According to 45 CFR § 164.524(a)(3), the other reviewable grounds occur when a licensed healthcare professional uses professional judgment to determine “access requested is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI; or the provision of access to a personal representative of the individual that requests such access is reasonably likely to cause substantial harm to the individual or another person.”

Example: If the entity believes the release of the information would lead a patient to commit suicide or harm another person, the entity has grounds to deny the request, and the patient has the right to have this denial reviewed. HHS says this exception is “narrowly construed” to protect the patient’s independence and their right under HIPAA “to obtain information about themselves, which is fundamental in facilitating individuals’ active participation in their own health care.” The reviewable grounds contain a reasonableness standard, and the patient is allowed to appeal the denial in these special circumstances.

Denied PHI Access that Cannot Be Reviewed or Appealed

There also are circumstances where the individual has no right to have the PHI access denial reviewed. The “unreviewable” grounds for denial under HIPAA include a request for “psychotherapy notes, or information compiled in reasonable anticipation of, or for use in, a legal proceeding,” according to the 2014 45 CFR § 164.524(a)(2).
Another example of unreviewable grounds is when an inmate requests PHI kept by a covered entity that is a correctional institution (or a healthcare provider acting under the direction of the institution), and providing that information would “jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other person at the institution or responsible for the transporting of the inmate.” HIPAA also allows a covered entity to deny, without review, any request for PHI that:
In other words, a patient does not have the right to access psychotherapy notes of a provider that are kept separate from the patient’s medical and billing records. More specifically for psychotherapy notes, “individuals do not have a right to access the psychotherapy notes that a mental health professional maintains separately from the individual’s medical record and that document or analyze the contents of a session with the individual,” according to the January 2016 HHS guidance.

Other HHS Guidance and Factors

Business Associates: A patient has the right under HIPAA to access their own PHI, and the right extends to PHI held by a business associate of a covered entity. HHS also stressed the business associate agreement will govern the issue of how the information is disclosed and how quickly a response to a request is made, provided the agreement complies with HIPAA.

Payment for Healthcare Services: Although a covered entity or business associate may charge the individual a “reasonable, cost-based fee” for a copy of medical records, the provider may not withhold or deny a patient access to their PHI simply because the patient has not paid the bill for healthcare services provided to the patient.

Clinical Laboratory Tests: Under HIPAA, a clinical lab test report becomes part of the lab’s DRS for that patient. HHS explains that this only applies to “completed” clinical lab test reports; however, other test information may become part of the DRS, even though the report is not completed. Examples of this type of information are test orders, ordering provider information, billing information, and insurance information. HHS made clear that the clinical lab is under no obligation to interpret any test result for a patient.
The patient’s right under HIPAA is to “merely inspect or receive a copy of the completed test reports.” But a clinical lab may provide materials along with the requested PHI that help to educate or explain the test results, as well as provide a disclaimer about the limitations of the laboratory data or diagnosis.

EHR Incentive Program Guidelines: There are situations where a covered entity has incentives to provide a patient with timely access to PHI. For example, there are requirements under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs where a covered entity may receive incentive-based payments from Medicare or Medicaid for successfully demonstrating meaningful use of certified EHR technology, “which includes providing patients the ability to view online, download, and transmit their health information.” HHS notes that these requirements are more precise than the HIPAA requirements.

Be Cautious When Disclosing PHI to Patients

Covered entities and business associates should be cautious when complying with a request for medical records by a patient. First, the provider must determine what information needs to be included in the DRS. Second, the provider must determine if the information requested by the patient is contained within the DRS. If so, the provider should disclose this information to the patient or representative. If the information is not contained in the DRS, the provider can deny the request for PHI under HIPAA; and depending on the information requested, that denial may (or may not) be eligible for review.

Robert A. Pelaia, Esq., CPC, CPCO, is deputy general counsel at the University of South Florida in Tampa, Fla. He is certified as a Health Care Law Specialist by the Florida Bar Board of Legal Specialization and Education, serves on AAPC’s Legal Advisory Board, and was a 2011-2013 AAPC National Advisory Board member. Pelaia is a member of the Tampa, Fla., local chapter.
Drew Krieger, Esq., MBA, is a recent law school graduate with experience in healthcare law. He previously worked for a small, transactional healthcare law firm. Krieger resides in Jacksonville, Fla.

PHI Requests, Denials, and Appeals was last modified: May 1st, 2016