Individuals have certain rights under the HIPAA Privacy Rule regarding the use and disclosure of their protected health information (PHI) in whatever form it exists—oral, written, or electronic. Covered entities and business associates alike must ensure that they are prepared to properly address individuals exercising those rights.

1. Right to Request Access
Regulations under HIPAA have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and business associates.

2. Right to Request an Accounting of Disclosures
Individuals have the right to request a listing of all disclosures that were not associated with treatment, payment, or healthcare operations. The accounting of disclosures must contain the following for each disclosure:

3. Right to Request an Amendment
The HIPAA Privacy Rule provides individuals with the right to request an amendment of their PHI within the designated record set. The rule specifies the processes covered entities must follow in responding to such a request. Covered entities may require individuals to make requests for amendment in writing and to provide a reason to support the amendment, provided that they inform individuals in advance of such requirements.

4. Right to File Privacy Complaints
The individual has a right to file a complaint related to a privacy policy with the organization without alleging a violation of their rights. Also, any person who believes that a covered entity is not complying with the HIPAA Privacy Rule may file a complaint with the Office for Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS). Individuals do not have to be a patient or resident of the healthcare provider or a beneficiary of a health insurance plan to file a complaint.

5. Right to Request Confidential Communications
Individuals have the right to request restrictions on how and where their PHI is communicated. To comply with the HIPAA Privacy Rule regarding confidential communications, the organization must permit individuals to request to receive communications of PHI by alternative means or at alternative locations.

6. Right to Request Restrictions
Under HIPAA, individuals have the right to request that a covered entity restrict the use of their PHI. In those cases, disclosure of the restricted information is allowed only in specific situations, such as emergencies.

For patients, the HIPAA Privacy Rule means being able to make informed choices when seeking care and reimbursement based on how personal health information may be used. For organizations, it is their responsibility to protect a patient's right to ensure that their health information is accurate and used only for authorized and allowable purposes.

Scope
This policy applies to all personnel, regardless of affiliation, who create, access or store Protected Health Information (“PHI”) under the auspices of Indiana University, designated for purposes of complying with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Please refer to the HIPAA Affected Areas document for a full list of units impacted within Indiana University.

Policy Statement

Required Notice of Privacy Practices

General Rule
The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices. IU Health Care Components must comply with the notice requirement.

Content of the Notice
Health Care Components are required to provide a notice in plain language that describes:
The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals.

Providing Notice

The Right to Access PHI

General Access
Under HIPAA, individuals have a right to examine and, if they wish, to receive a copy of, all the health information a covered entity has related to that individual, used to make decisions about them. If an individual wishes to examine their health information or designated record set (DRS), each Health Care Component should have a process in place to allow them to do so. If the patient wishes to examine their information held at other sites or multiple sites around campus such as their billing records, dental records, and chest x-ray images, the Health Care Component should provide them with a form designed for this purpose or refer them to the covered entity that houses their record (e.g., IUH - “Authorization to Release and Disclose Patient Information”). All requests for records must be accommodated within 30 days of the request. If an individual would like a copy of their PHI, the covered entity may charge a reasonable, cost-based fee for providing this.

Attachment A – Sample Request to Access

Access to Mental Health Records/Access to Psychotherapy Notes
If an individual requests access to or copies of “psychotherapy notes”, then the request may be declined if the provider determines there is a substantial risk of significant adverse or detrimental consequences to an individual in seeing or receiving a copy of mental health records requested by the patient. The only requirements are as follows:
If an individual requests access to “mental health records” that do not qualify as psychotherapy notes (e.g., diagnosis and functional status summaries), the individual has the right of access to inspect and obtain a copy of the records, as long as the information is maintained in the DRS, unless an exception applies.

Exceptions to the individual’s right to access

The Right to Amend PHI

Request to Amend Record
An individual has a right to request that the Health Care Component amend the DRS or other information in the individual’s record. The individual must provide a written request for the amendment and provide the reason to support the requested amendment. The Health Care Component must inform individuals in advance of these requirements (i.e., that the request for an amendment be in writing and that the individual provide a reason to support a requested amendment). The Health Care Component must maintain the written request for 6 years.

Attachment B – Sample Request to Amend

Response to Request
The Health Care Component must act on the individual’s request for an amendment no later than 60 days after receipt of such a request by either accepting and making the amendment, or denying the request in writing. If the Health Care Component is unable to act on the amendment within 60 days, it may take a one-time delay of no more than 30 days by providing the individual, within the initial 60 days of receipt of the request for an amendment, with a written statement of the reasons for the delay and the date by which action on the request will be completed.
If the Health Care Component accepts the amendment in whole or in part, the area must:
The Health Care Component may deny an individual’s request for amendment, if it determines that the record:
3. Notification of Decision to Deny Request to Amend
If the Health Care Component denies the request to amend, it must provide in writing:
An Individual’s Right to Request Restriction on the Uses and Disclosures of Protected Health Information (PHI)
Attachment C – Sample Request to Restrict PLACEHOLDER

An Individual’s Right to Request Confidential Communications
The Health Care Component must permit individuals to request communications of PHI from the area and must accommodate reasonable requests to receive communications of PHI by alternative means of communication or to alternative locations. The Health Care Component may not require the individual to explain the reason for the request. The area will accommodate reasonable requests if:
An Individual’s Right to Request an Accounting of Disclosures
Right to File a Complaint
By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses (collectively, “covered entities”) had until April 14, 2003, to comply with the HIPAA Privacy Rule. (Small health plans had until April 14, 2004, to comply.) Activities occurring before April 14, 2003, are not subject to Office for Civil Rights (OCR) enforcement actions. After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred. The Secretary may waive this 180-day time limit if good cause is shown.

Each Health Care Component should have a process in place to allow an individual to file a complaint as required under the HIPAA Privacy Rule. This process should be outlined in the notice of privacy practices as stated in Section I. The Health Care Component should also provide individuals with an opportunity to first file a complaint with the unit. You must also inform individuals that you will not retaliate against them for filing a complaint.

Filing a complaint with Health Care Component
Provide:
Name of the Organization
Title of the Individual with whom they can file a complaint (Privacy Officer)
Write to: Address, City, State Zip
Call: Phone Number (as applicable)
Email: email address (as applicable)
Visit: Website (as applicable)

Filing a complaint with IU
Provide:
Indiana University
University HIPAA Privacy Officer
Write to: 980 Indiana Avenue, Suite 4441, Indianapolis, Indiana 46202

Filing a complaint with the Department of Health & Human Services
Provide:
Department of Health & Human Services
Office for Civil Rights
Write to: 200 Independence Avenue, S.W., Washington D.C. 20201
Call: 1-877-696-6775
Visit: www.hhs.gov/ocr/privacy/hipaa/complaints/

Reason for Policy
Indiana University is committed to protecting the privacy of health information as required under the HIPAA Privacy and Security Rules. HIPAA affords individuals and their representatives certain rights, such as the right to receive a Notice of Privacy Practices and the right to access, inspect and copy their record or designated record set. This policy describes the rights afforded all individuals under the HIPAA Privacy Rule.

Does HIPAA provide individuals with the right to request an accounting of disclosures of their PHI?
Under the HIPAA Privacy Rule, an individual, under certain circumstances, has the right to receive an accounting of disclosures — HIPAA Accounting — of that individual's protected health information (PHI) made by a covered entity in the last six years prior to the date on which the account is requested.

What are the rights of an individual to PHI under HIPAA?
The HIPAA Privacy Rule provides individuals with the right to inspect their PHI held in a designated record set, either in addition to obtaining copies or in lieu thereof, and requires covered entities to arrange with the individual for a convenient time and place to inspect the PHI.

Does HIPAA allow the use and disclosure of PHI for treatment?
The HIPAA Privacy Rule allows covered entities to disclose individuals' protected health information (PHI) for purposes of treatment, payment, and health care operations (TPO). HIPAA does not require a written authorization, consent, or any other form of release for most TPO disclosures.

What is a HIPAA accounting of disclosures?
HIPAA Disclosure Accounting or Accounting of Disclosures (AOD) is the action or process of keeping records of disclosures of PHI for purposes other than Treatment, Payment, or Healthcare Operations. You are required by law to provide patients a list of all the disclosures of their PHI that you have made outside of TPO.