Patients’ Rights and Your Responsibilities
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule standards address the use and disclosure of individuals’ Protected Health Information (PHI) by organizations subject to the Privacy Rule. The Rule also addresses standards for individuals’ privacy rights so that patients can understand and control how their health information is used and disclosed.
Patient Access to Information
Patients have the right to inspect and receive a copy of their PHI in a designated record set, which includes information about them in your medical and billing records. (Designated record sets are explained at the end of this chapter.) Generally, a CE must grant or deny the request for access within 30 days of receipt of the request. If the health information is held in electronic format and the patient requests to receive it in a specific electronic format, a CE must provide it in the electronic format requested by the patient if it is readily producible. If the format is not available, the CE must provide the health information in an electronic format agreed to by the patient and CE.
Under the Meaningful Use requirements, additional rights apply as well. For example, as your practice gains the capability to demonstrate Stage 2 Meaningful Use, you will be required to respond to any requests from your patients to transmit an electronic copy of PHI directly to persons or entities they designate. An individual may request that you transmit PHI in your records to his or her Personal Health Record (PHR) or to another physician. Your EHR developers, as your BAs, must cooperate in this obligation.
Amending Patient Information
Under the HIPAA Rules, patients have the right to request that your practice amend their PHI in a designated record set. Generally, a CE must honor the request unless it has determined that the information is accurate and complete. The CE must act on an individual’s request for an amendment no later than 60 days after the receipt of the request. If you accept an amendment request, your practice must make the appropriate amendment by identifying the records in the designated record set that are affected by the amendment and providing a link to the location of the amendment. If you refuse the request, additional requirements, including the patient’s right to file a statement of disagreement that stays with the health record, apply.
Accounting of Disclosures
Individuals have a right to receive an accounting of disclosures of their PHI made by your practice to a person or organization outside of your practice. An accounting of disclosures is a listing of the:
• Names of the person or entity to whom the PHI was disclosed
• Date on which the PHI was disclosed
• Description of the PHI disclosed
• Purpose of the disclosure This right to an accounting is limited, as the Rule does not require you to include disclosures made for treatment, payment, heath care operations, and several other purposes and situations. Your practice is required to provide an accounting of disclosures for the six years prior to the date on which the accounting was requested.
Rights to Restrict Information
Individuals have the right to request that your practice restrict certainly:
• Uses and disclosures of PHI for treatment, payment, and health care operations
• Disclosures to persons involved in the individual’s health care or payment for health care
• Disclosures to notify family members or others about the individual’s general condition, location, or death If your patient (or another person on behalf of the individual) has fully paid out-of-pocket for a service or item and also requests that the PHI not be disclosed to his/her health plan, your practice cannot disclose the PHI to a health plan for payment or health care operations. You should implement policies and procedures that ensure this directive can be carried out. Right to Confidential Communications Your practice must accommodate reasonable requests by your patients to receive communications from you by the means or at the locations they specify. For example, they may request those appointment reminders be left on their work voicemail rather than home phone voicemail.