This Policy 6 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.
6.1 Right to Notice of Privacy Practices
Forms for each of the rights described in this section are available at http://www.bu.edu/hipaa/forms-for-health-care-providers/
Notice of Privacy Practices
Patients have the right to be informed of the uses and disclosures of their PHI that may be made by the Covered Component, and of their rights and the Covered Component’s responsibilities under HIPAA. To this end, each Covered Component is required to have a Notice of Privacy Practices (“NPP”) approved by the BU HIPAA Privacy Officer. Under Massachusetts law, Covered Entities must include in their NPP a notice of the Covered Component’s records retention and destruction policy for its medical records.
Posting the NPP
The NPP must be posted in an area where patients will see it. If the services of the Covered Component are described on any website, the Covered Component shall also ensure the approved NPP is prominently posted on the Covered Component’s website.
Providing NPP to Patients
The Covered Component must provide a copy of its NPP to patients no later than the first date the Covered Component provides health services to the individual.
The Covered Component must make a good faith effort to obtain written acknowledgement from the individual of his/her receipt of the NPP. If the Individual declines to sign the acknowledgment for any reason, the Workforce member who offered the NPP shall document that s/he offered it, and that the Individual declined to sign. The Acknowledgment form shall be placed in the Individual’s medical record. In addition, Covered Components must make copies of the NPP available to any Individual who requests one at any time.
6.2 Right to Access and Copy Own Health Record
Except in limited circumstances described below, individuals have the right to access, inspect and receive a copy of PHI about them in the Covered Component’s Designated Record Set.
Use of Authorization Form
A written request is not legally required in order to provide copies of the Designated Record Set, in whole or in part, to the patient to obtain his/her own information. However, a written request on BU’s approved Authorization form allows the Covered Component to ensure that it is providing what the individual wishes to have and is doing so in a timely manner. Approved Authorizations are found at http://www.bu.edu/hipaa/forms-for-health-care-providers/
When complete medical records are requested, the Covered Component should refer to its Designated Record Set procedure when a request for PHI is received to ensure disclosure of all documents subject to disclosure.
Time Period to Respond and Provide Access
Requests for records for the purpose of a claim or appeal under any provision of the Social Security Act or any federal or state financial needs-based benefit program must be furnished within 30 days pursuant to Massachusetts law, without any extension of time. All other requests should be fulfilled as soon as practicable.
If the Covered Component is not able to provide the requested records or respond to the request within 30 days, the Covered Component shall contact the BU HIPAA Privacy Officer and the BU HIPAA Privacy Officer may provide the Individual written notification of the reasons for the delay and the expected date of fulfilling the request.
Format of Records
The Covered Component shall provide the information requested in the format requested by the individual, if reasonably possible. The BU HIPAA Security Officer is available to advise on producing PHI in an electronic format. The Covered Component shall contact the BU HIPAA Privacy Officer in the event it is not able to accommodate the individual’s preferred format.
Inspection or Summary in Lieu of Copies
If the individual requests inspection of the records rather than a copy, the Covered Component shall arrange for a mutually convenient time and place for the individual to inspect the Designated Record Set. The Covered Component may provide an individual with a summary or an explanation of the PHI requested, in lieu of providing access to the PHI, if the individual:
Clarification of Request Permitted
The Covered Component may discuss the scope, format, and other aspects of the request for access with the individual, as necessary to facilitate the timely provision of access or copies.
Charges for copies
Electronic copies: Covered Components may charge a flat fee of $6. If a Covered Component receives a request for electronic copy of a record which will entail an unusual amount of work, the HIPAA Contact shall contact the BU HIPAA Security Officer for guidance;
Paper copies: Covered Components may not charge a flat fee for paper copies. Any charges must be reasonable and based on the labor and supply costs of copying.
When Requests for PHI May be Denied
Grounds for Denial:
The Covered Component may deny an individual access to PHI in certain limited situations. Before denying access or copies, the Covered Component shall notify the BU HIPAA Privacy Officer, who will assist in ensuring the Covered Component fulfills its obligations under HIPAA, including written notification to the individual of the Covered Component’s decision.
Unreviewable Ground for Denial – The Covered Component may deny an individual access, in whole or in part, without providing the individual an opportunity for review, in the following circumstances:
Reviewable Grounds for Denial:
Denials of access based on reasons listed below are subject to review by a licensed healthcare professional who was not involved in the original decision to deny access, upon the written request of the individual. Reviewable grounds for denial include:
Procedure when Request Is Denied
The Covered Component and BU HIPAA Privacy Officer shall notify the individual in writing of the denial, including:
In the case of denials subject to review, if an individual submits a written request for a review, the Covered Component shall:
6.3 Right to Request Amendment
Patients have the right to request in writing that PHI in a Covered Component’s Designated Record Set be amended. Note the patient does not have an unqualified right to amend, but has a right to request, and the Covered Component must consider the request as described below.
Procedure for Individual to Request Amendment
An individual who desires an amendment must provide the Covered Component a written statement identifying the portions of the record s/he considers inaccurate or incomplete, and the substitute or additional information s/he wishes to be added to the record. The individual may use BU’s approved form (see http://www.bu.edu/hipaa/forms-for-health-care-providers/) or may provide a substantially similar written request.
Covered Component’s Response to Request
Upon receiving a Request to Amend, the Covered Component’s HIPAA Contact shall review it. If the request is to correct demographic information or any information that originally came from the individual and which the individual says was recorded inaccurately, the HIPAA Contact, in his/her judgment, may make the correction. Examples include correcting spellings, ethnicity, date of birth and similar matters. Any requests to amend information entered in the record by a treating health care provider (e.g., diagnosis; prognosis; history of condition; etc.) shall be forwarded to that provider and to the BU HIPAA Privacy Officer. The treating healthcare provider who made the entry will determine whether to allow the amendment. The request to amend may be denied if the original record is accurate. The decision to grant or deny a request to amend should be made within 60 days of the request. If after 30 days the Covered Component has not been able to make a decision, it should contact the BU HIPAA Privacy Officer.
When the Covered Component Grants the Request to Amend
Within 60 days of receipt of the written request to amend, the Covered Component shall notify the individual that it has accepted the request, and shall make the change requested to the medical record, as follows:
Paper Record: Amendments will be made by drawing a single line through the original entry in such a way that the original entry remains legible. Where the entry has been changed the word “amendment” should be clearly printed at the incorrect entry, the correct information shall be entered, and the Covered Component staff person making the change should initial and date the correction.
Electronic Record: The Covered Component may make electronic corrections in such a way as to make it clear that an entry is being corrected, noting the person making the correction and the date of correction.
In addition to notifying the individual and making the change, the Covered Component should determine whether the information subject to the amendment has been disclosed to anyone outside of the Covered Component who may have had reason to rely on the amended information, and if so, shall forward the amended entry to those recipients.
When the Covered Component Denies the Request to Amend
Before denying a request to amend, the Covered Component must consult with the BU HIPAA Privacy Officer. The request to amend may be denied when the information to be amended:
The Covered Component must notify the individual of its decision, in plain language, including the following:
Recordkeeping
The completed Request for Amendment in Medical Record Form, the Covered Component’s Response and any statement of disagreement will be filed in the individual’s record.
6.4 Right to an Accounting of Disclosures
Patients have the right under HIPAA to request an Accounting of disclosures of their health information, and Covered Components have the obligation to fulfill such requests by following the procedures in this Policy. Covered Components should contact the HIPAA Privacy Officer if any Request for Accounting is received.
What is in an Accounting?
The Accounting includes disclosures made without the individual’s Authorization within the 6-year period prior to the date of the request, or such shorter period as the Individual may request. Example of disclosures included in an Accounting:
The following are excluded from an Accounting:
How the Individual Makes a Request for an Accounting
Requests for an Accounting of disclosures of PHI must be made in writing to the Covered Component. The Individual may use the “Request for an Accounting of Disclosures” form or may provide substantially the same information in another writing. The Covered Component should consult with the BU HIPAA Privacy Officer on any request for Accounting.
Time to Respond
The Covered Component must respond by providing the Individual an Accounting in writing within 60 days of the request. If after 30 days, it appears the Accounting may take longer, the BU HIPAA Privacy Officer may notify the individual in writing of the reason for the delay, and/or may extend time to provide the Accounting of disclosure by an additional 30 days.
Information about Each Disclosure in Accounting
The following elements must be included for each disclosure listed on the Accounting of Disclosure:
Accounting for disclosures made for research involving 50 or more individuals
When disclosures are made for research involving 50 or more individuals, the Accounting of Disclosures may be limited to providing to the individual the following information:
Tracking Disclosures for Accounting Purposes
In order to be prepared to fulfill a request for Accounting, the Covered Component must track all disclosures of an individual’s PHI in the Designated Record Set that may be required in an Accounting.
Charge for Providing an Accounting of Disclosures
The Covered Component may not charge an individual requesting an Accounting of Disclosures for the first Accounting in a 12-month period. The Covered Component may charge a reasonable fee for subsequent requests in the same 12-month period. Each Covered Component shall document its procedure on fees for an Accounting.
Denial Due to Special Circumstances
The Covered Component must temporarily suspend an individual’s right to receive an Accounting of disclosures to a health oversight agency or law enforcement official if such agency or official provides the Covered Component with a written statement that providing such an Accounting to the individual would impede the agency’s or official’s activities and specifying the time for which such suspension is required. If the agency or official makes such a request orally, the Covered Component must document the statement including the name of the agency and official making the statement and must temporarily suspend the individual’s right to an Accounting of any disclosures made to such agency in accordance with the statement. Temporary suspensions may be allowed for a period not to exceed thirty (30) days from the date of an oral request; if the agency or official submits a written request for a suspension for a period longer than 30 days, the Covered Component shall comply.
6.5 Right to Request Restriction
Types of Restrictions Available
Patients have the right to request a restriction on uses and disclosure of their PHI. Typical requests include asking the Covered Component to not share any information, or a certain type of information, with a family member or friend of the Individual, which should be granted in most circumstances.
The Covered Component should endeavor to accommodate all reasonable requests but should not agree to a restriction if it is not feasible to comply with it. All requests for restriction shall be forwarded to the Covered Component’s HIPAA Contact, who must consult the BU HIPAA Privacy Officer before denying. The Covered Component should inform the Individual in writing of its decision. An Individual may make a request for a restriction either in writing or orally. If an oral request is made, the Covered Component should document the request in the medical record. A form is available for requesting the restriction, but its use is optional. The Individual does not need to explain the reason for the request. HIPAA recognizes that Individuals may wish to obtain specific health care services without informing their health care insurers. To that end, the following restriction must be accepted and implemented by the Covered Component:
The following uses and disclosures may not be restricted:
Terminating a Restriction
The Covered Component may terminate a restriction in the following circumstances:
The Covered Component may not terminate a restriction on disclosing information to the individual’s insurance company when the individual has paid for the services in full.
6.6 Right to Request Confidential and Alternate Modes of Communications
Individuals have the right to request that Covered Components communicate with them by an alternative means (e.g., written, electronic or oral) or at an alternative location (e.g., work, school or home). Requests should be submitted by the Individual in writing. A form is available for this purpose. The Individual is not required to provide a reason for the request. Examples of alternate communication requests:
Non-Secure Email/Text Requests
The Covered Component Workforce must use only the secure email system when communicating electronically with patients, and may not initiate, suggest or recommend non-secure email or text communications involving PHI. However, if a patient requests communication via non-secure email or text message, the Covered Component shall do the following:
If a Workforce member receives a non-secure email or text from a patient, s/he should respond by sending a new message (DO NOT REPLY to avoid re-publishing any identifiable health information sent by the patient in the initial message): Thank you for contacting me. [Covered Component] has a policy of not communicating with patients via regular email or text because they are not considered secure, and communications may be intercepted. We use DataMotion, an encrypted email program, to communicate securely. Please reply to tell me your preference:
Accepting/Denying Other Requests
The Covered Component must consider any request to receive communications by an alternative means and make reasonable attempts to accommodate the request. However, the Covered Component should not agree to any request it cannot reasonably implement. Before denying any such request, the Covered Component’s HIPAA Contact must consult with the BU HIPAA Privacy Officer. Upon acceptance/denial of such a request, the Covered Component will inform the Individual of its decision. If any Business Associate of the Covered Component may communicate with the Individual requesting a restriction, the Covered Component must inform that Business Associate.
6.7 Right to Complain
Covered Components must provide a process for their patients to make complaints if they believe their information privacy or security rights have been violated. The Covered Component may not retaliate against any patient who makes such a complaint.
BU EthicsPoint
Anyone, including patients, staff and others, wishing to make a confidential report about a possible privacy breach may do so at BU’s confidential hotline, EthicsPoint. Alternatively, a report may be made by telephone at 866-294-8451.
Resolution of Complaint
The BU HIPAA Privacy Officer and HIPAA Contact will endeavor to satisfy the patient’s concerns. If the BU HIPAA Privacy Officer finds no violation, s/he will notify the Individual in writing. If the BU HIPAA Privacy Officer finds merit in the complaint after consultation with the Covered Component HIPAA Contact, s/he will notify the Individual of the findings and a proposed resolution to address harm, if any, to the Complainant. If investigation of the Complaint indicates a Workforce member has violated or contributed to a violation of these policies or of the law, disciplinary action will occur under Policy 7 Breaches, Section 7.5: Enforcement and Sanctions.
What is the patient's right under the Privacy Rule?
With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.
Which of the following are patient privacy rights under HIPAA?
What are HIPAA Patient Rights? Patients have a number of rights under the HIPAA Privacy Rule. These rights cover how and when protected health information can be used; the right of access to medical records; and the right to amend PHI.
How many basic rights are covered under HIPAA?
What does HIPAA law protect? The HIPAA Privacy Rule protects 18 identifiers of individually identifiable health information.
What is privacy code for patient?
Patient Privacy Code is a unique, 4-digit code provided to a patient or his/her personal representative that must be verified by healthcare providers to share information with family members, friends or others.