CMA: Access, Amendment & Disclosure Accounting


Disclaimer: CMA/PrivaPlan PrivaGuide: Access, Amendment and Disclosure Accounting

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.


PrivaGuide: Access, Amendment and Disclosure Accounting
By Lesley Berkeyheiser and David Ginsberg


Introduction

HIPAA gives subject individuals (i.e. “patients” or “plan members”) the right to inspect protected health information (PHI) that pertains to them, to have incomplete or inaccurate information corrected, and to receive an accounting of disclosures of this information.  Specifically, this means:

  • Access, amendment and disclosure accounting requests must be honored within a specific time frame.  If you cannot meet the deadline, you must communicate your reasons in writing.
  • If you have a legitimate reason to deny a request, you must communicate this reason in writing.
  • If you deny certain requests, the patient has the right to have a third party review the denial, and to have the reviewer’s decision communicated in writing.
  • You must document the “designated record sets” that contain PHI pertaining to the patient.
  • You must log certain types of disclosures so that this information is available, should the patient request a disclosure accounting.
  • Under California law, you must also give the patient the option of adding an addendum to the patient’s medical records.
  • Special rules may apply when you receive a request from the patient’s personal representative rather than the patient.

What is a “Designated Record Set?”

Patients do not have a right to access any and all information that pertains to them.  HIPAA gives patients the right to access information only in “designated record sets.”  Also, the patient’s right to amend incorrect or incomplete PHI applies only to designated record sets.

Basically, a designated record set is a group of records that is used to make decisions about the patient. This includes record sets that contain:

  • The medical and billing information maintained by or for a health care provider;
  • Enrollment, payment, claims adjudication or case management records maintained by or for a health plan; or
  • Any other information that is used to make decisions about the patient.

How to do this:

This section contains implementation and maintenance suggestions for processing access, amendment and disclosure accounting requests.  “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities.  Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation and California law apply to you.


PROCEDURE—PROVIDING ACCESS TO PHI

Implementation Suggestions:

  1. It is important to have written documentation signed by the patient or their personal representative whenever they wish to access their PHI. HIPAA does not require that access requests be made in writing.  HIPAA does, however, allow you to require that these requests be submitted to you in writing, provided that you inform the subject individual of this requirement in your Notice of Privacy Practices.  We recommend that all requests, responses, rebuttals, etc. be maintained in written form so that there will be a “paper trail” that can be used to establish the exact sequence of events.  You can use the sample Request for Access request and response forms.
  2. If the request is from the patient’s personal representative, determine whether the request should be honored.  See the section on handling requests from personal representatives in the “Procedures Manual” under the procedure for “Individual Permission Processing.”
  3. Document the PHI that is available for access. HIPAA requires that you document the “designated record sets” that you maintain. Remember that some parts of the designated record set may be in the possession of a business associate.
  4. Create a list of the most frequently requested PHI and its location. This list should be readily available to help with locating and supplying PHI.
  5. Determine the form of the PHI and how it will be provided to a patient or their personal representative. Do you have a convenient location, perhaps a separate room, that can be used for this purpose?
  6. It is also important to determine how you will “protect” the information that is shown to a patient. HIPAA does not require that a staff member be present when a patient reviews his or her medical record.  However, we recommend that you always have a staff member in attendance (for example, it would be very easy for a patient to simply remove a troublesome part of the medical chart if left unattended).

You’re not off the hook just because it isn’t your record.

If you don’t maintain the information the patient is requesting, but you know who does, you must tell the patient where to direct their request. For example, if the request is for an operative note that is maintained by a referring surgeon, you must give the patient the name and contact information for that surgeon.

  7. Don’t forget about electronic records. Some practices maintain the patient’s medical record electronically. HIPAA allows the patient to ask for their information in a particular form or format, and you must provide it that way if it is readily producible. Consider how to provide access to electronic information without compromising the integrity of the system.  For example, if you let the patient review their electronic record at a terminal, be sure the session is “read only”, is limited to that patient’s own record, and gives no access to any other part of your system.
  8. Understand the time frames you must adhere to for access requests. California law requires that you allow inspection within five (5) working days and provide copies within fifteen (15) days of receiving the request. HIPAA’s own deadline is longer (30 days, with a possible extension), so the shorter California deadlines control.
  9. Determine the kinds of PHI that you are concerned could cause “harm” if inspected. While you are generally required under HIPAA and California law to grant patient requests for access to their own PHI, there are some exceptions. These include:
  • Mental Health Record Information—does not have to be revealed to the patient if you believe this would create a substantial risk of significant adverse or detrimental consequences to the patient. However, at the patient’s request these records must be transferred to another mental health professional of the patient’s choice, and the other procedural requirements imposed by California law must be met. See the CMA ON CALL documents on access for further information and guidance.
  • Information that has been collected in anticipation of a civil, criminal or administrative action does not have to be made available in response to an access request, unless under California law it is a “patient record”, i.e., a record which relates to the health history, diagnosis, or condition of a patient, or relates to treatment provided or proposed to be provided to a patient.
  • Also, you do not have to grant a patient’s legal representative access to PHI when you feel that such access would be reasonably likely to cause substantial harm to a minor or an incapacitated adult. Note: HIPAA provides the opportunity to deny access to any individual or personal representative if you are concerned for safety. When California law is taken into account, however, this option is only available in the case of minors and incapacitated adults.

Therefore, it is important to spend some time with the providers determining what kind of information could cause harm. Keep a list of this kind of information for quick reference.

  10. Identify a licensed health care professional who can act as a “reviewing individual” to help you address patient appeals. If you choose to deny a patient the right to access their PHI (see above), the requestor has the right to “appeal” your decision if it was based on your concern for a child’s or incapacitated adult’s welfare, or your concern that there would be a “substantial risk of significant adverse or detrimental consequences” to a patient in receiving the patient’s own mental health records.  In that case, the patient, a parent or other legal representative may insist that another “reviewing individual” decide whether your decision to deny access should be upheld or overruled.  The reviewer must be a licensed health care professional other than the person who originally denied the request.  Therefore it is important to select a licensed health care professional who will perform this function. These individuals should understand the general reasons why the organization might deny such requests. If your office does not have additional licensed health care professionals on staff, consider working with the practice’s “call group” to identify other reviewers. You can use a mid-level practitioner, a registered nurse or, of course, another physician or provider in the practice to act as the reviewer.
  11. Establish a reasonable fee for copying PHI. You may charge a fee when you must copy records in response to an access, amendment or disclosure accounting request.  HIPAA limits this to a “reasonable, cost-based fee” covering the necessary supplies, labor and postage. California law sets the fee for copies: up to 25¢ per page (50¢ per page for copies from microfilm), and actual costs for copies of x-rays or tracings derived from EKG, EEG or EMG. Records needed to appeal a denial of eligibility for Medi-Cal, SSDI or SSI/SSP benefits must be provided without charge.  Unlike California law, the HIPAA Privacy Rule does not allow charges for retrieving or handling the information or for processing the request, and it does not permit charges for inspection or for clerical costs related to making the records available for inspection or copying. California law does not expressly allow charging for mailing costs. Where the two laws differ, the rule that costs the patient less controls.


Remember, you do not have to grant access if you are concerned for a child’s safety.


For example: A pediatrician has repeatedly seen signs of abuse in a child and suspects the father. The pediatrician has complied with state notification requirements and documented this suspicion in the progress notes. The father, as the child’s guardian, requests access to the medical record under HIPAA. In this case the practice would be concerned for the safety of the child and the staff.  HIPAA and California allow you to deny access to a personal representative in such cases.

  12. Be sure that you amend your bookkeeping and billing systems so you can create a billing statement and account for this charge and its subsequent payment.


  13. Add this information to the Notice of Privacy Practices. When you have completed documenting your access procedures, update the “Your Health Information Rights” section of the notice of privacy practices to indicate how the subject individual may exercise this right.  Be sure to include any copying fees that you intend to charge.


Maintenance Suggestions:


  1. If conducting clinical research:  Incorporate HIPAA compliance into your clinical research consent forms. PHI created or obtained in the course of a clinical study may be withheld from the HIPAA access requirement while the study is in progress, but only if the patient agreed to this when consenting to participate. Remember, if your practice is engaged in clinical research, you need to be sure the clinical research consent now includes HIPAA compliant language. Specifically, you must state that you are asking for the patient’s consent to suspend their right to review the associated PHI during the course of the study, and explain that this right will be reinstated after the clinical trial is completed.  Also, make sure that this policy is consistent with the clinical research organization’s requirements.
  2. Keep psychotherapy “process” notes separate from the rest of the medical record.  Most mental health care providers maintain “process notes” (i.e. notes taken during the course of a therapy session) separately from the medical record.   If process notes were to be included in the medical record, they would not be exempt from the HIPAA access requirement.  Note: To be considered “psychotherapy notes” the notes must be recorded by a licensed mental health care provider (physician, psychiatrist, clinical psychologist, licensed clinical social worker, marriage/family counselor, etc.). In California, where there is no specialty licensing, every physician can be a mental health provider and take advantage of the rule shielding psychotherapy notes by keeping them separate from the rest of the medical record.  Of course, the physician must consider whether such notes are required for other purposes such as billing, in which case written authorization for disclosure is required.
     This means that progress notes related to a patient’s mental health that are entered as part of a general medical record by a non-mental health professional would not generally qualify as a “psychotherapy note” under HIPAA.
  3. Establish a process for approvals and denials. The privacy official should be responsible for tracking all access requests and making sure they are processed.  Another individual (with a high level of authority) should be responsible for approving or denying the requests. Whenever a request for access is denied, the reason for the denial must be stated and, if it is based on fear for a child’s or incapacitated adult’s safety, the patient must be given an opportunity to have the decision reviewed by a third party. Be sure this process includes the precautions described above about accompanying a patient when they review original documents.
  4. Verify the identity of requesting individuals. If you are not certain of the identity of anyone requesting PHI, including someone claiming to be the patient’s personal representative, you must make a reasonable effort to verify it (and, for a personal representative, their authority to act for the patient). For example, governmental officials can be asked to produce an official badge or identity card, and you can ask for a general switchboard number to call back and thus confirm they are employed there. You should ask for copies of any documents they are basing their request upon and ask for a written request that will be mailed or faxed to your office. Also, if you receive a request from another treating provider who is unknown to you, ask that the request be put in writing and verify the address and phone numbers!
  5. Incorporate training and ongoing awareness of the patient’s right to inspect their PHI into your routine staff meetings.

Implement medical record organization procedures to structure access: 

It is a good idea to implement chart or record organization procedures that separate information which generally should not be disclosed as a routine matter. Examples are psychotherapy notes, HIV test results, confidential communication from third parties, litigation records which are not patient records, and public health disclosures related to discussions of abuse, neglect and so forth. Of course whenever you “separate” a medical record it is important to have a system in place to alert the physicians and clinical staff that other related medical information exists separately.


PROCEDURE—AMENDMENT OF PHI


Implementation Suggestions:


1.     It is important to have written documentation signed by the patient or their personal representative whenever they wish to amend or add an addendum to their PHI. HIPAA does not require that amendment requests be made in writing.  HIPAA does, however, allow you to require that these requests be submitted to you in writing (provided that you inform the patient of this requirement).  We recommend that all requests, responses, rebuttals, etc. be maintained in written form so that there will be a “paper trail” that can be used to establish the exact sequence of events. You can customize the Request for Amendment sample amendment request and response form to meet the documentation standards of your organization.

You are not required to grant every amendment request.

HIPAA gives patients the right to request amendment of PHI that they believe to be incomplete or inaccurate.  You are not required to make these changes.  You may deny the patient’s request if:

  • You believe that the information is already accurate and complete.
  • The patient did not initially have the right to review that type of PHI.
  • The information did not originate in your office.
  • The information is not part of a designated record set.

2.     Determine the kinds of PHI that can be amended. For example, there could be significant medical-legal liability if you allowed an amendment to a progress note (such as a diagnostic result or patient vital signs).  The best way to do this is to review the PHI inventory forms created in PrivaPlan Stat Step 2 (and the related PrivaGuide “PHI Inventory”). You should also closely examine the patient’s medical record to anticipate any items they might want to amend. These steps should always be done with the physician in charge. Amendments and addenda to the medical or clinical notes require the skill and expertise of the physician!

3.     Recognize that under California law a patient also has the right to have a statement of up to 250 words attached as part of the patient’s medical record and included with each future disclosure of the contested portion of the patient’s records.

4.     If the request is from the patient’s personal representative, determine whether the request should be honored.  See the section on handling requests from personal representatives in the “Procedures Manual” under the procedure for “Individual Permission Processing.”

5.  Determine the best location and procedure to process an amendment or addenda. Generally, the request to amend or append will follow the request to inspect (see above).

6.   Determine how to store and log amendments and addenda. We suggest use of the sample amendment request form and storing this in the patient chart with a separate “tab” or section. However, if your organization uses an electronic medical record, you may need to create a separate “file” or patient amendment field in the record and some kind of alert mechanism to indicate that an amendment exists. For paper medical records you may want to flag those charts that contain an amendment. As a general rule never alter the original documents.  If the amendment is a correction that you agree to, and the physician chooses to amend the original “note”, draw a line through the note so it can still be read, make the correction, and then date and initial this amendment.

7.  Add this information to the Notice of Privacy Practices. When you have finished documenting your amendment procedures, update the “Your Health Information Rights” section of the notice of privacy practices.

Get all the help you can.

Your medical malpractice carrier may have valuable advice for amendment request procedures. Also, California has specific laws regarding the patient’s right to add an addendum to his or her medical record.  Go to the CMA ON-CALL documents and contact your professional society, professional liability carrier or legal/consulting resource for more information.

Maintenance Suggestions:

  1. Notifying other people or organizations. If you agree to an amendment, the patient or their personal representative has a right to have the corrected information transmitted to a specific list of people or organizations (for example, a life insurance carrier).  Additionally, you have a duty to transmit this amendment to parties who, to your knowledge, have received the incorrect or incomplete information in the past.  (Similarly, if you receive notice of an amendment request that has been accepted by another covered entity, you must make the appropriate changes to the information at your office.)  The PrivaPlan sample response to amendment request form contains sections to track these activities.  Similarly, an addendum requested under California law must be incorporated in the patient’s medical record and included with each future disclosure of the contested information.
  2. Provide staff training and on-going awareness about the patient’s right to amend or append to their PHI.
  3. Establish a process for approvals and denials. The privacy official should be responsible for tracking all amendment requests and making sure they are processed.  Whenever a request for amendment is denied, the reason for the denial must be stated and the patient must be given an opportunity to insert a statement of disagreement in the record.  A sample response to request for amendment form is appended to the end of the request for amendment form.  (You may also insert a statement of rebuttal to this disagreement in the record.)  Whenever the PHI in question is disclosed to anyone, the patient’s addendum or statement of disagreement must be included. HIPAA requires that you act on an amendment request within 60 days of receiving it. One 30-day extension is allowed if, within the original 60 days, you give the patient a written statement of the reason for the delay and the date by which you will act.


PROCEDURE — DISCLOSURE ACCOUNTING


Implementation Suggestions:

  1. It is important to have written documentation signed by the patient or their personal representative whenever they wish an accounting of their PHI. HIPAA does not require that disclosure accounting requests be made in writing. We recommend that all requests, responses, rebuttals, etc. be maintained in written form so that there will be a “paper trail” that can be used to establish the exact sequence of events. See the Request for Disclosure Accounting form under Document Templates. 
  2. If the request is from the patient’s personal representative, determine whether the request should be honored.  See the section on handling requests from personal representatives in the “Procedures Manual Template”.


Implementation Suggestions (continued):

1.   Tracking accounting of disclosures: HIPAA requires you give the patient an accounting of disclosures that have occurred over the last six years, except for:

  • Disclosures made to carry out treatment, payment and health care operations.
  • Disclosures made to the patients themselves.
  • Disclosures made pursuant to an authorization signed by the patient.
  • Disclosures made to persons involved in the individual’s care, where the patient has been given a chance to object.
  • Disclosures to a health oversight agency or law enforcement official to the extent this medical practice has received notice from that agency or official that providing the patient with an accounting of those disclosures would be reasonably likely to impede the agency’s or official’s activities (such suspensions of disclosure accounting rights may be done only on a temporary basis).
  • Disclosures of a limited data set (information from which direct identifiers have been removed) for purposes of research, public health, or health care operations;
  • Disclosures which are incident to a use or disclosure otherwise permitted or authorized by law.
  • Disclosures made for national security or intelligence purposes.
  • Disclosures made to correctional institutions or law enforcement officials if the patient is in their lawful custody.
  • Disclosures that occurred prior to the compliance date for this organization (April 14, 2003).

Again, the first step is to review the PHI inventory and uses/disclosures inventory forms generated in Stat step 2.  This will give you a good idea of the kinds of PHI that are subject to the disclosure accounting requirement.  (Essentially these consist of the items listed in the notice of privacy practices other than treatment, payment or health care operations).

2.  Add this information to the notice of privacy practices. When you have completed documenting your disclosure accounting procedures, update the “Your Health Information Rights” section of the notice of privacy practices to indicate how the subject individual may exercise this right.  Be sure to include any fees that you intend to charge.  (Important note:  You may not charge a fee for the first disclosure accounting in a twelve-month period. For a further accounting within that period you may charge a reasonable, cost-based fee, provided you tell the patient in advance and give them a chance to withdraw or modify the request.)


Maintenance Suggestions:

1.     Log each disclosure that is subject to disclosure accounting.  HIPAA requires that you keep a disclosure accounting log even if you are never asked to produce a disclosure accounting.  You must make an entry in this log each time you make a disclosure that is subject to disclosure accounting.  Each log entry must contain the mandatory elements that are to be included in the disclosure accounting.  These are:

  • The date of the disclosure.
  • The name and (if known) address of the person or organization that received the information.
  • A description of the information disclosed.
  • A statement of the purpose of the disclosure (or a copy of the signed authorization or the request for disclosure).

Under Document Templates you will find a sample tracking form for logging this information, called the Tracking Accountable Disclosures Form.

You do not have to log most disclosures.

Most of the disclosures that you make are not subject to the disclosure accounting requirement, so they do not have to be logged.  “Normal” disclosures for treatment, payment or health care operations, disclosures to the patient or made under the patient’s authorization, and disclosures to family and friends involved in the patient’s care do not require an accounting.

2.     Use a written request form to document patient requests. For optimal management of this process use the “Request for Disclosure Accounting” form to document requests. The Request for Disclosure Accounting form also includes a response form that can be used to list all accountable disclosures. You can cut and paste these from the “Tracking Accountable Disclosures Form”.

3.     Keep copies of the completed forms in a central HIPAA patient request file.  While it may be more convenient to maintain these request forms in the patient’s chart, your professional liability carrier (i.e. malpractice insurance carrier) or other risk providers may suggest that you maintain a separate file for these forms.

4.     Incorporate staff training and on-going awareness about the patient’s right to an accounting of disclosures of their PHI. This can be done during routine staff meetings.

Make a list of “accountable” disclosures.

It may be helpful to make a list of all the times you report for public purposes.  Be sure to consider these common examples:

  • Reporting for communicable diseases
  • Reporting child abuse or elder abuse
  • Lapses of consciousness (A California requirement)
  • Reporting gunshot wounds
  • Responding to a court order or subpoena
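As an added example, not part of this PrivaGuide and not a PrivaPlan tool, the following Python sketch shows the decisions a disclosure accounting log has to make, whether it is kept on paper or in software: it refuses an entry that lacks one of the mandatory elements listed above, declines to log disclosures in the exempt categories, applies the six-year lookback and the compliance-date cutoff, honors a temporary suspension requested by a health oversight agency or law enforcement official, and reports when a fee may be charged (only when an accounting has already been provided in the previous twelve months). The patient identifier, dates, recipients and purpose-category labels are constructed for the example.

```python
# Added example: a disclosure accounting log (not from the PrivaGuide or PrivaPlan).
# Sample patient ID, dates and recipients are constructed, not real data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Purpose categories HIPAA exempts from accounting; the labels are this example's own.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations", "to_patient",
    "patient_authorization", "involved_in_care", "incidental",
    "limited_data_set", "national_security", "correctional"})
COMPLIANCE_DATE = date(2003, 4, 14)           # this organization's compliance date
LOOKBACK_YEARS = 6
FREE_ACCOUNTING_WINDOW = timedelta(days=365)  # first accounting per 12 months is free
SAMPLE_PATIENT = "patient-0001"               # constructed identifier


@dataclass
class Disclosure:
    disclosed_on: date
    recipient_name: str
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # category used for the exemption test
    purpose_statement: str            # purpose, or a pointer to the filed request copy
    recipient_address: Optional[str] = None
    suspended_until: Optional[date] = None   # temporary hold requested by an agency


def is_accountable(d: Disclosure) -> bool:
    """True when the disclosure must appear in an accounting."""
    return d.disclosed_on >= COMPLIANCE_DATE and d.purpose not in EXEMPT_PURPOSES


def _years_before(day: date, years: int) -> date:
    try:
        return day.replace(year=day.year - years)
    except ValueError:                # 29 February into a non-leap year
        return day.replace(year=day.year - years, day=28)


class DisclosureLog:
    def __init__(self) -> None:
        self._entries: Dict[str, List[Disclosure]] = {}
        self._accountings: Dict[str, List[date]] = {}   # dates accountings were given

    def record(self, patient_id: str, d: Disclosure) -> bool:
        """Log an accountable disclosure; False means exempt, nothing logged."""
        if not is_accountable(d):
            return False
        for element in ("recipient_name", "description", "purpose_statement"):
            if not getattr(d, element).strip():       # every mandatory element present
                raise ValueError(f"log entry missing mandatory element: {element}")
        self._entries.setdefault(patient_id, []).append(d)
        return True

    def fee_applies(self, patient_id: str, requested_on: date) -> bool:
        """A fee may be charged only if an accounting was given in the prior 12 months."""
        return any(p < requested_on and requested_on - p < FREE_ACCOUNTING_WINDOW
                   for p in self._accountings.get(patient_id, []))

    def accounting(self, patient_id: str, requested_on: date) -> List[Disclosure]:
        """Entries from the six years before the request, oldest first, skipping
        entries whose temporary suspension is still in force."""
        start = _years_before(requested_on, LOOKBACK_YEARS)
        hits = [d for d in self._entries.get(patient_id, [])
                if start <= d.disclosed_on <= requested_on
                and (d.suspended_until is None or d.suspended_until < requested_on)]
        self._accountings.setdefault(patient_id, []).append(requested_on)
        return sorted(hits, key=lambda d: d.disclosed_on)


def build_sample_log() -> Tuple[DisclosureLog, List[bool]]:
    """Constructed sample disclosures; returns the log and each record() verdict."""
    ph, ph_desc, ph_why = "County Public Health Dept.", "TB test result", "Communicable disease report"
    sample = [
        Disclosure(date(2003, 3, 1), ph, ph_desc, "public_health", ph_why),   # pre-compliance
        Disclosure(date(2003, 6, 2), ph, ph_desc, "public_health", ph_why, "1 Civic Plaza"),
        Disclosure(date(2004, 1, 15), "Acme Health Plan", "Claim with CPT codes",
                   "payment", "Claim submission"),                            # exempt
        Disclosure(date(2005, 9, 9), "Superior Court", "Complete chart",
                   "court_order", "Copy of subpoena on file"),
        Disclosure(date(2006, 2, 20), "State Medical Board", "2005 progress notes",
                   "health_oversight", "Copy of request on file",
                   suspended_until=date(2006, 12, 31)),
    ]
    log = DisclosureLog()
    return log, [log.record(SAMPLE_PATIENT, d) for d in sample]


def sample_accounting(requested_on_iso: str) -> List[str]:
    """ISO dates an accounting requested on that day would list for the sample patient."""
    log, _ = build_sample_log()
    return [d.disclosed_on.isoformat() for d in
            log.accounting(SAMPLE_PATIENT, date.fromisoformat(requested_on_iso))]


def sample_fee_sequence() -> List[bool]:
    """Fee verdicts for a first request, one six months later, one over a year after that."""
    log, _ = build_sample_log()
    verdicts = []
    for day in (date(2006, 6, 1), date(2006, 12, 1), date(2008, 1, 15)):
        verdicts.append(log.fee_applies(SAMPLE_PATIENT, day))
        log.accounting(SAMPLE_PATIENT, day)
    return verdicts
```

An accounting requested on 2006-06-01 lists the June 2003 public health report and the 2005 court-ordered disclosure but not the medical board disclosure, whose suspension is still in force; the same request in August 2009 drops the 2003 entry (outside six years) and includes the board disclosure. In a real system the log would be append-only storage with its own access controls, since the log is itself PHI; the point here is the decision logic that a paper Tracking Accountable Disclosures Form requires staff to apply by hand.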

About the Authors:


This PrivaGuide has been greatly improved and customized by the California Medical Association, specifically through the work of Catherine Hanson, Vice President and General Counsel of the CMA, and Steve Fleisher, Esq. of Fleisher and Associates.


Lesley Berkeyheiser


Ms. Berkeyheiser has over twenty years of experience in the healthcare industry, most of it in managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology.   She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), Gap Analysis (PrivaPlan) and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates). She is Co-Chair for Security and Privacy, and past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDI SNIP). This gives her extensive and current knowledge of HIPAA remediation solutions.


Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342.  Telephone: (610)-558-3332.  Email: lberkeyheiser@theclaytongroup.org.


David Ginsberg


Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders.


David Ginsberg is a healthcare consultant with over twenty-five years of experience. Most recently he organized, and is Executive Director of, the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.


Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting and compliance issues.


Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508.  Telephone:  877-218-7707.  Email:  dginsberg@PrivaPlan.com
