Disclaimer:
The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.
PrivaGuide: Access, Amendment and Disclosure Accounting
By Lesley Berkeyheiser and David Ginsberg
Introduction
HIPAA gives individuals (patients or health plan members) the right to view or copy protected health information (PHI) that pertains to them, to have incomplete or inaccurate information corrected, and to receive an accounting of disclosures of this information. Specifically, this means:
- You must respond to access, amendment and disclosure accounting requests within a specific time frame. If you cannot meet the deadline, you must communicate your reasons in writing.
- If you have a legitimate reason to deny a request, you must communicate this reason in writing.
- If you deny a request, in certain circumstances the patient has the right to have a third party review the denial, and to have the reviewer’s decision communicated in writing.
- You must document the “designated record sets” (see PrivaTip #1) that contain PHI pertaining to the patient.
- You must log certain types of disclosures so that this information is available, should the patient request a disclosure accounting.
How to do this:
This section contains implementation and maintenance suggestions for processing access, amendment and disclosure accounting requests. “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities. Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.
PROCEDURE—PROVIDING ACCESS TO PHI
Implementation Suggestions:
- It is important to have written documentation signed by the patient (or a personal representative of the patient) whenever they wish to access their PHI. HIPAA does not require that access requests be made in writing. HIPAA does, however, allow you to require that these requests be submitted to you in writing (provided that you inform the patient of this requirement). We recommend that all requests and responses be maintained in written form so that there will be a “paper trail” that can be used to establish the exact sequence of events. Under Document Templates you can find a sample access request form.
- Document the PHI that is available for access. HIPAA requires that you document the “designated record sets” that you maintain. Remember that some parts of the designated record set may be in the possession of a business associate.
What is a “Designated Record Set?”
Patients do not have a right to access any and all information that pertains to them. HIPAA gives patients the right to access information only in “designated record sets.” Also, the patient’s right to amend incorrect or incomplete PHI applies only to designated record sets.
- Basically, a designated record set is a group of records that is used to make decisions about the patient. This includes record sets that contain:
- The medical and billing information maintained by or for a health care provider;
- Enrollment, payment, claims adjudication or case management records maintained by or for a health plan; or
- Any other information that is used to make decisions about the patient, such as a chart.
- Create a list of the most likely requested PHI and its location. This list should be readily available to help with locating and supplying PHI.
- Determine the form of PHI and how it will be provided to a patient or to his or her personal representative. Do you have a convenient location, perhaps a separate room that can be used for this purpose?
- It is also important to determine how you will “protect” the information that is shown to a patient. HIPAA does not require that a staff member be present when a patient reviews his or her medical record. However, we recommend that you always have a staff member in attendance (for example, it would be very easy for a patient to simply remove a troublesome part of the medical chart if left unattended).
- Don’t forget about electronic records. Some practices maintain the patient’s medical record electronically. HIPAA allows the patient to request their information in a form that is convenient for them. Consider how to provide access to electronic information in a way that will maintain the integrity of the system. For example, if you elect to let the patient review their electronic record using a terminal, be sure the record is “read only” and that they cannot access any other part of your system.
- Understand the time frames allowed for access requests. The basic requirement is that you act on the request within 30 days. If the requested information is not maintained on-site, you have 60 days to provide it. Additionally, HIPAA allows a one-time delay of 30 days, provided that you inform the requestor in writing of the reasons why the request could not be satisfied in the allowed time frame.
- Determine the kinds of PHI that you are concerned could cause “harm” if inspected. While you are generally required under HIPAA to grant patient requests for access to their own PHI, there are some exceptions. These include:
- Psychotherapy notes – “process notes” created by a licensed mental health professional during or following a counseling session – do not have to be revealed. But “progress notes,” which are part of the medical record, must be made available.
- Information that has been collected in anticipation of a civil, criminal or administrative action does not have to be made available in response to an access request.
- Also, you do not have to grant access to PHI when you feel that such access would endanger the patient or another individual.
Therefore, it is important to spend some time with the providers determining what kind of information could cause harm. Keep a list of this kind of information for quick reference.
- Identify a licensed health care professional who would be willing to perform the function of “reviewing individual” to help you address patient appeals. (It would be even better if you could identify two such individuals, in case one of them is not available when needed.) If you choose to deny a patient the right to access their PHI (see above suggestion), or whenever you deny the right to amend PHI, the requestor has the right to “appeal” your decision. A patient may insist that another “reviewing individual” within your organization decide whether your decision to deny access should be upheld or overruled. The reviewer must be a licensed health care professional other than the person who originally denied the request. Therefore, it is important to select at least one licensed health care professional within the practice who will perform this function. These individuals should understand the general reasons why the organization might deny such requests.
- Establish a reasonable fee for copying PHI. You are entitled to charge a fee whenever you must copy records for the purpose of access, amendment or disclosure accounting. HIPAA requires that this be a “reasonable cost-based fee” based upon the necessary supplies, labor, and shipping. Many offices have an established fee for copying records. In some cases this fee is based upon contracts with health plans or with workers’ compensation carriers. In other cases there may be guidelines established by the state or by your medical society. In any event, it is important that the fee you charge meet the HIPAA “reasonableness” criterion. Fees charged to the individual for allowing access to PHI must be based on actual costs and not intended to discourage access requests. Be sure that you amend your bookkeeping and billing systems so you can create a billing statement and account for this charge and its subsequent payment.
- Add this information to the Notice of Privacy Practices (the template form is found under the Document Templates section of this website). When you have completed documenting your access procedures, update the “Your Health Information Rights” section of the notice of privacy practices to indicate how the individual may exercise this right. Be sure to include any copy or processing fees that you intend to charge.
Maintenance Suggestions:
- If conducting clinical research: Incorporate HIPAA compliance into your clinical research consent forms. Information that is the result of clinical research may be exempt from the HIPAA access requirement during the course of the study, if the individual has agreed to this restriction in advance. If your practice is engaged in clinical research, you need to be sure the clinical research consent now includes HIPAA compliant language. Specifically, you must designate that you are asking for the patient’s consent to suspend their right to review the associated PHI during the course of the study. Explain that this right will be reinstated after the clinical trial is completed. Also, make sure that this policy is consistent with the clinical research organization’s requirements.
- Keep psychotherapy “process” notes separate from the rest of the medical record. Most mental health care providers maintain “process notes” (that is, notes taken during the course of a therapy session) separately from the medical record. If process notes were to be included in the medical record, they would not be exempt from the HIPAA access requirement. Note that to be considered “psychotherapy notes” the notes must be recorded by a licensed mental health care provider (psychiatrist, clinical psychologist, licensed clinical social worker, marriage/family counselor, etc.). This means that progress notes related to a patient’s mental health that are entered as part of a general medical record by a non-mental health professional (such as a family practice physician) would not generally qualify as a “psychotherapy note” under HIPAA.
- Establish a process for approvals and denials. The privacy official should be responsible for tracking all access requests and making sure they are processed. Another individual (with a high level of authority) should be responsible for approving or denying the requests. Whenever a request for access is denied, the reason for the denial must be stated and, if this is one of the “reviewable” denials, the patient must be given an opportunity to have the decision reviewed by a third party. Be sure this process includes the precautions described above about accompanying a patient when they review original documents.
- Treat deceased individuals just as you would any other individual with regard to information disclosures. The personal representative of a deceased person must be treated as if they were the decedent themselves. This means that their personal representative may access the decedent’s medical records and may sign an Authorization for you to use or disclose these records to other individuals. Exactly who may act as the personal representative of a deceased patient, however, varies from state to state depending on state law. Check your state laws to determine who may act on the decedent’s or the estate’s behalf.
- Incorporate training and ongoing awareness of the patient’s right to inspect their PHI into your routine staff meetings.
PROCEDURE—AMENDMENT OF PHI
Implementation Suggestions:
- It is important to have written documentation signed by the patient (or the patient’s personal representative) whenever he or she wishes to amend his or her medical record. HIPAA does not require that amendment requests be made in writing. HIPAA does, however, allow you to require that these requests be submitted to you in writing (provided that you inform the patient of this requirement). We recommend that all requests, responses, rebuttals, etc. be maintained in written form so that there will be a “paper trail” that can be used to establish the exact sequence of events. You can find the amendment request form under Document Templates that you can customize to meet the documentation standards of your organization.
- Determine the kinds of PHI that can be amended. For example, there could be significant medical-legal liability if you allowed an amendment to a progress note (such as a diagnostic result or patient vital signs). The best way to do this is to review the PHI inventory forms created in PrivaPlan Stat Step 2.
- Determine the best location and procedure to process an amendment. Generally, the request to amend will follow the request to inspect (see above).
- Determine how to store and log amendments. We suggest using the sample amendment request form found under Document Templates and storing it in the patient chart under a separate “tab” or section. However, if your organization uses an electronic medical record, you may need to create a separate “file” or patient amendment field in the record and some kind of alert mechanism to indicate that an amendment exists. For paper medical records you may want to flag those charts that contain an amendment.
- Add this information to the Notice of Privacy Practices. When you have finished documenting your amendment procedures, update the “Your Health Information Rights” section of the notice of privacy practices.
Maintenance Suggestions:
- Notifying other people or organizations. If you agree to an amendment, the patient (or the patient’s personal representative) has a right to have the corrected information transmitted to a specific list of people or organizations (for example a life insurance carrier). Additionally, you have a duty to transmit this amendment to parties who, to your knowledge, have received the incorrect or incomplete information in the past. (Similarly, if you receive notice of an amendment request that has been accepted by another covered entity, you must make the appropriate changes to the information at your office.) The PrivaPlan sample amendment request form contains sections to track these activities.
- Provide staff training and ongoing awareness about the patient’s right to amend their PHI.
- Establish a process for approvals and denials. The privacy official should be responsible for tracking all amendment requests and making sure they are processed. Whenever a request for amendment is denied, the reason for the denial must be stated and the patient must be given an opportunity to insert a statement of disagreement in the record. (You may also insert a statement of rebuttal to this disagreement in the record.) Whenever the PHI in question is disclosed to anyone, the patient’s statement of disagreement must be included.
PROCEDURE — DISCLOSURE ACCOUNTING
Implementation Suggestions:
- It is important to have written documentation signed by the patient (or the patient’s personal representative) for all disclosure accounting requests. HIPAA does not require that disclosure accounting requests be made in writing. We recommend that all requests, responses, rebuttals, etc. be maintained in written form so that there will be a “paper trail” that can be used to establish the exact sequence of events. Under Document Templates you can find a sample disclosure accounting request form that you can customize.
- Tracking accounting of disclosures: HIPAA requires you give the patient an accounting of disclosures that have occurred over the last six years, except for:
- Disclosures made to carry out treatment, payment and health care operations.
- Disclosures made to the patient (or the patient’s personal representative).
- Disclosures made on the basis of an authorization signed by the patient.
- Disclosures made to persons involved in the individual’s care, where the patient has been given a chance to object.
- Disclosures to a health oversight agency or law enforcement official to the extent this medical practice has received notice from that agency or official that providing the patient with an accounting of those disclosures would be reasonably likely to impede the agency’s or official’s activities (such suspensions of disclosure accounting rights may be done only on a temporary basis).
- Disclosures of information that exclude certain direct identifiers for purposes of research, public health, or health care operations.
- Disclosures that are incident to a use or disclosure otherwise permitted or required by HIPAA.
- Disclosures made for national security or intelligence purposes.
- Disclosures made to correctional institutions or law enforcement officials when the patient is in their custody.
- Disclosures that occurred prior to the compliance date (April 14, 2003 for most organizations).
Again, the first step is to review the PHI inventory and uses/disclosures inventory forms generated in Stat step 2. This will give you a good idea of the kinds of PHI that are subject to the disclosure accounting requirement. (Essentially these consist of the items listed in the notice of privacy practices other than treatment, payment or health care operations). Many “public purpose” disclosures are subject to disclosure accounting. See the Public Purpose Disclosure PrivaGuide under PrivaGuides.
- Develop a procedure for tracking disclosures made by your business associates. Under HIPAA, patients have a right to an accounting of disclosures made by both you and your business associates. You must determine how you will account for disclosures that are made by your business associates.
- Add this information to the notice of privacy practices. When you have completed documenting your disclosure accounting procedures, update the “Your Health Information Rights” section of the notice of privacy practices to indicate how the individual may exercise this right. Be sure to include any copy or processing fees that you intend to charge. (Important note: You may not charge a fee for the first disclosure accounting in a twelve-month period.)
Maintenance Suggestions:
- Log each disclosure that is subject to disclosure accounting. HIPAA requires that you keep a disclosure accounting log even if you are never asked to produce a disclosure accounting. You must make an entry in this log each time you make a disclosure that is subject to disclosure accounting. Each log entry must contain the mandatory elements that are to be included in the disclosure accounting. These are:
- The date of the disclosure.
- The name and (if known) address of the person or organization that received the information.
- A description of the information disclosed.
- A statement of the purpose of the disclosure (or a copy of the signed authorization or the request for disclosure).
Under Document Templates you can find a form that can be used both to log disclosures as they occur and to provide an accounting when requested.
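As an added illustration, not a form or tool from PrivaPlan: the log below records every disclosure, enforces the four mandatory elements listed above for entries that are subject to accounting, limits an accounting to the six-year window on or after the compliance date, and also computes the response deadlines described under Providing Access. The category labels and the sample entries in the test are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Compliance date the guide cites; earlier disclosures fall outside the accounting.
COMPLIANCE_DATE = date(2003, 4, 14)
ACCOUNTING_WINDOW_YEARS = 6

# Disclosure categories the guide lists as exempt from accounting.
# These labels are constructed for this example, not HIPAA terms.
EXEMPT_CATEGORIES = {
    "treatment", "payment", "health_care_operations", "to_patient",
    "authorization", "involved_in_care", "oversight_suspended",
    "limited_data_set", "incidental", "national_security", "custody",
}

@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient_name: str               # person or organization that received the PHI
    recipient_address: Optional[str]  # required only if known
    description: str                  # what information was disclosed
    purpose: str                      # purpose, or a reference to the authorization/request
    category: str                     # constructed label deciding whether accounting applies

    def __post_init__(self) -> None:
        # Entries subject to accounting must carry the guide's mandatory elements.
        if self.category not in EXEMPT_CATEGORIES:
            for name in ("recipient_name", "description", "purpose"):
                if not getattr(self, name).strip():
                    raise ValueError(f"accountable disclosure missing {name}")

def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:  # 29 February in a non-leap year
        return d.replace(year=d.year - years, day=28)

@dataclass
class DisclosureLog:
    entries: List[Disclosure] = field(default_factory=list)

    def record(self, d: Disclosure) -> bool:
        """Log every disclosure; return True when it is subject to accounting."""
        self.entries.append(d)
        return d.category not in EXEMPT_CATEGORIES

    def accounting(self, requested_on: date) -> List[Disclosure]:
        """Accountable disclosures in the six years before the request, on or after the compliance date."""
        start = max(_years_before(requested_on, ACCOUNTING_WINDOW_YEARS), COMPLIANCE_DATE)
        return [e for e in self.entries
                if e.category not in EXEMPT_CATEGORIES
                and start <= e.disclosed_on <= requested_on]

def response_deadline(received_on: date, offsite: bool = False,
                      extension_notified: bool = False) -> date:
    """30 days (60 if records are kept off-site), plus one 30-day extension
    if the requestor was told in writing why the deadline could not be met."""
    days = 60 if offsite else 30
    if extension_notified:
        days += 30
    return received_on + timedelta(days=days)
```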
- Keep copies of the completed forms in a central HIPAA patient request file. While it may be more convenient to maintain these request forms in the patient’s chart, your professional liability carrier (that is, your malpractice insurance carrier) or other risk providers may suggest that you maintain a separate file for these forms.
- Incorporate staff training and on-going awareness about the patient’s right to an accounting of disclosures of their PHI. This can be done during routine staff meetings.
About the Authors:
Lesley Berkeyheiser
Ms. Berkeyheiser has over 20 years of experience in the healthcare industry, mostly in managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology. She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), Gap Analysis (PrivaPlan), and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates). In addition, she actively participates as Co-Chair for Security and Privacy and was past Leader of the Vendor Technologies Interdependencies subgroup for Electronic Data Interchange Strategic National Implementation Process (WEDi SNIP). This gives her an extensive and current knowledge of HIPAA remediation solutions.
Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342. Telephone: (610)-558-3332. Email: lberkeyheiser@theclaytongroup.org.
David Ginsberg
Mr. Ginsberg is President and co-founder of PrivaPlan Associates, Inc. He is a healthcare consultant with over 25 years of experience. Most recently he organized and is Executive Director of the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California. During his time with Intellectron/Medcobill he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.
Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting, and compliance issues.
Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508. Telephone: 877-218-7707.
Email: dginsberg@PrivaPlan.com.
PrivaPlan Associates, Inc. would like to thank Ms. Catherine I. Hanson, Vice President and General Counsel of the California Medical Association, and Mr. Steven M. Fleisher, of Fleisher and Associates, for their generous contributions and suggestions for improvement of this PrivaGuide.