Patient Access & Charging for Medical Records. General Right to Access. Requests for Access. Charging for Copies

Size: px

Start display at page:

Download "Patient Access & Charging for Medical Records. General Right to Access. Requests for Access. Charging for Copies"

Abraham Walker
5 years ago
Views:

Patient Access & Charging for Medical Records Copyright 2017 State Volunteer Mutual Insurance Company Today s Agenda 1 2 3 4 5 6 General

1 Patient Access & Charging for Medical Records Copyright 2017 State Volunteer Mutual Insurance Company Today s Agenda General Right to Access Requests for Access Providing Access Charging for Copies Patients Right to Direct PHI to a Third-Party Notes from HHS Guidance 1

General Right to Access General Right to Access HIPAA Privacy Rule Requires access to Protected Health Information (PHI) by the individual or the personal representative of the individual Patient Has

2 General Right to Access General Right to Access HIPAA Privacy Rule Requires access to Protected Health Information (PHI) by the individual or the personal representative of the individual Patient Has a Right Refers to the patient or the patient s personal representative Patient Has a Right To inspect their PHI, receive a copy of it, or both Patient Has a Right To ask to have PHI sent to a third party of their designation 2

3 General Right to Access Designated Record Set A group of records maintained by or for a covered entity that comprises the: Medical Records Any other records used to make health care decisions Billing Records Information Excluded from Access PHI not included in Designated Record Sets Quality assessment or improvement records Patient safety activity records Business planning, development or management records Psychotherapy notes Notes taken during a psychotherapy session and kept separate from the rest of the medical record Information compiled for use in civil, criminal or administrative actions or proceedings 3

4 Personal Representatives A person with authority, under state law, to make health care decisions for the individual Same rights to access PHI as an individual Requests for Access 4

Requests for Access Health care providers may Require written request on their own form Offer option of making request electronically (email, portal, etc.

not delay or serve as a barrier to patient access.

5 Requests for Access Health care providers may Require written request on their own form Offer option of making request electronically ( , portal, etc.) Verification No mandated form/process for verification Left to the discretion/professional judgement of the covered entity May be done orally or in writing Requests for Access Covered entities may not delay or serve as a barrier to patient access. You may not require an individual: Who wants a copy of her medical record mailed to her home to come to your office to request access and provide proof of identity in person To use your patient portal for requesting access, since all individuals may not have access to the portal To mail an access request if it would cause unreasonable delay to the individual s access Examples from HHS Guidance 5

6 Verifying Patient Identity What if the person requesting access is not the patient, but knows all of the patients information? Have a written policy and procedure for verifying patient identity Verify multiple pieces of personal information If individual is lying, the violation is on them, not on the practice Providing Access 6

Providing Access Privacy Rule requires patient access to PHI In the form/format requested by the

willingness to produce Providing Access Request for Paper Copy Request for Electronic Copy

paper form Vs Required to provide electronic copy of paper records, if readily producible For

7 Providing Access Privacy Rule requires patient access to PHI In the form/format requested by the patient, if It can be readily produced in that form/format Readily Produced Does not mean willingness to produce Providing Access Request for Paper Copy Request for Electronic Copy Regardless of how the PHI is maintained HHS Expects the patient to be provided with a copy in paper form Vs Required to provide electronic copy of paper records, if readily producible For example, scanned into electronic format Paper copy is acceptable if records cannot be converted to electronic format 7

If form/format is not readily producible, must provide an agreed upon electronic alternative A paper copy may only be provided when the

8 Providing Access Request for Electronic Copy Required to provide electronic copy of electronic records in form/format requested CD, USB, , Patient Portal, etc. If form/format is not readily producible, must provide an agreed upon electronic alternative A paper copy may only be provided when the patient declines all electronic formats readily producible by the practice Providing Access Delivery of PHI Access must be provided in the manner the patient requests Mail Pick up at office HHS considers mail and readily producible by all covered entities 8

included in Security Risk Assessment Emailing PHI Encrypted Email Secure Include in security risk assessment Typically not secure

9 Communicating PHI Electronically HIPAA Security Rule requires appropriate physical, administrative and technical safeguards for all electronic PHI Any method used to create, store, transmit or receive PHI must be included in Security Risk Assessment must be included in Security Risk Assessment ing PHI Encrypted Secure Include in security risk assessment Typically not secure Never use personal to transmit PHI Can create a HIPAA issue for the entire practice Free Safe harbor for breach notification 9

Email Provider May be Business Associate Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public

10 Provider May be Business Associate Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public providers that these entities would appropriately safeguard the ephi received from Covered Entity. a/enforcement/examples/pcsurgery_agreement.pdf Patient Request for Unencrypted Must accommodate request, even if encryption is not available Must provide a brief warning to the patient that the PHI could be read or accessed by a third-party while in transit AND confirm that the patient still wants to receive the PHI in this manner Sample form available at SVMIC.com 10

Patient Request for Unencrypted Email Patient sends request by email If patient replies, yes, practice may send PHI by email Practice responds to email with warning (email not secure) Asks patient if

11 Patient Request for Unencrypted Patient sends request by If patient replies, yes, practice may send PHI by Practice responds to with warning ( not secure) Asks patient if they still wish to receive PHI in this manner Timeliness in Providing Access Access must be provided within 30 days of request May extend time by an additional 30 days if unable to provide access in first 30 days Must inform patient in writing TN 10 days 11

Charging for Copies Charging Patients/Personal Representatives for Copies Only a reasonable, cost-based fee for making the copy (electronic or paper) may be charged

12 Charging for Copies Charging Patients/Personal Representatives for Copies Only a reasonable, cost-based fee for making the copy (electronic or paper) may be charged Cannot charge a retrieval fee, even if state law allows Cannot charge the patient based on state law, if the actual cost to make the copy is less than what state law allows 12

Cost associated with verification / documentation Searching for and retrieving PHI Maintaining systems

13 Reasonable Cost-Based Fee The fee may include only: Labor for copying the PHI (paper or electronic) Supplies for creating copy Postage, if the patient requests the copy by mail The fee may NOT include: Cost associated with verification / documentation Searching for and retrieving PHI Maintaining systems Recouping capital for data access or storage Actual Cost Labor to make copy Supplies used to make copy Postage costs 13

14 Actual Cost Example 15 pages Medical Records Clerk $12.00/hr x 15 minutes $12.00 X.25 = $3.00 Supplies used to make copy Paper ($3.50 per ream/500 =.007 per page) Toner ($190/5000 =.038 per page) Labor $ 3.00 Supplies $ 0.68 Postage $ 1.35 $ 5.03 Average Cost Average labor cost Supply costs Postage costs 14

Average Cost Example Medical Records Clerk $12.00/hr x 15 minutes $12.00 X.25 = $3.00 $3.00 / 15 pages = $ 0.20 per page Supplies used to make copy Paper ($3.50 per ream/500 =.

15 Average Cost Example Medical Records Clerk $12.00/hr x 15 minutes $12.00 X.25 = $3.00 $3.00 / 15 pages = $ 0.20 per page Supplies used to make copy Paper ($3.50 per ream/500 =.007 per page) Toner ($190/5000 =.038 per page) Labor $ 0.20 Supplies $ Avg. Per Page Cost $ Calculating Fees $6.50 FLAT FEE Flat $6.50 fee for electronic copy May be used only for records already in electronic form Inclusive of all labor, supplies and applicable postage 15

16 Patient s Right to Direct PHI to a Third-Party Patient Directing Access to Third-Party Patient request must be in writing and contain Patient signature Designated person to receive PHI Where to send the PHI Request may be made electronically (via a secure web portal) that includes an electronic signature or by sending an electronic copy of signed request Sample form available at SVMIC.com 16

Patient Directing Access to Third-Party Patient Directing PHI to a Third Party An authorization form is not required, only the written request from the

cost-based Patient Directing Access to Third-Party Requests From a Third Party with Patient s Written Request Must be treated the same as if the request came

17 Patient Directing Access to Third-Party Patient Directing PHI to a Third Party An authorization form is not required, only the written request from the patient Written request must include Patient s signature Who is to receive the information Where to send the information Charges have to be reasonable and cost-based Patient Directing Access to Third-Party Requests From a Third Party with Patient s Written Request Must be treated the same as if the request came directly from the patient Should include Patient signature Who is to receive the information Where to send the information May only charge a reasonable cost-based fee 17

18 Patient Directing Access to Third-Party Requests from a Third Party (not at patient s request) Must include an authorization form Third-party may be charged based on state law Other Notes from HHS Guidance 18

19 Notes from HHS Guidance HHS expects patients to be provided with free access to their PHI Complaints regarding access will be taken very seriously Authorization forms should not be used for patient access to PHI Information obtained from other physicians and included in the medical record, should be provided to the patient upon request Covered entities who maintain PHI electronically are required to have the capability to provide an electronic copy Things to do Read the Guidance Review current policies/procedures for access Review current charges for copies Develop new policies/procedures to ensure compliance Train staff Monitor compliance 19

20 Resources Resources Health and Human Services Access Guidance Health IT Security Risk Analysis tool SVMIC Sample forms 20

21 Questions? Loretta Duncan, MS, FACMPE Senior Medical Practice Consultant

Patient Right Access to PHI Understanding Recent OCR Guidance. Sondra Hornsey, CHC, CHPC HIPAA Privacy Officer, Washington University March 31, 2016

Patient Right Access to PHI Understanding Recent OCR Guidance Sondra Hornsey, CHC, CHPC HIPAA Privacy Officer, Washington University March 31, 2016 OCR Guidance Why Now? While the HIPAA Privacy Rule has