Families USA: The Voice for Health Care Consumers
    



Accessing Medical Records and the HIPAA Privacy Regulation

April 24, 2003


 

Sonya Schwartz, Private Insurance Coordinator, and Cheryl Fish-Parcham, Medicaid Coordinator, jointly hosted the call.  The HIPAA Privacy Regulation took effect on April 14, 2003.  Many programs have already been noticing changes in responsiveness when they request medical records.  Ms. Schwartz has written an issue brief entitled Rights to Access Medical Records Under the HIPAA Privacy Regulation (April 2003), which addresses individuals' access to their medical records, including the interaction of HIPAA with state laws and other federal laws.  Ms. Fish-Parcham's forthcoming issue brief, Health Insurance Portability and Accountability Act (HIPAA):  Questions and Answers for Consumer Health Assistance Programs, describes the rights of consumer health assistance programs to request medical records on behalf of clients.

 

Ms. Schwartz introduced the guest speaker, Janlori Goldman.  Ms. Goldman is the Director of the Health Privacy Project (HPP), which she started in 1997.  Prior to establishing the Health Privacy Project, Ms. Goldman had been a visiting scholar at Georgetown and worked at the ACLU. 

 

 

I. Health Assistance Partnership and Health Privacy Project Materials

Rights to Access Medical Records Under the HIPAA Privacy Regulation

The HIPAA privacy regulation protects access to "protected health information" (PHI) held by "covered entities."  This issue brief examines in detail the rights and limitations of individual consumers in obtaining their medical records and the procedures that they and the covered entities must follow to ensure that neither access nor privacy is compromised.  The issue brief provides links to the regulations and relevant CMS sites as well as other helpful materials.

 

Definition of Protected Health Information (PHI) 

HIPAA's definition of PHI requires that PHI be 1) health information and 2) individually identifiable.  Health information is broadly defined and means any oral information relating to the past, present, or future physical or mental health of an individual; the provision of care to the individual; or payment for health care.  Individually identifiable means information that identifies or reasonably can be used to identify the individual (and does not include information that has been de-identified).

 

If a consumer health assistance program contacts a health plan about general criteria for treatment or for an explanation of a delay in a consumer's getting an appointment with a doctor, such conversations probably do not rely on PHI and should not be affected by the HIPAA Privacy Regulation. 

 

Definition of Covered Entities

"Covered entities" are 1) health plans, 2) health care clearinghouses, and 3) health providers that transmit information in electronic form in connection with specified financial and administrative transactions.  A good way to figure out whether a particular organization is a covered entity is to use the covered entity decision tool available at (http://www.cms.hhs.gov.hipaa2/support/tools/decisionssupport/default.asp).

Health Insurance Portability and Accountability Act (HIPAA):  Questions and Answers for Consumer Health Assistance Programs (available at http://www.healthassistancepartnership.org)

 

Ms. Fish-Parcham asked participants for questions to include in her forthcoming issue brief.  This issue brief, in the form of questions and answers, to date covers how to make an authorization form HIPAA-compliant; how to request psychotherapy notes; what to expect to be charged for medical records; how to meet HIPAA requirements when trying to resolve disputes with a health plan by phone; where to file complaints; and how to know whether a consumer health assistance program is a covered entity under HIPAA.

 

Health Privacy Project (HPP)

Ms. Goldman noted that since April 14, a lot of misinformation about HIPAA and its implementation has been reported.  HPP's Web site (http://www.healthprivacy.org/) offers a summary of the law and a discussion of some of the most misunderstood provisions of the law.  Ms. Goldman emphasized the importance of educating the public to understand how the law should be interpreted and applied.  HPP has a sample complaint form on its Web site, and Ms. Goldman invited participants to use or adapt that form.  If programs and their clients are willing to share, HPP is interested in seeing the kinds of complaints that are filed and a list documenting problems.  HPP also has state reports summarizing the health privacy statutes of all the states.  These reports are not a preemption analysis but give a good basis for understanding the state law.  HPP did a preemption analysis of California, funded by the California Healthcare Foundation, and that analysis is available at (http://www.chcf.org).  Ms. Goldman's favorite document is Myths and Facts about the Health Privacy Regulation (April 4, 2001, http://www.healthprivacy.org/usr_doc/MYTHS%20FACTS%2Epdf), which was developed to respond to and correct much of the misinformation out there.  An updated 'Myths and Facts' document will be posted on the Health Privacy Project's website soon.

 

II. CHAP Essentials about the HIPAA Privacy Rule

 

  1. Some CHAPs Are Separate From Covered Entities

Many consumer health assistance programs are entirely separate from covered entities, such as programs in a state attorney general's office, or a nonprofit legal services program.  Consumer health assistance programs that are separate from covered entities most likely will need a HIPAA-compliant authorization form. We sent out a few examples of these forms and can make them available if you email us. HAP is working with some programs already to make authorization forms compliant with HIPAA and relevant state law.  These separate programs are not, for example, a sub-agency of a Department of Health or Medicaid agency that is intertwined with a covered entity.  Cheryl will talk about these more complicated CHAPs.

Elements of a HIPAA-Compliant Authorization Form

Ms. Goldman said that one of the good things about the regulation is that it is fairly specific about what elements must be included in the authorization.  It is a bit of a roadmap, but you still have to read it with state law.  If a state is more specific, for example, in the HIV or mental health area, you may need to include that information in the authorization form as well.  Also, the authorization form is distinct from any other kind of disclosure mandated by law.  The basic elements of a HIPAA-compliant authorization form follow:

    1. Describe information to be used or disclosed in a specific and meaningful fashion.
    2. Name who is going to receive the information or the class of persons who will receive it.
    3. Describe the purpose of the request, trying to get to the fact that information that is used for one purpose is not going to be used for another purpose.  If an individual authorizes her story to be used by a hospital for its fund raising for breast cancer, the information cannot be shared outside that fund raising effort. 
    4. Include a date or event after which the information can no longer be released: one year, two years, or the time it takes to complete the purpose (for example, until the research is complete or until the case is closed or until the problem is solved).  It is quite an open-ended section.
    5. The form must be signed and dated.  You could get an authorization by email if you had a valid digital signature, although it may not be realistic to have this capacity.

The authorization must also include notice to the consumer and is an opportunity to educate people about their rights.

    1. Opportunity to revoke the authorization.  A consumer may want another caseworker or not want to pursue the case.  S/he may not want to participate in the research project.  Consumers need to be aware that information used in reliance on the authorization cannot be called back by the consumer.  A revocation is not retroactive.
    2. Notice that if the person to whom authorization is given is not a covered entity under HIPAA or is not subject to other laws, the information might be disclosed.
    3. Covered entities cannot condition the delivery of benefits or services on obtaining the authorization.  For example, covered entities cannot say they will not give services unless a consumer agrees to participate in a research project. 

Ms. Goldman advised that it is good practice that the individual receives a copy of any revocation.

Ms. Goldman noted that some institutions are using the privacy regulation to suggest that they cannot disclose information.  Often this practice is an overreading of the regulation.  She wanted to know whether people have had that experience and would welcome hearing these stories.  She is trying to differentiate between where HIPAA creates real barriers and where it is being used as an excuse for not responding to requests.  Both Ms. Goldman and Ms. Fish-Parcham asked participants to let them know when the HIPAA privacy regulation is used as a reason why information will not be provided.

  2. Some CHAPs Are Intertwined with Covered Entities

Many Medicaid consumer health assistance programs are contractors to the Medicaid agency, and some have access to online information or are part of government in the Medicaid agency or in a related agency.  The HIPAA regulation says that the Medicaid program as a whole is a covered entity.  A Department of Health as a whole could be a covered entity or the department could designate parts, such as just the Medicaid administration, to be covered entities.  States will vary in their approach, but generally if your program is contracting with covered entities, such as a Medicaid program, to perform a function on behalf of the Medicaid program, you should have what is called a business associate agreement.  A business associate agreement 1) binds you to hold the information that is shared with you in the course of business as confidential information and 2) gives you privileges to receive information from the covered entity with which you are associated without having to get an authorization for that information exchange.

 

A business associate agreement is a contract entered into by a covered entity and any organization that the covered entity would want to have as its agent or contractor.  It allows the business associate to step into the shoes of the covered entity for a particular purpose.  The agreement should specify: 1) what is the activity?, 2) what is the use of the information?, and 3) what are the limits on re-use and redisclosure?  The business associate is not directly liable under the regulation in terms of criminal or civil penalties or investigations.  The business associate is technically contractually bound to adhere to the rule but is not bound in terms of the federal regulation.  It would be the job of the covered entity to come after the business associate in terms of indemnifying itself and recovering penalties.

 

Programs in Minnesota and other states have been dealing with this very issue, where a statewide ombudsman program uses county advocates more loosely affiliated with that program.

 

In Minnesota, the whole Department of Human Services is dealing with HIPAA.  The Office of the Ombudsman for Managed Health Care is within the Medicaid agency and has the responsibility to do education and training and work with 80 advocates who are all county employees and working with a covered entity.  Over time, they have done a lot of information sharing, particularly with health plans, where the contractual language says that the health plans must respond to the state ombudsman and the county programs.  HIPAA has added another layer of concerns not just for health plans but for providers.  Advocates have been calling the Office of the Managed Care Ombudsman saying that health plans' customer service refuses to give them information on, or gives them difficulty in getting information on, claims, payments, and services.  Advocates are also having more difficulty with providers.  The Office of the Managed Care Ombudsman is drafting a letter that would support its authority to share information, but the letter is not yet complete because more information about HIPAA and HIPAA terminology is needed.

 

Many states have now drafted an addendum to their contracts with health plans (a business associate and trade partners agreement) that includes procedures for sharing information with county programs.  Meanwhile, the Minnesota Office of the Managed Care Ombudsman will make changes to its authorization forms and will try to get the health plans involved in getting information from providers when advocates have trouble.

When issues are addressed over the telephone, a three-way call that includes the consumer should work as implied consent for a covered entity to provide information orally.  Since the consumer has the right to the information, the advocate's being in on the same phone call should not change that right.

Early Barriers Detected

Problems getting information have arisen at pharmacies.  Providers are using HIPAA as a way not to divulge information.

Ms. Goldman explained that often barriers are created because the rule is being implemented inappropriately.  She said that we need to be aggressive with OCR (the Office of Civil Rights in the U.S. Department of Health and Human Services) and with professional associations.  For example, hospitals are implementing directory information in a way that is contrary to the rule.  HIPAA says that hospitals may release information about a hospitalized person (such as the presence of the person at the hospital and the hospital room telephone number), unless the person opts out.  Hospitals are doing the opposite.  Ms. Goldman suggested that hospitals might be doing this to show that the rule is unworkable.  It is important to sift through where the regulation is wrong or misunderstood.

 

Minnesota newspapers have carried stories about hospitals refusing to accept flower deliveries. Ms. Goldman pointed out that that is hospital policy, and nothing in HIPAA requires this type of response. 

  3. Some CHAPs Are Health Oversight Agencies

Some programs are part of health oversight agencies.  For example, some mental health ombudsman programs have a right to inspect all records, and some programs are authorized to review all records concerning serious injury or death.  There is a specific memo by AOA addressing nursing home ombudsman programs.  Health oversight agencies have special privileges to review information to conduct oversight activities and do not need specific authorization from a consumer, as long as they are carrying out their oversight purpose.

 

III. Questions and Answers

HAP has received a lot of interesting questions from programs in the past few weeks, and Ms. Goldman was asked to respond to them. 

 

Q. Under Wisconsin state privacy law, individuals have a right to sue.  However, the underlying Wisconsin state law is "less stringent" because the rules for accessing records are more limited than HIPAA but also "more stringent" because the law has a right to sue, which is more protective of the consumer than HIPAA.

A. With the caveat that she was not giving legal advice but trying to help everyone understand the law, Ms. Goldman noted that the preemption law is not easy.  If the state law is "more stringent" and not in conflict with a federal law, the state law stands.  "More stringent" can be interpreted as more protective for the consumer.  So, for example, if getting a copy of a record is cheaper under state law, it is more stringent.  In terms of remedies, the federal law does not include a right to sue.  Many state statutes do have a private right of action.  If the substantive law is less stringent than HIPAA, then the weaker statute falls out, and the remedy also falls out.  The remedy is not severable from the underlying law.  (Note: if the less stringent law is not in the same statute as the right to sue, the right to sue may not be preempted.)

Ms. Schwartz mentioned that there are ways to save the state right to sue.  A state could amend the substantive part of the law to make it as stringent as HIPAA and the right to sue would be preserved.

Q. What about personal representatives?

A. Ms. Goldman said that it was a good idea for a consumer to grant someone a health care power of attorney, so that person would be recognized under HIPAA as a "personal representative" and have a right of access to medical records on behalf of the consumer.

Q: One program asked if there is a way to simplify or streamline the process of getting medical records, given how many requests must be made?

A: One program answered that in Maryland, each local health department has a HIPAA compliance officer who can ask questions of their state Department of Health.  Maryland's state law is more restrictive about confidentiality concerning Medicaid clients, so that business should not be different than usual.  However, providers are not understanding when they can communicate with local ombudsmen and care managers, so the state has sent them an explanatory letter.

Ms. Fish-Parcham mentioned that it would be helpful for HAP to have state letters about HIPAA and consumer health assistance programs on file if participants are comfortable sharing them.

Q: One program asked a question about the authorization being a barrier to advocating for consumers.  Some programs have thousands of calls, and a signed authorization will take time to get, and some consumers can't wait that long. 

A: Ms. Goldman asked to be kept informed about problems such as this.  HHS can modify the rules at any time if modifications are not substantial, and can make substantial changes once a year.  Some of the problems consumer advocates are experiencing were not considered as the rules were drafted. 

Q: A mental health ombudsman asked how hospitals are to decide a patient's wishes regarding disclosure if the patient is not competent to indicate her intent.

A: Ms. Goldman said that hospitals are often stating policy that is contrary to the regulations.  In most instances, hospitals can disclose information to people involved with a patient as long as the patient does not opt out.  The hospital must give the patient an opportunity to object, rather than affirmatively getting the patient's consent.

Q: Does the covered entity need to name all its business associates in the privacy notice?

A: No, it must provide a general description of the circumstances under which disclosure will occur. 
