Electronic Copies of Protected Health Information 

The final HIPAA rule expands an individual’s right to all electronic protected health information maintained in any designated record set. (The HITECH Act of 2009 only required that individuals be given electronic access to their protected health information as part of an electronic health record.)

In other words, covered entities must allow individuals access to their own protected health information in the electronic form and format requested, unless the material cannot be readily provided in that format. In that case, the covered entity and the individual can agree on a legible electronic format in which the information can be provided. As a fallback, if the individual declines electronic formats that can be provided, then the covered entity can comply with the request for an electronic copy by providing a hard copy of the protected health information. The final rule also decreases the time allowed to the covered entity to provide access to paper or electronic records.

Covered entities must respond within 30 days of the date of the request (but may have a 30-day extension if necessary), and this maximum period of 60 days applies, even if the protected health information is kept off-site.

REQUIRED ACTION:

UPDATE THE “PROVIDING INDIVIDUALS ACCESS TO THEIR PHI” POLICY AND PROCEDURE TO COMPLY WITH THIS REQUIREMENT.

Right to Restrict Access

Applicability Date: This rule was originally effective on February 18, 2010 in Proposed Rules (and has applied to covered entities since that date); the final rule made the below requirement permanent.

While individuals may request a restriction on the use of their protected health information, typically the covered entity can deny the request. This is not the case, however, when the disclosure is for a purpose other than “treatment,” and the individual has paid in full for the service. In this instance, the covered entity is required to comply with the request to restrict access to the protected health information. However, only covered entities that are health care providers must include this right of restriction in the Notice of Privacy Practices; all other covered entities may maintain language in the Notice of Privacy Practices noting that they are not required to agree to the requested restriction.

REQUIRED ACTION:

UPDATE AND RE-DISTRIBUTE THE “NOTICE OF PRIVACY PRACTICES.” WILLIS HAS UPDATED THE MODEL NOTICE OF PRIVACY PRACTICES TO INCLUDE THIS RESTRICTION OF ACCESS; HOWEVER, COVERED ENTITIES THAT ARE NOT HEALTH CARE PROVIDERS MAY CHOOSE TO REMOVE THIS PROVISION FROM THE NOTICE OF PRIVACY PRACTICES.

Immunization Records

Generally, while individuals may request a restriction on the use of their protected health information, the covered entity may disclose proof of immunization to a school when this information is required prior to student admission.

Written authorization will no longer be required; instead, covered entities may obtain verbal authorization from the individual (if an adult or emancipated minor) or a parent, guardian, or any other person standing in the place of the student’s parent.

Powered by Willis