Archive for the ‘HIPAA – Health Information Privacy’ Category

Providing Protected Health Information in Response to Subpoena

Monday, March 12th, 2018

By Fisher, JD, CHC, CCEP

unauthorized release phi subpoena

OCR Citation for Improper Disclosure of PHI in Response to a Subpoena

A health care provider or other covered entity under HIPAA is permitted to disclose protected health information if it receives a lawful order from a court or administrative tribunal.  this does not mean that a provider can simply release everything it has in a patient record when it receives a court order.  Some records, such as mental health or substance abuse records might have special protections or limitations that apply.  Additionally a provider should closely review the relevant order and only disclose the information that is specifically required by the order.

The ability to release information in response to a subpoena, as opposed to an order of a court, is subject to different rules.  Patient information can only be provided under subpoena if certain notification requirements of the Privacy Rule are met. The notification requirements require the provider who received the subpoena to obtain evidence that there were reasonable efforts to notify the person who is the subject of the information about the request.  This is intended to give the individual an opportunity to object to the disclosure, or obtain a protective order from the court.

The application of these rules are

Read more here: Health Law Blog

  

Medical Alerts – HIPAA Implications of Flagging Patient Records

Wednesday, March 7th, 2018

By Fisher, JD, CHC, CCEP

AIDS identification external alert HIPAA

Identification of AIDS Status Through Medical Alert System

Dentist Revises Process to Safeguard Medical Alert PHI

A recent OCR investigation of a dental practice’s flagging of patients records highlights a potential HIPAA violation.  The OCR investigation confirmed allegations that the dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover.   Records were handled so that other patients and staff without need to know could read the sticker.  A patient complaint commenced an OCR investigation into whether the practice potentially identified the AIDS status of patients within the office.

When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant’s file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Further, the covered entity’s Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology.

The lesson here is not to place special medical alerts on the outside of physical patient records.  This is a particularly bad practice in a dental office where the typical office setup can

Read more here: Health Law Blog

  

Applying Section 1557 Discrimination Rules to Employer Sponsored Health Plans

Sunday, February 11th, 2018

By Fisher, JD, CHC, CCEP

Health Plan 1557 Compliance

Section 1557 Covered Entities and Employer Sponsored Health Plans

Section 1557 of the Affordable Care Act (ACA) prohibits “covered entities” discrimination in health programs that receive federal financial assistance from the Department of Human and Health Services.  Regulations were issued in 2016 that define the details of compliance with Section 1557 which prohibits discrimination based on race, color, national origin, age, disability and sex.  (including discrimination based on pregnancy, gender identity and sex stereotyping).  The stated purpose for the rules is to expand access and eliminate barriers to the ability to obtain health care coverage.

The definition of “covered entities” to which Section 1557 apply is extremely broad.  Through the broad definition, the requirements of Section 1557 apply to any health program or activity that received federal financial assistance through the Department of Health and Human Service.  This definition includes most health care providers, such as hospitals, nursing homes, and physician, who receive Medicare or Medicaid reimbursement, insurance marketplace and exchanges and participating health plans.

The Section 1557 rules extend to some (but not all) employers that are group health plan sponsors.  Determining whether Section 1557 applies to a specific employer can be quite complicated and is based on several factors such as

Read more here: Health Law Blog

  

Medical Record Copying Charges In Wisconsin

Wednesday, May 7th, 2014

Wisconsin Law Release of Patient Medical Records

Wisconsin Law requires health care organizations to provide records are to patients “on request.”  Records can be provided directly to the health care provider subject to payment of the statutory fees.  Patient must deliver an “informed consent” to the organization consenting to release of their records.

Fees were revised as provided below:

(a) A patient’s health care records shall be provided to the patient’s health care provider upon request and, except as provided in s. 146.82 (2), with a statement of informed consent.

(b) The health care provider under par. (a) may be charged reasonable costs for the provision of the patient’s health care records.

(2) The health care provider shall provide each patient with a statement paraphrasing the provisions of this section either upon admission to an inpatient health care facility, as defined in s. 50.135 (1), or upon the first provision of services by the health care provider.

(3) The health care provider shall note the time and date of each request by a patient or person authorized by the patient to inspect the patient’s health care records, the name of the inspecting person, the time and date of inspection and identify the records released for inspection.

 (3f)

(a) Except as provided in sub. (1f) or s. 51.30 or 146.82 (2), if a person requests copies of a patient’s health care records, provides informed consent, and pays the applicable fees under par. (b), the health care provider shall provide the person making the request copies of the requested records.

 (b) Except as provided in sub. (1f), a health care provider may charge no more than the total of all of the following that apply for providing the copies requested under par. (a):

Revised Fees for Patient records:

 Wisconsin Medical Record Maximum Fees through June 30, 2014 — (last year’s fees noted for reference)

Paper copies

  • First 25 pages: $1.04/page ($1.02/page)
  • Pages 26-50: 77 cents/page (76 cents/page)
  • Pages 51-100: 52 cents/page (51 cents/page)
  • Pages 101 and above: 31 cents/page (30 cents/page)

Microfiche or Microfilm: $1.55/page ($1.52/page)

Print of an X-ray (per image): $10.32 ($10.15)

If the requestor is not the patient or a person authorized by the patient

  • Certification of copies: $8.26 ($8.12)
  • Retrieval fee: $20.65 ($20.30)

When Does HIPAA Override State Medical Privacy Laws

Thursday, March 14th, 2013

HIPAA Preemption of State Law

The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law:

  • relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information
  • provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
  • requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.

Additional areas that permit State law to have an exception from the Federal preemption rules can be created by formal request from the State if certain requirements are met.  The Department of Health and Human Services (HHS) may, following request from a State, determine that a provision of State law which is “contrary” to the Federal requirements – as defined by the HIPAA Administrative Simplification Rules – and which meets certain additional criteria, will not be preempted by the Federal requirements. The Secretary of HHS must determine that one of the following criteria apply before granting and exception from the HIPAA preemption rules. These criteria require a showing that the state law at issue:

  1.  is necessary to prevent fraud and abuse related to the provision of or payment for health care,
  2. is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
  3. is necessary for State reporting on health care delivery or costs,
  4. is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
  5. has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

Only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. In order to be considered “contrary”  it must be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.