Personal Rights Under HIPAA
The HIPAA privacy regulations were promulgated as a result of perceived abuses that were occurring with patients’ confidential information. These perceived abuses included the sale of patient health information for marketing purposes. Since occurrences of the abuse were observed throughout the United States, the Department of Health and Human Services felt it appropriate to address the issue on a national level. The privacy regulations have as their core for existing the declaration of certain minimal patient rights held by everyone. The rights specifically created by HIPAA are not intended to be exhaustive and do not replace any more generous rights conferred by state law. In fact, several of the “new” rights created by HIPAA have existed in Pennsylvania for many years.
The patients have the following rights under HIPAA:
- The right to access, copy and inspect their health information;
- The right to request an amendment to their healthcare information;
- The right to obtain an accounting of certain disclosures of their health information;
- The right to request restrictions on disclosures for treatment, payment or other health care operations;
- The right to alternative means of receiving communications from covered entities; and
- The right to complain about alleged violations of the regulations and the covered entity’s own information policies.
It is these rights that give rise to the HIPAA framework and serve as the foundation of the information covered entities must convey to their patients.
Notice of Practices
All patients have the right to receive a copy of the covered entity’s “Notice of Privacy Practices.” This form may become the most visible creation under the HIPAA privacy regulations. It can be compared to the Notice of Privacy Rights everyone has received from financial institutions, credit card companies and the like for the past two years. In addition to being similar in form, its purpose is also intended to alert recipients of what may become of their information.
The regulations require that the Notice must be written in plain language. Further, although its content may vary with the provider, there are certain required elements and even certain language that must be included.
The following language must appear as a header or otherwise be prominently displayed in the Notice:
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The other required elements include identifying the uses and disclosures that may be made. These include identifying use of the information for Treatment, Payment, and other Health Care Operations. When identifying these potential uses, the Notice must include at least one example. When referencing treatment, it would be sufficient to disclose: “We may use or disclose your health information to a physician or other healthcare provider providing treatment for you.” Other permissible disclosures should be included, identifying where appropriate that an authorization may be required.
If the covered entity intends to engage in certain activities, such as the use of reminder notices, those activities also must be disclosed in the Notice. Typical headings in a Notice, in addition to Treatment, Payment, and other Health Care Operations, would include:
Your Authorization: This section would alert the patient of his or her right to authorize the entity to disclose the information for other purposes.
Your Family and Friends: This section would alert the patient of the ability to discuss the treatment with individuals close to the patient as long as the patient agrees to such a disclosure.
Persons involved in your care: This alerts the patient that disclosure may be made to assist in notifying people of the patient’s location or condition. If able, the patient is given the opportunity to object. If not, the healthcare provider is to use his or her professional judgment to determine what is in the best interests of the patient.
Marketing efforts: This section informs the patient that the health information will not be used for marketing communications without the patient’s written authorization.
Required by Law: This section would alert the patient that a disclosure may be made if required by law.
Abuse or neglect: This section would alert the patient of the disclosure in the event of suspected abuse, neglect or a belief that the patient is the victim of a crime. The information disclosed will be limited to that needed to avert a serious threat to the patient’s health or the health of others.
National Security: This section alerts the patient of the possible disclosure to the armed forces of information pertaining to the military as well as disclosures to other governmental entities involved in national security, intelligence activities and similar endeavors.
Appointment reminders: This section alerts the patient to the use or disclosure of health information to provide appointment reminders.
The Notice of Privacy Practices must also include a section informing the patients of their rights as created under HIPAA. The patient rights as contained in the regulations include discussion of the following:
Access: This section alerts the patient of the right to look at and get copies of his or her health information. It is also permissible in this section to detail the cost of obtaining such copies. This section also provides the patient with the opportunity to request to receive the records in a format other than photocopies as long as the request can reasonably be carried out.
Disclosure Accounting: This section alerts the patient of his or her right to receive a list of occurrences in which the covered entity or its business associates have disclosed protected health information for purposes other than treatment, payment or health care operations. If an accounting is requested more than once a year, a reasonable cost-based fee can be charged.
Restriction: This section alerts the patient of the right to request that the covered entity place additional restrictions on the use or disclosure of health information. This section also informs the patient that the covered entities are not required to agree to the additional restrictions.
Alternative Communication: This section informs the patient that he or she has the right to request that the covered entity communicate about the health information by alternative means or at alternative locations. It can also inform the patient of the need to make the request in writing. The request should specify the alternate means or locations and provide a satisfactory explanation of how payments will be handled under the alternate means or location.
Amendment: This section informs patients of their right to request that their health information be amended. The request should be set forth in writing and must explain why the information should be amended. This section should also inform the patients that the covered entity has the right to deny the request under certain circumstances.
Electronic Notice: This section informs the patient that if the notice is received by website or by electronic mail, the patient is entitled to receive a copy of the notice in written form.
The Notice of Privacy Practices must also disclose to the patients the covered entity’s legal duty. Although this requirement follows the uses and disclosures of health information and the patient’s rights in the order set by the regulations, many practitioners are placing it first among the substantive disclosures made in the notice. In addition to generally identifying the obligation to keep certain information private, this section discloses the duty to give the patient a copy of the notice. Oftentimes, this section will also include the covered entity’s right to amend or change its privacy practices. Before any significant change in privacy practice is made, the notice should be amended and new notices made available upon request. This section also concludes with an invitation to request copies of the notice at any time and directs any requests for additional information or any questions to the contact person identified later in the notice.
The final section of the Notice of Privacy Practices required under the regulations covers questions and complaints. Initially, an invitation to request additional information or raise any questions is provided.
In addition, patients are informed that if they have any concerns over the privacy practices or believe that their privacy rights have been violated, they have the opportunity to submit a written complaint to the U.S. Department of Health and Human Services or complain directly to the covered entity. The section concludes by identifying the contact person responsible for receiving any such complaints, including address, telephone numbers, faxes and where applicable E-mail addresses.
This document must be made available to all patients and posted conspicuously in the covered entity’s facility (if a health care provider).
All covered entities are required by April 14, 2003, to make a good faith effort to obtain their patients’ acknowledgment that the Notice of Privacy Practices has been received and reviewed prior to the disclosure of any health care information. The acknowledgment should be a separate document and need not be any more involved than merely listing the patient’s name and having him or her acknowledge receipt and review of the notice of privacy practices.
The U.S. Department of Health and Human Services recognizes that it may not be possible to obtain the acknowledgment from every patient. Therefore, all that is required of the covered entity is a good faith effort. The acknowledgment form can also include a section wherein the health care provider could document the basis for its inability to obtain the acknowledgment. The form might list matters such as emergency, communication barriers, refusal or other, as potential grounds for the inability to obtain an acknowledgment.
An acknowledgment either signed by the patient or properly noted by office personnel as to the inability to obtain a signed acknowledgment should be placed in every patient’s chart. Again, once a child gains the age of majority or is otherwise emancipated, an acknowledgment should be obtained directly from the child to replace any previous acknowledgment provided by his or her parents.
Individual’s Access, Amendment and Accounting of PHI
Although it was the recognition of some universal rights that gave rise to the promulgation of the HIPAA privacy regulation, the actual recitation of these rights does not appear until the end of the regulatory framework. It is here that the substance of the rights and the procedure for enforcement are spelled out.
Access of Individuals to Protected Health Information: The regulations provide as a general rule that an individual has a right of access to inspect and obtain a copy of protected health information about the individual for as long as the protected health information is maintained in the records. Specific exceptions listed are psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; and protected health information maintained by a covered entity that is subject to the Clinical Laboratory Improvement Amendments or exempt from such Amendments.
The regulations also provide that when a covered entity has refused to provide access under one of the exceptions, the decision may or may not be reviewable.
The covered entity must permit an individual to request access to inspect or obtain a copy of the protected health information about the individual. The covered entity may require individuals to make requests for access in writing as long as this requirement is expressed to the patient.
The covered entity must act within 30 days after receipt of the request. Its response must either grant the access and provide the information or provide the individual with a written denial. In the event the requested information is not maintained by the covered entity on site, it must respond within 60 days. In addition, a covered entity may obtain a 30-day extension within which to respond under either time limitation, as long as notice of the extension is provided in writing to the individual. Further, the written notice of the extension must identify the date by which the covered entity will complete its response.
A covered entity may provide the individual with a summary of the protected health information in lieu of providing access to the protected health information, as long as the individual requesting the information agrees in advance to such a summary and the individual agrees in advance to the fees imposed, if any, by the covered entity for producing the summary or explanation.
The regulations provide that the covered entity may impose a reasonable cost-based fee, as long as the fee includes only the cost of copying, including the cost of supplies for and labor of copying the protected health information, postage and the time required in preparing an explanation or summary of the protected health information if agreed to by the individual.
In the event the covered entity denies access, it must, to the extent possible, give the individual access to any other protected health information requested after excluding the protected health information as to which the covered entity has a ground to deny access. In informing the patient of the denial, the covered entity must provide written notice which includes, in plain language, the basis for the denial; if applicable, a statement of the individual’s review rights under the regulations, including a description of how the individual may exercise such review rights; and a disclosure of how the individual may complain regarding the denial.
If the covered entity does not maintain the protected health information that has been requested but knows where the records are maintained, this information must be shared with the individual.
Amendment of Protected Health Information: The regulations provide an individual with the general right to request a covered entity to amend protected health information or a record about the individual for as long as the protected health information is maintained in the designated records. In turn, a covered entity may deny an individual’s request for an amendment if it is determined that the protected health information or record that is subject to the request was not created by the covered entity (unless the individual provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment); is not part of the designated record; would not be available for appropriate inspection; or is accurate and complete.
It is permissible for the covered entity to require the individual to make any request for an amendment in writing and to provide a reason to support a requested amendment, provided that it informs the individual in advance of such a requirement. This notice should be provided in the Notice of Privacy Practices.
Again, the regulations place a requirement on the covered entity to act in a timely fashion. Specifically, the covered entity must act on the individual’s request for an amendment no later than 30 days after receipt of the request. If the covered entity is unable to act on the amendment within the 30-day time period, it is permitted to extend the period for no more than an additional 30 days as long as it provides the individual with a written statement of the reason for the delay and the date by which the covered entity will complete its action on the request. If the covered entity accepts the requested amendment in whole or in part, the covered entity must make the amendment by identifying the amendment in the records or otherwise providing a link to the location of the amendment. In addition, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual’s identification of, and agreement to have the covered entity notify, the relevant persons with which the amendment needs to be shared. Upon making the amendment, the covered entity must make reasonable efforts to inform persons identified by the requesting individual as having received protected health information about the individual and needing the amendment, and persons, including any business associates, that the covered entity knows have the protected health information that is subject to the amendment and that may have relied, or could reasonably rely, on the information to the detriment of the individual.
In the event the covered entity denies the requested amendment, it must provide the individual with a timely written denial. The denial must, in plain language, inform the individual of the basis for the denial, the individual’s right to submit a written statement disagreeing with the denial, and how the individual may file such a statement. In addition, the covered entity must provide a statement that if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for the amendment and the denial with any disclosures of the protected health information. Finally, a description of how the individual may complain to the covered entity or the Department of Health must be provided.
The covered entity must allow the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of the requested amendment and the basis of such disagreement. The covered entity is allowed to reasonably limit the length of the statement. Upon receipt of a statement of disagreement, the covered entity may prepare a written rebuttal. In the event the statement of disagreement is received, the covered entity must include that material with any future disclosures of the protected health information. If no such statement was received, the covered entity must include the individual’s request for amendment and its denial with any subsequent disclosures only if the individual has requested such action.
A covered entity that receives notice from another covered entity as to an amendment of an individual’s protected health information must amend the protected health information in its possession.
Accounting of Protected Health Information: The HIPAA privacy regulations provide the individual with a right to receive an accounting of disclosures of protected health information made by the covered entity in the six (6) years prior to the date on which the accounting is requested. The accounting need not list disclosures: for treatment, payment or health care operations (TPO); to the individual who is the subject of the protected health information; incident to a use or disclosure otherwise permitted or required by HIPAA; pursuant to an authorization granted by the patient; for the facility’s directory or to persons involved in the individual’s care or for other notification purposes; for national security or intelligence purposes; to correctional institutions or law enforcement officers; or that occurred prior to the compliance date for the covered entity. Due to the numerous exceptions to the accounting requirement, only those disclosures that can be classified as being outside the normal practice or procedure of the covered entity are likely to need to be identified in the accounting. Additionally, since the disclosures will be of the unusual variety, keeping track of them should not be difficult.
The written accounting provided to the individual must include all disclosures of protected health information during the six (6) years prior, unless the individual requests a shorter period. The accounting must include the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the health information disclosed and a statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.
If numerous disclosures have been made to the same person or entity, the accounting should list the information required generally as well as the frequency or number of disclosures made during the accounting period and the date of the last such disclosure during the accounting period. In addition, in the event the covered entity has made a disclosure as a result of a particular research purpose, the accounting should identify the name of the protocol or other research activity; a description in plain language of the activity, including the purpose of the research and criteria for selecting particular records; a brief description of the type of protected health information that was disclosed; the date or period of time during which the disclosure occurred; the name, address and telephone number of the entity that sponsored the research; and a statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or research activity.
The covered entity must act on the individual’s request for an accounting no later than 60 days after receipt of the request. Such action must include the entity providing the individual with the accounting requested or, if the covered entity is unable to provide the accounting within the timeframe, do so within an additional 30 days as long as the covered entity informs the individual of the extension in writing and the writing identifies the reason for the delay and the date by which the covered entity will provide the accounting.
Covered entities must provide the first accounting to an individual in any 12-month period without charge. For any subsequent requests within a 12-month period, the covered entity may impose a reasonable cost-based fee.
The covered entity must maintain a copy of the written accounting and a list of the titles of the persons or offices responsible for receiving and processing requests for accountings by individuals.
Right of the Individual to Request Restriction on Use or Disclosure
For uses that require a patient’s authorization, such as marketing, the patient retains exclusive control over any such disclosure. Mere refusal to grant the authorization would preclude the covered entity from using the information in this fashion. This control could also be exercised by the individual with regard to whom the information may be disclosed. As identified in the suggested language pertaining to the Notice of Privacy Practices, disclosure to friends or family members can only occur in the event the patient agrees.
In addition to this control, the patient has the right to request that the covered entity restrict uses or disclosures of protected health information about the individual to carry out treatment, payment or health care operations. In addition, the individual could restrict disclosures for purposes of others’ involvement in an individual’s care and notification purposes.
However, unlike the situation with marketing, the covered entity is not required to agree to such a restriction. In the event the covered entity does agree to such a restriction, the entity may not use or disclose the protected information in violation of the restriction.
A covered entity that agrees to a restriction must document the existence of the restriction in its charts. The agreement as to a restriction may be terminated if the individual agrees to or requests the termination in writing; the individual orally agrees to the termination and the oral agreement is properly documented; or the covered entity informs the individual that it is terminating its agreement to the restriction.
In addition to requests for limitations on the use or disclosure, the individual has the right to request confidential communications. The health care provider must accommodate a reasonable request by individuals to receive communications of protected health information by alternative means or at alternative locations. The health care provider must accommodate a reasonable request if the individual clearly states the disclosure of all or part of the information could endanger the individual.
For purposes of implementation, the covered entity may require the individual to make the request in writing. The covered entity may condition the reasonable accommodation on identification of how payment will be handled and the specification of an alternative address or other method of contact. The covered entity may not require an explanation as to why the individual requests the accommodation.
Examples of reasonable accommodations include sending reminder notices in an envelope rather than on a postcard. Further, discussions about patient care that would otherwise take place in a waiting room could occur in private areas of the office. Actual restructuring or changing of the practice facility is not required.
Right to Complain
In perhaps one of the greatest examples of excessive regulation, the HIPAA privacy rights provide individuals with the specific right to complain how their confidential information is handled. For certain individuals, this was obviously not necessary.
The regulations provide the individuals with the right to complain to the Secretary of the Department of Health and Human Services. The complaint must be filed in writing, either on paper or electronically. In addition, the complaint must include the name of the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the HIPAA regulations. The complaint must be filed within 180 days of when the individual knew or should have known of the act or omission which is the subject of the complaint.
In addition to complaining to the Department of Health and Human Services over a perceived failure to follow the regulations, individuals are afforded the opportunity of complaining directly to the entity. In fact, the covered entity must designate a contact person who is responsible for receiving the complaints. The covered entity is required to document all complaints received and their disposition.
Penalties for Failure to Comply
The HIPAA privacy standards provide for the possibility of civil penalties in the event of a violation. These penalties can be up to $100 for each offense with an annual cap of $25,000 for repeated violations of the same requirement.
In April of 2003, interim final rules were published setting forth a detailed administrative procedural framework within which to assess and adjudicate the imposition of the civil penalties. The interim final regulations set forth procedures for the issuance of investigative subpoenas and inquiries. In addition, the regulations provide the Secretary of the Department of Health and Human Services with the ability to settle any case or to compromise a penalty. Notice of the proposed determination is to be given by certified mail to the respondent. The notice informs the respondent of the right to request a hearing before an Administrative Law Judge. Absent a request for a hearing, the Secretary of the Department of Health and Human Services is to impose the proposed penalty or any less severe penalty permitted by the Act. In the event no hearing is requested, the respondent does not have the right to appeal the imposition of the penalty.
Once a penalty has been imposed, it can be recovered in any civil action brought in the United States District Court for the district where the respondent resides, is found, or is located. Additionally, the amount of the penalty, once finally determined, can be deducted from any sum then or later owed by the United States or by a state agency to the respondent.
Respondents have the right to request a hearing, as long as the same is done in writing by the respondent or the respondent’s attorney. A request for a hearing must be made within 60 days after notice of the proposed determination is received by the respondent.
The request for the hearing must clearly and directly admit, deny or explain each finding of fact contained in the Notice of Proposed Determination. The request for a hearing is also to state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual or legal basis for opposing the penalty.
Due process rights afforded the parties include the right to be represented by counsel and to participate in any conferences held by the Administrative Law Judge. Limited document discovery is permitted. Both parties are entitled to present and cross-examine witnesses and to present oral argument as permitted by the Administrative Law Judge. Finally, the parties have a right to submit written briefs and proposed findings of fact and conclusions of law following the hearing. Prior to the hearing, the parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits at least 15 days before the hearing, unless the Administrative Law Judge orders an earlier exchange. The Administrative Law Judge will also have the authority to issue subpoenas to compel the attendance of witnesses.
Finally, the regulations go so far as to mandate the form of any filings and requirements of service and proof of service.
Following the hearing, the Administrative Law Judge may require the parties to file post-hearing briefs. In no event shall the time for filing such briefs exceed 60 days from the date the parties receive the transcripts of the hearing.
The Administrative Law Judge’s decision is due within 60 days after the time for submission of post-hearing briefs. In the event the Administrative Law Judge fails to meet the deadline, he must notify the parties in writing as to the reason for the delay and set a new deadline. The Administrative Law Judge’s decision is construed as the final decision of the Secretary of the Department of Health and Human Services, and as such is appealable.
The Act also sets forth a number of substantive limitations on the Secretary of the Department of Health and Human Services’ authority to impose civil monetary penalties. First, a civil monetary penalty may not be imposed with respect to an act that “constitutes an offense punishable under the criminal penalty provisions of the Act.” Second, a civil monetary penalty may not be imposed if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision. Third, a civil monetary penalty may not be imposed if the failure to comply was due to reasonable cause and not to willful neglect and is corrected within a certain time period. Finally, a civil monetary penalty may be reduced, if not waived entirely, to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.
As referenced in the exceptions to the civil monetary penalty, the Act does provide for the possibility of criminal penalties. The knowing, wrongful use of individually identifiable health information is punishable criminally at various levels depending upon the culpability of the individual. For knowing misuse of individually identifiable health information, criminal penalties can be up to $50,000 and/or one year in prison. For misuse of the information under false pretenses, penalties can range up to $100,000 and/or 5 years in prison. Finally, for offenses committed with the intent to sell the information for profit or to cause malicious harm, penalties can range up to $250,000 and/or 10 years in prison.