Review/Revised Date: 10/19/2017
1. PURPOSE: To ensure that patients' rights related to their health information are protected as required by the Health Insurance Portability and Accountability Act (HIPAA) and Alabama state law.
2. PHILOSOPHY: UAB recognizes and respects the rights of patients with regard to their health information as contained in HIPAA.
3. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time-to-time) and to the following UABHS Covered Entities: University Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time-to-time. For purposes of this policy, UAB and UABHS Covered Entities shall be collectively referred to as "UAB."
4. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164.
4.1. Designated Record Set: A group of records maintained by or for a UAB covered entity that is: (1) with respect to UAB providers, the medical records and billing records about individuals maintained by them; (2) with respect to VIVA Health, Inc., the enrollment, payment claims adjudication, and case or medical management record systems maintained by them; or (3) used, in whole or in part, by or for the UAB covered entity to make decisions about individuals. For purposes of this definition, "record" means any item, collection, or grouping of information that includes protected health information (PHI) and is maintained, collected, used, or disseminated by or for the UAB covered entity.
4.2. Disclosure: The release, transfer, provision of, access to, or divulging in any other manner of information outside the UAB covered entity holding the information.
4.3. Healthcare Operations: Any of the activities set forth in the regulations that includes, but is not limited to, the following:
4.3.1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not include treatment;
4.3.2. Reviewing the competence or qualifications of health care professionals, evaluating performance, conducting training programs for healthcare and non-healthcare professionals, and participating in accreditation, certification, licensing or credentialing activities;
4.3.3. Underwriting, premium rating and other activities relating to health plan contracts;
4.3.4. Conducting medical review, legal services auditing, and compliance functions;
4.3.5. Business planning and development and business management and general administrative activities including, but not limited to customer service, resolution of internal grievances, and due diligence.
4.4. Payment: The activities described in the regulation, including, but not limited to, those undertaken by a provider to obtain or provide reimbursement for the provision of health care, including, but not limited to, determinations of eligibility or coverage; risk adjusting amounts due; billing, claims management, and collection activities; review of health care services with respect to medical necessity and coverage; utilization review activities, including precertification and preauthorization of services; and disclosure to consumer reporting agencies of the following information: name/address, date of birth, social security number, payment history, account number, and name and address of the provider.
4.5. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies an individual, or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.
4.6. Psychotherapy Notes: Notes recorded by a provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
4.7. Treatment: The provision, coordination, or management of health care services by providers, including the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for health care from one provider to another.
4.8. Use: The sharing, employment, application, utilization, examination, or analysis of PHI within the UAB covered entity that maintains the PHI.
5. POLICY STATEMENTS:
5.1. Right to Request Restriction of Use and Disclosure of PHI
5.1.1. UAB patients have the right to request that UAB restrict or limit the use and disclosure of PHI about the patients in the following circumstances:
5.1.1.1. when PHI is used or disclosed for treatment, payment, and healthcare operations
5.1.1.2. for disclosures of PHI to individuals involved in the patient's care or payment for that care, i.e. family, friends, or other representative.
5.1.2. UAB is NOT required to agree to the request. However, if UAB agrees to the request to restrict the use and disclosure of PHI, UAB must ensure that the request is honored, except in the event a provider requires the use and disclosure of the PHI for emergency medical treatment. Any agreed-upon restrictions may be terminated by UAB by furnishing the patient with written notification of the termination.
5.1.2.1. Each UAB covered entity is responsible for developing a process to review and respond to patient requests to restrict use and disclosure of PHI. This process shall include a method to maintain written or electronic documentation of any agreed-upon restrictions.
5.1.3. If any UAB covered entity participates in the Alabama One Health Record System (Alabama's Health Information Exchange), then its patients have the right to opt out of this system.
5.1.3.1. Each UAB covered entity is responsible for developing a process to review and implement patients' requests to opt out of the Alabama One Health Record System.
5.1.3.2. The UAB covered entity may require the patient to submit the opt out request in writing.
5.2. Right to Receive Restriction on Disclosure to Health Plans for Out-of-Pocket Payments
5.2.1. UAB patients have the right to request and receive agreement that UAB will restrict disclosure of PHI about the patients to a health plan if
5.2.1.1. The disclosure is for payment of health care operations.
5.2.1.2. The disclosure is not required by law AND
5.2.1.3. The individual or person on the individual's behalf (including another health plan) pays for the item or service out-of-pocket in full.
5.2.2. Each UAB Covered Entity is responsible for developing a process to review and respond to these requests. This process shall include a method to maintain documentation of any agreed upon restrictions.
5.3. Right to Receive Confidential Communication by Alternative Means
5.3.1. UAB patients have the right to request to receive communications of PHI by alternative means or at alternative locations.
5.3.2. UAB must accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations, as follows:
5.3.2.1. UAB may require the patient to submit the request in writing
5.3.2.1.1. UAB covered entities, except VIVA Health, Inc., shall not require an explanation for the basis of the request.
5.3.2.1.2. VIVA Health, Inc. may require the individual to clearly state that the disclosure, in all or part, could endanger that individual.
5.3.2.2. UAB may require, if appropriate, information as to how payment, if any, will be handled.
5.3.2.3. UAB may require the individual to specify an alternative address or other method of contact.
5.4. Right to Access (Inspect and Copy) PHI
5.4.1. UAB patients have the right to inspect and obtain a copy of their PHI maintained in a designated record set about themselves, for as long as the PHI is maintained in the designated record set, except for the following types of information:
5.4.1.1. Psychotherapy notes
5.4.1.2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
5.4.2. UAB will provide the individual with access to the PHI in the form and format requested (paper or electronic) if it is readily producible in the requested form. If it is not readily producible in the form requested by the patient, the PHI will be furnished in a form and format agreed to by UAB and the requesting individual.
5.4.2.1. If a copy of the PHI is not readily producible and is maintained in paper, then a readable hard copy will be provided. If not readily producible and maintained electronically, then an electronic copy (PDF is the default) will be provided.
5.4.3. At the patient's written request, UAB will transmit the PHI directly to a designated third party if the written request identifies the patient; clearly identifies the third party to whom to send the PHI, and clearly identifies the address/location to send the PHI.
5.4.4. Grounds for Denial - Unreviewable. UAB may deny access to the PHI without providing the individual an opportunity for review, under the following conditions:
5.4.4.1. The PHI falls in the exceptions noted in Sections 22.214.171.124 through 126.96.36.199.
5.4.4.2. The individual requesting the PHI is an inmate and the correctional institution determines obtaining the PHI would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of an officer, employee, other person at the correctional institution, or individual responsible for the transporting of the inmate.
5.4.4.3. The PHI is created or obtained by UAB during the course of ongoing research that includes treatment; provided that the individual agreed to this condition as part of the informed consent to participate in the research and provided the individual will have the right of access to the PHI upon completion of the research.
5.4.4.4. The PHI is contained in records subject to the Privacy Act and the Privacy Act authorizes the denial of access.
5.4.4.5. The PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
5.4.5. Grounds for Denial - Unreviewable. UAB may deny access to the PHI as set forth below. For denials under this section, UAB must grant the individual the right to review the denial in accordance with Section 22.214.171.124.
5.4.5.1. A physician has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
5.4.5.2. The PHI refers to another person and a licensed healthcare professional has determined in the exercise of professional judgment that the access requested is reasonably likely to cause substantial harm to such other person.
5.4.5.3. The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
5.4.6. Processing Requests for Access
5.4.6.1. Each UAB covered entity shall designate, in writing, one individual or office responsible for receiving and processing requests for access by individuals.
5.4.6.2. UAB must respond to an individual's written request for access to their PHI no later than thirty (30) days after receipt of the request.
5.4.6.2.1. Exception: UAB may extend the required 30-day response time by an additional thirty (30) days if UAB furnishes the individual with a written statement of the reasons for the delay within the 30-day period and the date by which UAB will act on the request.
5.4.7. Granting Requests for Access
5.4.7.1. If UAB grants the request for inspection of or access to the PHI, it must so inform the individual and arrange for the inspection or copying.
5.4.7.1.1. UAB must provide the individual with access to the PHI in the form requested by the individual, if it is readily producible in such form or, if not, in a readable hard copy form.
5.4.7.1.2. With the advance agreement of the individual, UAB may furnish a written summary of the PHI in lieu of providing access to the PHI.
5.4.7.2. UAB covered entities may charge the individual for the reasonable costs of furnishing the PHI, including the furnishing of a written summary of the PHI.
5.4.8. Denying Requests for Access
5.4.8.1. If the request for access to PHI is denied pursuant to Section 5.4.4 or Section 5.4.4, UAB must do the following:
5.4.8.1.1. furnish the individual with a written denial containing the basis for the denial; the right to review the denial, if applicable; and a description of how the individual may submit a complaint to the covered entity
5.4.8.1.2. grant the individual access to any other PHI that does not qualify for a denial
5.4.8.1.3. if the PHI is not held by UAB and UAB knows where the PHI is located, inform the individual where the PHI is located.
5.4.8.2. If the request for access to PHI is denied pursuant to Section 5.4.5 and the patient requests that the denial be reviewed, then, in addition to meeting the requirements in Section 220.127.116.11, UAB must arrange for a review of the denial.
5.4.8.2.1. UAB covered entities shall designate a physician who was not directly involved in the denial to review the decision to deny access to the PHI.
5.4.8.2.2. UAB must promptly refer denials under Section 5.4.5 to the reviewer. The reviewer must determine, within a reasonable period of time, whether or not to deny the access.
5.4.8.2.3. The reviewer's decision will be forwarded in writing to the individual and represents UAB's final decision.
5.5. Right to Request Amendment of PHI
5.5.1. Individuals have the right to submit written requests to amend their PHI that is contained in a Designated Record Set.
5.5.2. UAB may deny the requests to amend the PHI on any one of the following bases:
5.5.2.1. The PHI in the designated record set is accurate and complete.
5.5.2.2. The PHI is not in the designated record set.
5.5.2.3. The PHI was not created by UAB, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the request to amend.
5.5.2.4. The PHI is not available for access by the individual under Section 5.4 of this standard.
5.5.3. Granting Requests to Amend PHI: If UAB grants the request to amend the PHI, it must do the following:
5.5.3.1. include the amendment in the PHI designated record set
5.5.3.2. inform the individual in writing that the amendment is accepted and obtain the individual's identification of and agreement to have the entity notify the relevant person with which the amendment needs to be shared
5.5.3.3. make reasonable efforts to inform and provide the amendment within a reasonable time to the following persons:
5.5.3.3.1. persons identified by the individual as having received PHI and needing the amendment
5.5.3.3.2. persons, including Business Associates, that the entity knows have the PHI and that may have relied, or could foreseeably rely, on the PHI to the detriment of the individual
5.5.4. Denying Requests to Amend PHI: If UAB denies the request to amend the PHI, it must do the following:
5.5.4.1. send a written notice of denial to the individual that contains the following information:
5.5.4.1.1. the basis for the denial
5.5.4.1.2. the individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement
5.5.4.1.3. a statement that, if the individual does not submit a statement of disagreement, the individual may request that the entity provide the individual's request for amendment and the denial with any future disclosures of the PHI
5.5.4.1.4. a description of how the individual may submit a complaint to the entity
5.5.4.2. permit the individual to submit a written statement disagreeing with the denial and the basis of the disagreement
5.5.4.3. prepare a written rebuttal to the individual's written statement that is forwarded to the individual
5.5.4.4. include in the designated record set the request, notice of denial, individual's written statement and entity's written rebuttal
5.5.4.5. transmit the request, notice of denial, written statement, and written rebuttal in all future disclosures of the PHI.
5.5.4.5.1. If the disclosure is made using a standard transaction that does not permit the additional material to be included with the disclosure, the entity may separately transmit the material.
5.5.5. If UAB is informed by another covered entity of an amendment to an individual's PHI, then UAB must amend the PHI in their designated record sets accordingly.
5.6. Right to Accounting of Disclosures
5.6.1. An individual has the right to receive an accounting of certain disclosures of PHI made by UAB in the six years prior to the date of the request.
5.6.1.1. Exceptions: No accounting must be furnished for disclosures for the following reasons:
5.6.1.1.1. to carry out treatment, payment and health care operations
5.6.1.1.2. to individuals of PHI about themselves
5.6.1.1.3. incident to an otherwise permitted use or disclosure
5.6.1.1.4. pursuant to an authorization
5.6.1.1.5. for the entity's directory or to persons involved in the individual's care or other notification purposes
5.6.1.1.6. for national security or intelligence purposes
5.6.1.1.7. to correctional institutions or law enforcement officials
5.6.1.1.8. as part of de-identified data or a limited data set
5.6.1.1.9. that occurred prior to the HIPAA compliance date
5.6.1.2. Exception: Temporary suspension of accounting for disclosures to health oversight agency or law enforcement official.
5.6.1.2.1. If a health oversight agency or law enforcement official submits a written request to temporarily suspend an accounting of disclosures to their agencies because such an accounting would reasonably likely impede the agency's activities, UAB will not furnish an accounting of the disclosures to those agencies for the time period specified in the written request.
5.6.1.2.2. If a health oversight agency or law enforcement official verbally requests that the entity not furnish an accounting of disclosures of PHI to their agencies, UAB must take the following steps:
5.6.1.2.2.1. document the statement, including the identity of the agency or official making the statement
5.6.1.2.2.2. temporarily suspend the individual's right to an accounting of disclosures to these agencies
5.6.1.2.2.3. limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during the 30-day period.
5.6.1.3. To account for research disclosures that were made without patient authorization, UAB covered entities will rely on the alternative method of accounting by furnishing a list maintained by the UAB Institutional Review Board of protocols that involve health information and that fall within the following categories:
5.6.1.3.1. Waiver of authorization
5.6.1.3.2. Preparatory to research
5.6.1.3.3. Decedent review (Note: Decedent information is no longer PHI 50 years after the death of the individual.)
5.6.1.4. Contents of Accounting: The accounting of disclosures of PHI must meet the following criteria:
5.6.1.4.1. include disclosures of PHI that occurred during the six years prior to the date of the request, provided that no accounting is required for disclosures prior to the HIPAA effective date
5.6.1.4.2. include the following information:
5.6.1.4.2.1. the date of the disclosure
5.6.1.4.2.2. the name and, if known, address, of the entity or person who received the PHI
5.6.1.4.2.3. a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorizations or a copy of a written request for disclosure.
5.6.1.5. Process for Responding to Requests for Accounting
5.6.1.5.1. Each UAB covered entity shall designate, in writing, one individual or office responsible for receiving and processing requests for accountings of disclosures of PHI in designated record sets.
5.6.1.5.2. UAB must respond to an individual's written request for disclosures of their PHI no later than sixty (60) days after receipt of the request.
5.6.1.5.3. Exception: UAB may extend the required 60-day response time by an additional thirty (30) days if UAB furnishes the individual with a written statement of the reasons for the delay within the 60-day period and the date by which UAB will act on the request.
184.108.40.206.1. UAB must furnish the first accounting in any 12-month period without charge. UAB may impose a reasonable, cost-based fee for each subsequent disclosure during the 12-month period, provided UAB informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request.
5.7. Each UAB covered entity shall develop processes and policies to implement this standard.
6. REFERENCES: None
7. SCOPE: This policy applies to all UAB Covered Entities and to UABHS Covered Entities identified in Section 3.
8. ATTACHMENTS: None.
To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.