HIPAA Core Policy: Patient Health Information Rights   

 

 

Abstract: 
This policy establishes guidelines for implementing patient rights related to health information by UAB/UAB Health System Covered Entities, in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and Alabama state law.

Effective Date: 01/09/04

 

Review/Revised Date: 05/02/2023

 

Category: Ethics and Integrity

 

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

 

   
 
 

1. PURPOSE: To ensure that patients' rights related to their health information are protected as required by the Health Insurance Portability and Accountability Act ("HIPAA") and Alabama state law.

2. APPLICABILITY:    This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time-to-time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, Callahan Eye Hospital and Clinics, UAB Health Centers, Medical West Hospital , an Affiliate of UAB Health System, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine managed entities that may be added from time-to-time. For purposes of this policy, UAB and UAB Medicine Covered Entities shall be collectively referred to as “UAB.”

3. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164.

3.1.Designated Record Set:  A group of records maintained in any medium by or for a UAB covered entity that is: (1) with respect to UAB providers, the medical records and billing records about individuals maintained by the health care providers; (2) with respect to health plans, the enrollment, payment claims adjudication, and case or medical management record systems maintained by or for the health plan; or (3) used, in whole or in part, by or for the UAB covered entity to make decisions about individuals.   For purposes of this definition, “record” means any item, collection, or grouping of information that includes protected health information (PHI) and is maintained, collected, used, or disseminated by or for the UAB covered entity. 

3.2. Disclosure: The release, transfer, provision of, access to, or divulging in any other manner of information outside the UAB covered entity holding the information.
 

  1. 3.3.  Health Information Exchange (HIE): Using secure Internet technology to exchange or move health-related information between organizations such as hospitals and providers according to nationally recognized standards.

3.4. Healthcare Operations: Any of the activities set forth in the regulations that includes, but is not limited to, the following:

3.4.1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not include treatment;

    1. 3.4.2. Reviewing the competence or qualifications of health care professionals, evaluating performance, conducting training programs for healthcare and non-healthcare professionals, and participating in accreditation, certification, licensing or credentialing activities;
    2.  
    3. 3.4.3. Underwriting, premium rating and other activities relating to health plan contracts;
    4.  
    5. 3.4.4. Conducting medical review, legal services auditing, and compliance functions;
    6.  
    7. 3.4.5.Business planning and development and business management and general administrative activities including, but not limited to customer service, resolution of internal grievances, and due diligence.

3.5. Payment: The activities described in the regulation, including, but not limited to, those undertaken by a provider to obtain or provide reimbursement for the provision of health care, including, but not limited to, determinations of eligibility or coverage; risk adjusting amounts due; billing, claims management, and collection activities; review of health care services with respect to medical necessity and coverage; utilization review activities, including precertification and preauthorization of services; and disclosure to consumer reporting agencies of the following information: name/address, date of birth, social security number, payment history, account number, and name and address of the provider.

3.6. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies an individual, or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

3.7. Psychotherapy Notes: Notes recorded by a provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

3.8. Treatment: The provision, coordination, or management of health care services by providers, including the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for health care from one provider to another.

3.9. Use: The sharing, employment, application, utilization, examination, or analysis of PHI within the UAB covered entity that maintains the PHI.

 

4. POLICY STATEMENTS:

4.1. Right to Request Restriction of Use and Disclosure of PHI

4.1.1. UAB patients have the right to request that UAB restrict or limit the use and disclosure of their PHI about the patients in the following circumstances:

4.1.1.1. when PHI is used or disclosed for treatment, payment, and healthcare operations

4.1.1.2. for disclosures of PHI to individuals involved in the patient's care or payment-for that care, i.e. family, friend, or other representative.

4.1.2. UAB is NOT required to agree to the request. However, if UAB agrees to the request to restrict the use and disclosure of PHI, UAB must ensure that the request is honored, except in the event a provider requires the use and disclosure of the PHI for emergency medical treatment. Any agreed-upon restrictions may be terminated by UAB by furnishing the patient with written notification of the termination.

4.1.3. Each UAB covered entity is responsible for developing a process to review and respond within 30 days to patient requests to restrict use and disclosure of PHI. This process shall include a method to maintain written or electronic documentation of any agreed-upon restrictions.

4.1.4. If any UAB covered entity participates in a health information exchange (HIE), then its patients have the right to opt out of the HIE.

      1. 4.1.4.1 Each UAB covered entity is responsible for developing a process to review and implement patients’ requests to opt out of the HIE.
      2. 4.1.4.2 The UAB covered entity may require the patient to submit the opt out request in writing.

4.2. Right to Receive Restriction on Disclosure to Health Plans for Out-of-Pocket Payments

4.2.1. UAB patients have the right to request and receive agreement that UAB will restrict disclosure of their PHI to a health plan if

4.2.1.1. The disclosure is for payment of health care operations.

4.2.1.2. The disclosure is not required by law AND

4.2.1.3. The individual or person on the individual's behalf (including another health plan) pays for the item or service out-of-pocket in full.

4.2.2. Each UAB Covered Entity is responsible for developing a process to review and respond to these requests. This process shall include a method to maintain documentation of any agreed upon restrictions.

4.3. Right to Receive Confidential Communications by Alternative Means

4.3.1. UAB patients have the right to request to receive communications of their PHI by alternative means or at alternative locations.

4.3.2. UAB must accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations, as follows:

4.3.2.1. UAB may require the patient to submit the request in writing

4.3.2.1.1. UAB covered entities, except VIVA Health, Inc., shall not require an explanation for the basis of the request.

4.3.2.1.2. VIVA Health, Inc. may require the individual to clearly state that the disclosure, in all or part, could endanger that individual.

4.3.2.2. UAB may require, if appropriate, information as to how payment, if any, will be handled.

4.3.2.3. UAB may require the individual to specify an alternative address or other method of contact.

4.4. Right to Access (Inspect and Copy) PHI

4.4.1. UAB patients have the right to inspect and obtain a copy of their PHI maintained in a designated record set about themselves, for as long as the PHI is maintained in the designated record set, except for the following types of information:

4.4.1.1. Psychotherapy notes

4.4.1.2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding

4.4.2. UAB will provide the individual with access to the PHI in the form and format requested (paper or electronic) if it is readily producible in the requested form. If it is not readily producible in the form requested by the patient, the PHI will be furnished in a form and format agreed to by UAB and the requesting individual.

4.4.2.1. If copy of PHI is not readily producible and maintained in paper, then a readable hard copy will be provided. If not readily producible and maintained electronically, then an electronic copy (PDF is the default) will be provided.

4.4.3. At the patient's written request, UAB will transmit their PHI directly to a designated third party if the written request identifies the patient; clearly identifies the third party to whom to send the PHI, and clearly identifies the address/location to send the PHI.

4.4.4. Grounds for Denial - Unreviewable. UAB may deny access to the PHI without providing the individual an opportunity for review, under the following conditions:

4.4.4.1. The PHI falls in the exceptions noted in Sections 4.4.1.1 through 4.4.1.2.

4.4.4.2. The individual requesting the PHI is an inmate and the correctional institution determines obtaining the PHI would jeopardize the health, safety, security, custody, or rehabilitation of the individual or other inmates or the safety of an officer, employee, other person at the correctional institution, or individual responsible for the transporting of the inmate.

4.4.4.3. The PHI is created or obtained by UAB during the course of ongoing research that includes treatment; provided that the individual agreed to this condition as part of the informed consent to participate in the research and provided the individual will have the right of access to the PHI upon completion of the research.

4.4.4.4. The PHI is contained in records subject to the Privacy Act and the Privacy Act authorizes the denial of access.

4.4.4.5. The PHI was obtained from someone other than a health care  provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

4.4.5. Grounds for Denial - Reviewable. UAB may deny access to the PHI as set forth below. For denials under this section, UAB must grant the individual the right to review the denial in accordance with Section 4.4.6.2.

4.4.5.1. A physician has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.

4.4.5.2. The PHI refers to another person and a licensed healthcare professional has determined in the exercise of professional judgment that the access requested is reasonably likely to cause substantial harm to such other person.

4.4.5.3. The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

4.4.6. Processing Requests for Access

4.4.6.1. Each UAB covered entity shall designate, in writing, one individual or office responsible for receiving and processing requests for access by individuals.

4.4.6.2. UAB must respond to an patient's written request for access to their PHI no later than thirty (30) days after receipt of the request.

4.4.6.2.1. Exception: UAB may extend the required 30 day response time by an additional thirty (30) days if UAB furnishes the individual with a written statement of the reasons for the delay within the 30-day period and the date by which UAB will act on the request.

4.4.7. Granting Requests for Access

4.4.7.1. If UAB grants the request for inspection of or access to the PHI, it must so inform the individual and arrange for the inspection or copying.

4.4.7.1.1. UAB must provide the individual with access to the PHI in the form requested by the individual, if it is readily producible in such form or, if not, in a readable hard copy form.

4.4.7.1.2. With the advance agreement of the individual, UAB may furnish a written summary of the PHI in lieu of providing access to the PHI.

4.4.7.2. UAB covered entities may charge the individual for the reasonable costs of furnishing the PHI, including the furnishing of a written summary of the PHI.

4.4.8. Denying Requests for Access

4.4.8.1. If the request for access to PHI is denied pursuant to Section 4.4.4 or Section 4.4.5, UAB must do the following:

4.4.8.1.1. furnish the individual with a written denial containing the basis for the denial; the right to review the denial, if applicable; and a description of how the individual may submit a complaint to the covered entity

4.4.8.1.2. grant the individual access to any other PHI that does not qualify for a denial

4.4.8.1.3. if the PHI is not held by UAB and UAB knows where the PHI is located, inform the individual where the PHI is located.

4.4.8.2. If the request for access to PHI is denied pursuant to Section 4.4.5  and the patient requests that the denial be reviewed, then, in addition to meeting the requirements in Section 4.4.8.1, UAB must arrange for a review of the denial.

4.4.8.2.1. UAB covered entities shall designate a physician who was not directly involved in the denial to review the decision to deny access to the PHI.

4.4.8.2.2. UAB must promptly refer denials under Section 4.4.5 to the reviewer. The reviewer must determine, within a reasonable period of time, whether or not to deny the access.

4.4.8.2.3. The reviewer's decision will be forwarded in writing to the individual and represents UAB's final decision.

4.5. Right to Request Amendment of PHI

4.5.1. Individuals have the right to submit written requests to amend their PHI that is contained in a Designated Record Set.

4.5.2. UAB may deny the requests to amend the PHI on any one of the following bases:

4.5.2.1. The PHI in the designated record set is accurate and complete.

4.5.2.2. The PHI is not in designated record set.

4.5.2.3. The PHI was not created by UAB, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the request to amend.

4.5.2.4. The PHI is not available for access by the individual under Section 4.4 of this policy.

4.5.3. Granting Requests to Amend PHI: If UAB grants the request to amend the PHI, it must do the following:

4.5.3.1. include the amendment in the PHI designated record set

4.5.3.2. inform the individual in writing that the amendment is accepted and obtain the individual's identification of and agreement to have the entity notify the relevant person with which the amendment needs to be shared

4.5.3.3. make reasonable efforts to inform and provide the amendment within a reasonable time to the following persons:

4.5.3.3.1. persons identified by the individual as having received PHI and needing the amendment

4.5.3.3.2. persons, including Business Associates, that the entity knows have the PHI and that may have relied, or could foreseeably rely, on the PHI to the detriment of the individual

4.5.4. Denying Requests to Amend PHI: If UAB denies the request to amend the PHI, it must do the following:

4.5.4.1. send a written notice of denial to the individual that contains the following information:

4.5.4.1.1. the basis for the denial

4.5.4.1.2. the individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement

4.5.4.1.3. a statement that, if the individual does not submit a statement of disagreement, the individual may request that the entity provide the  individual's request for amendment and the denial with any future disclosures of the PHI

4.5.4.1.4. a description of how the individual may submit a complaint to the entity

4.5.4.2. permit the individual to submit a written statement disagreeing with the denial and the basis of the disagreement

4.5.4.3. prepare a written rebuttal to the individual's written statement that is forwarded to the individual

4.5.4.4. include in the designated record set the request, notice of denial, individual's written statement and entity's written rebuttal

4.5.4.5. transmit the request, notice of denial, written statement, and written rebuttal in all future disclosures of the PHI.

4.5.4.5.1. If the disclosure is made using a standard transaction that does not permit the additional material to be included with the disclosure, the entity may separately transmit the material.

4.5.5. If UAB is informed by another covered entity of an amendment to an individual's PHI, then UAB must amend the PHI in their designated record sets accordingly.

4.5.6.Each UAB covered entity is responsible for developing a process to review and respond within 60 days to patient requests to amend their PHI. A one-time extension shall be granted for no more than 30 days if, within the initial 60 days of receipt of the request, the patient is provided with a written statement explaining the delay and the date by which the patient will receive a response. This process shall include a method to maintain written or electronic documentation of any agreed-upon restrictions.
 

4.6. Right to Accounting of Disclosures

4.6.1. An individual has the right to receive an accounting of certain disclosures of their PHI made by UAB in the six years prior to the date of the request.

4.6.1.1. Exceptions: No accounting must be furnished for disclosures for the following reasons:

4.6.1.1.1. to carry out treatment, payment and health care operations

4.6.1.1.2. to individuals of PHI about themselves

4.6.1.1.3. incident to an otherwise permitted use or disclosure

4.6.1.1.4. pursuant to an authorization

4.6.1.1.5. for the entity's directory or to persons involved in the individual's care or other notification purposes

4.6.1.1.6. for national security or intelligence purposes

4.6.1.1.7. to correctional institutions or law enforcement officials

4.6.1.1.8. as part of de-identified data or a limited data set

4.6.1.1.9. that occurred prior to the HIPAA compliance date

4.6.1.2. Exception: Temporary suspension of accounting for disclosures to health oversight agency or law enforcement official.

4.6.1.2.1. If a health oversight agency or law enforcement official submits a written request to temporarily suspend an accounting of disclosures to their agencies because such an accounting would reasonably likely impede the agency's activities, UAB will not furnish an accounting of the disclosures to those agencies for the time-period specified in the written request.

4.6.1.2.2. If a health oversight agency or law enforcement official verbally requests that the entity not furnish an accounting of disclosures of PHI to their agencies, UAB must take the following steps:

4.6.1.2.2.1. document the statement, including the identity of the agency or official making the statement

4.6.1.2.2.2. temporarily suspend the individual's right to an accounting of disclosures to these agencies

4.6.1.2.2.3. limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement is submitted during the 30-day period.

4.6.1.2.3. To account for research disclosures that were made without patient authorization, UAB covered entities will rely on the alternative method of accounting by furnishing a list maintained by the UAB Institutional Review Board of protocols that involve health information and that were approved via waiver of authorization. 

4.6.1.3. Contents of Accounting: The accounting of disclosures of PHI must meet the following criteria:

4.6.1.3.1. include disclosures of PHI that occurred during the six years prior to the date of the request, provided that no accounting is required for disclosures prior to the HIPAA effective date

4.6.1.3.2. include the following information:

4.6.1.3.2.1. the date of the disclosure

4.6.1.3.2.2. the name and, if known, address, of the entity or person who received the PHI

4.6.1.3.2.3. a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a  statement, a copy of the individual's written authorizations or a copy of a written request for disclosure.

4.6.1.4. Process for Responding to Requests for Accounting

4.6.1.4.1. Each UAB covered entity shall designate, in writing, one individual or office responsible for receiving and processing requests for accountings of disclosures of PHI in designated record sets.

4.6.1.4.2. UAB must respond to an individual's written request for disclosures of their PHI no later than sixty (60) days after receipt of the request.

4.6.1.4.3. Exception: UAB may extend the required 60 day response time by an additional thirty (30) days if UAB furnishes the individual with a written statement of the reasons or the delay within the 60-day period and the date by which UAB will act on the request.

4.6.1.5. Fees

4.6.1.5.1. UAB must furnish the first accounting in any 12-month period without charge. UAB may impose a reasonable, cost-based fee for each subsequent disclosure during the 12-month period, provided UAB informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request.

4.7 Right  To Revoke Authorization

4.7.1 An individual has the right to revoke an authorization to use or disclose his/her medical information except to the extent that action has already been taken in reliance on the authorization. 

4.8 Right to a Paper Copy of the Notice of Health Information Practices

4.8.1 An  individual has the right to a paper copy of the covered entity's Notice of Health Information Practices at any time. 

4.9. Each UAB covered entity shall develop processes to implement this policy.

5. REFERENCES: None
6. ATTACHMENTS: None

To view other HIPAA Core Policies and for more information, please click here.