We always look at the security rule aspects of HIPAA because they deal with the easier parts for people to deal with when it comes to lowering their risk, but today we are diving into some privacy rule guidelines, because there is new HIPAA privacy guidance that has just been published.

HIPAA For MSPs by David Sims Malware Protection Under HIPAA - Ep 56

The security rule, with its addressable standards, gives you some wiggle room as you determine what is reasonable and appropriate in your environment. It runs to roughly 8 pages to manage and sort out. While the technical nature of those standards can make them complex, it also makes fairly clear what is expected. The privacy rule, however, is huge. Still, it is important to know enough of it to be able to manage and assess most of the situations that may arise in your office. Some cases may even require an attorney's opinion simply because of the level of complexity involved.

When it comes to privacy, the rules apply to very specific scenarios. Often you may not even realize you need to plan for one of those scenarios until it arises. Or there are so many varying opinions on how the rule applies that things get very confusing. This new HIPAA privacy guidance tries to address areas that OCR feels have become too inconsistent or, some would say, out of control.

Patient Medical Records

OCR/HHS released new HIPAA privacy guidance clarifying several aspects of providing records to your patients. The links at the end of this post will help you show that what I am going to tell you isn't just "I said so" stuff.

An individual's right of access to their own records has been a major topic recently. HHS makes a good point: if we are changing the way our healthcare system operates, then patients should be more involved and take more responsibility in their care.

The guidance is intended to make it clear that HHS wants to limit the grounds for withholding information when a patient exercises the right to access their medical records. This is a general rule of what you are supposed to do, and you need to figure out how to apply it to your business properly. It is a business decision, and you have to be able to substantiate your decisions. Two things are excluded from the right of access: psychotherapy notes, and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Buried in everything included in the guidance, specific details can be hard to find. However, during the recent National HIPAA Summit there was a lengthy discussion of the new HIPAA privacy guidance. Jocelyn Samuels, Director of OCR, and Deven McGraw, Deputy Director for Health Information Privacy at OCR, were the ones saying it, so, again, I feel pretty confident in the information we are sharing.

One question asked about sending medical records to patients: what do you do if a patient does not want to deal with security and encryption? What if they request that the records be sent to them by an unsecured method?

Their answer was that you should provide the information in the format the patient requests unless you do not have the capability to provide it that way. (That is lawyer speak for: you need to give it to them any way they ask for it, as long as you can produce it that way.)

But, there's more...
A follow-up question asked about documenting that you told the patient the information is not properly secured without encryption. They said something very important:

  • You must tell the patient the information is not properly secured without encryption.
  • We do not require you to get written verification of that conversation.
  • We would accept a note in the chart with the date and time of the conversation in which you confirmed this with the patient, if you do not have it in writing.
  • However, if you have nothing to prove you told the patient, and for some reason the patient challenges that you told them, OCR will ask you for proof that you told them the records are not properly secured.

So while the new HIPAA privacy guidance may say you can send the records unsecured without documenting it, the lawyers say you should document it anyway, just in case someone ever asks.

Calculating Fees for Medical Records

The new HIPAA privacy guidance also covers the fees you can charge for copies of medical records. Even though so many records are now digital, the fees being charged have not changed since someone had to produce huge stacks of paper copies. The guidance makes clear what you can charge, and offers three methods:

Actual costs. A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. The covered entity may add to the actual labor costs any applicable supply (e.g., paper, or CD or USB drive) or postage costs.

Average costs. In lieu of calculating labor costs individually for each request, a covered entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee (e.g., labor costs for copying but not for search and retrieval) and are reasonable. Covered entities may add to that amount any applicable supply (e.g., paper, or CD or USB drive) or postage costs.

Flat fee for electronic copies of PHI maintained electronically. A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.

So, it is really a business decision, just like most of HIPAA. Note that the $6.50 flat rate is an option, not a cap: the actual-cost and average-cost methods remain available (see the clarification linked below).
1. Decide how you want to address this new HIPAA privacy guidance,
2. Set your internal policies and procedures to address it that way,
3. Document every single part of those decisions as well as the activity itself.
4. Return to step one.

New HIPAA Privacy Guidance Links

HHS Privacy Guidance Materials

Individual’s Right of Access

New Right of Access FAQs

New Clarification – $6.50 Flat Rate Option is Not a Cap on Fees for Copies of PHI

Distinguished Speakers Links

Jocelyn Samuels Info

Deven McGraw
