Policy/Memo 119

Number: Policy Memo 119
Date Issued: April 1, 2003
Policy File Ref: A1830
Subject: Access to and Amendment of PHI, Individual Rights

PURPOSE:

To issue instructions to EBD workforce members regarding an individual's right to access or request amendment of their protected health information maintained by EBD.

Background:

HIPAA mandates that individuals be given the right to access protected health information (PHI) about them that is maintained by a health plan in a designated record set, as well as the right to request amendments within certain limitations. The HIPAA requirements specify the health plan's obligation to comply with the individual's request, within limitations, and to provide the process through which they may submit their requests.

As an alternative to this HIPAA right, in accordance with the Personal Privacy Protection Act, Part 81 of the Regulations of the Department of Civil Service (President's Regulations) defines the rights of individuals to request either access to or amendment of the personal information maintained by the Department. These regulations further define an individual's right to appeal if their request has been denied in whole or in part, and the process by which they can do so.

Policy:

The Division will provide a process for individuals to request access to inspect and obtain a copy of protected health information (PHI) about them in a designated record set maintained by EBD, unless otherwise prohibited or disallowed under HIPAA. All requests must be made in writing, specifically identifying the information to be accessed and the form or format required. Requests must be submitted to the EBD Privacy Official for review. The Privacy Official will act on the request no later than 30 calendar days after receipt of the request by:

  • Accepted Requests: Informing the individual of the acceptance and providing access at a convenient time or place;
  • Denied Requests, in whole or in part: Providing the individual with a written denial, written in plain language, containing the basis for the denial, the individual's review rights if applicable, and a description of how to complain to the Division or the Secretary of the Department of Health and Human Services (Secretary). If the request is for information maintained by another entity, the response will indicate where to properly direct the request for access.

EBD may charge a reasonable cost-based fee for copying, or preparation of summaries.

The individual does not have the right to access information that is:

  • psychotherapy notes; or,
  • compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

The Division will accept requests for amendment of protected health information about the individual in a designated record set. The Division may deny these requests as allowed under HIPAA. All requests for amendment must be made in writing, specifically identifying the information to be amended and the reason for the proposed amendment. Requests must be submitted to the EBD Privacy Official for review and must clearly indicate that the individual is requesting to exercise a HIPAA right. Routine requests for correction of records will continue to be handled under normal work processes.

Procedure:

Requests received from individuals to access or to amend their protected health information should be forwarded to the EBD Privacy Official. The EBD Privacy Official will log in each valid request and review for acceptability.

Agreeing to Requests for Access
The EBD Privacy Official will reply to valid requests to access, inspect or copy health information within 30 days of receipt of the request and agree on an acceptable format, time and place with the requestor. If the request is for protected health information not maintained or accessible on site, the reply must be within 60 days of receipt of the request. The Privacy Official, within these time limits, may obtain one 30-day extension by sending a statement to the requestor with a completion date and reason for the delay.

The individual may obtain a summary or explanation of the information requested, in lieu of access to the protected health information, if the individual agrees in advance to the summary or explanation and to any fees. The Privacy Official may also agree to mail copies of the information to the requestor. If the requestor wants to personally inspect the information on-site, the Privacy Official will assign an EBD staff member to assist the individual.

Denying Requests for Access:

Unreviewable grounds for denial:
The EBD Privacy Official may deny an individual access to information without providing an opportunity for review when:

  • The individual does not have the right to access the information
  • The requested information is not in the EBD Designated Record Set
  • The requested information is protected health information obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of information.

Reviewable grounds for denial:
Access may be denied when a licensed health care professional has determined, in the exercise of professional judgment, that:

  • the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
  • access to information making reference to another person, but not a health care provider, is reasonably likely to cause substantial harm to such other person;
  • access to a personal representative is likely to cause substantial harm to the individual or another person.

If access is denied under one of these grounds, the individual can have the denial reviewed by another licensed health care professional designated by EBD. EBD will designate a professional, not involved in the earlier review, to make a determination within a reasonable period of time, as stated above. EBD will promptly notify the individual of the outcome of the second professional review.

Denials must be timely, according to the same time standards as accepted requests. The denial must be written in plain language containing the basis for the denial, any applicable review rights, and a description of how to file a complaint with the Division or the Secretary. If EBD does not maintain the information and knows where it is maintained, the denial must inform the individual where to properly direct the request for access. If requested, EBD will provide access to other information beyond that to which access has been denied.

Requests for Amendment:
Valid written requests for amendment, specifically identified as exercising HIPAA rights, will be reviewed and processed by the EBD Privacy Official. Requests will be denied if the subject is information:

  • that was not created by EBD, unless the originator is no longer available to act;
  • that is not part of the designated record set;
  • that would not be available for access or inspection;
  • that is already accurate and complete.

If denied, the Privacy Official will send a prompt written response indicating the reasons for the denial, the individual's right to file a statement of disagreement and a description of how the individual may complain to EBD or the Secretary. EBD may then prepare and include a rebuttal statement, if necessary. Future disclosures including disputed amendments must be noted with appropriate documentation. EBD will act on a request within 60 days and inform the individual, business associates and others identified by the individual.

Documentation:
EBD will document the designated record sets accessible by individuals and the titles of persons responsible for receiving and processing requests for access or amendment. EBD will maintain this documentation and copies of written requests and responses for six (6) years.