Right to Access Health Records

AMADOR COUNTY

CLIENTS’ RIGHTS POLICY:

RIGHT TO ACCESS HEALTH RECORDS

Purpose

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates, among other things, the uses and disclosures of protected health information and the client’s rights relating to his or her protected health information. It is the policy of Amador County that all County agencies and departments subject to HIPAA (hereinafter referred to as “Covered Agency” or “Covered Department”) preserve the integrity and the confidentiality of “Protected Health Information” (PHI), as that term is defined in HIPAA regulations [45 CFR §164.501], pertaining to their clients/patients, and enforce the rights afforded to those clients/patients by HIPAA.

One of the rights clients have is that of access to their health records, which includes the right to inspect and obtain a copy of their records, with certain limitations. The purpose of this policy is to identify clients’ rights of access to their health records, and to establish procedures for the client’s exercise of those rights in accordance with HIPAA regulations [45 CFR §164.524].

Policy

1.General.

A.Relationship Of This Policy To The Notice Of Privacy Practices. Each Covered Agency/Department will use the “Notice of Privacy Practices” to inform its clients about how they may obtain access to their PHI contained within records created and maintained by the Covered Agency/Department.

B.Client’s Access Rights.

Each individual receiving services from a Covered Agency/Department

(hereinafter referred to as a “client”) has the right of access to inspect and obtain

a copy of his or her PHI contained in that Covered Agency/Department’s records

(“designated record set”), for as long as the information is maintained in the

(HIPAA Client’s Rights: Access to PHI Policy 06/2003)

designated record set, subject to certain exceptions or limitations as set forth in

section 1.E below.

C.Procedure For Client’s Request For Access. A client must be permitted to request access to inspect or to obtain a copy of his or her PHI in a designated record set. The request must:

i.Be in writing, and submitted to a specified County Agency/Department recipient;

ii.Specify the form in which the client wishes to receive a copy of his or her PHI from a designated record set, (such as in hard-copy written form, by e-mail, etc.). If the requested information is not readily producible in the form requested, the Covered Agency/ Department may require the client to specify such other form as is agreed to by the Covered Agency/Department and the client.

D.Covered Agency/Department’s Response To Request For Access. If a client makes a request for access to his or her PHI in a designated record set, the Covered Agency/Department must respond to the request as follows:

i.Form of Response: The Covered Agency/Department may provide the

client with a summary of the PHI requested in lieu of providing access to

the requested information, or may provide an explanation of the PHI to

which access has been provided, if the client agrees in advance to such a

summary or explanation and the client agrees in advance to the fees

imposed, if any, by the Covered Agency/Department for such summary or

explanation.

ii.Time for Response: The Covered Agency/Department must respond to a request for access no later than 30 days after receipt of the request, as follows:

(a)If the request is granted in whole or in part, the Covered

Agency/Department must inform the client of the acceptance

(HIPAA Client’s Rights: Access to PHI Policy 06/2003)

of the request and provide the access requested, including

arranging with the client for a convenient time and place to

inspect or obtain a copy of the requested information, or mailing a

copy of the information at the client’s request. The Covered

Agency/Department may also discuss the scope, format and other

aspects of the request with the client as necessary to facilitate

the timely provision of access.

(b)If the request is denied in whole or in part, the Covered Agency/ Department must provide the client with a written denial, in plain language, which contains the basis for the denial; a statement explaining and describing the client’s review rights; and an explanation and description of how the client may file a complaint to the County Complaint Official or the Secretary of Health and Human Services. If the denial is only partial, the Covered Agency/Department must exclude the information for which it has grounds to deny access, and must give the client access to the information which is accessible.

(c)If the protected health information to which access has been requested is not maintained by the Covered Agency/Department and the Covered Agency/Department knows where the requested information is maintained, it must inform the client where to direct his or her request for access.

iii.Extension of Time For Response. The Covered Agency/Department may extend the time for its response to a request for access for a period of no more than 30 days, if it is unable to respond within the first 30 days following the request. The Covered Agency/Department may have only one such extension of time within which to respond to a request, and must provide the client with a written statement of the reason(s) for the delay and the date by which the response will be completed.

iv.Multiple Designated Record Sets. If the PHI to which the client has requested access is maintained in more than one designated record set at more than one location, the Covered Agency/ Department need only produce the information once in response to the request.

(HIPAA Client’s Rights: Access to PHI Policy 06/2003)

v.Fees: A Covered Agency/Department may impose a reasonable, cost-based fee for the copying of PHI requested, or for the preparation of a summary or explanation of such information as set forth in paragraph 1.D.i. above. Said fee may include only the cost of copying, including the cost of supplies and labor, and postage when the client has requested mailing.

E.Denial of Access. Generally, a client’s request for access to inspect and copy his or her PHI may not be denied by the Covered Agency/Department, except:

i.A client may be denied access to his or her psychotherapy notes;

ii.A client may be denied access to information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;

iii.A client may be denied access to his or her PHI if it is prohibited by law or if it is exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2);

iv.If the client is in the custody of law enforcement officials at the time of the request, he/she may inspect his or her PHI in a designated record set, but may not be entitled to receive a copy of it.

F.Unreviewable Denials of Client’s Request For Access. A Covered Agency/Department may deny a client’s request for access to inspect or obtain a copy of his or her PHI in a designated record set without providing the client an opportunity for review in the following circumstances:

i.The PHI is neither maintained by or for the Covered Agency/Department, nor is used by or for the Covered Agency/ Department to make decisions about the client;

ii.The PHI is excepted from the right of access for any of the reasons stated in paragraph 1.E.i-iv above;

(HIPAA Client’s Rights: Access to PHI Policy 06/2003)

iii.The client fails to follow the proper procedures in making his or her request for access;

iv.The client is an inmate, and the Covered Agency/Department is a health care provider and is acting under the direction of a correctional institution. In this case, the Covered Agency/Department may deny, in whole or in part, an inmate’s request to obtain a copy of his or her PHI if obtaining such a copy would jeopardize the health, safety, security, custody, or rehabilitation of the client or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for transporting the inmate;

v.The client’s access to PHI created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the client agreed to the denial of access when consenting to participate in the research, and the covered provider has informed the client that his or her right of access will be reinstated upon completion of the research;

vi.The client’s PHI is contained in records that are subject to the Privacy Act [5 U.S.C. §552a] and the denial of access meets the requirements of the Privacy Act; or,

vii.The client’s PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

G.Reviewable Grounds For Denial of Client’s Request For Access. A Covered Agency/Department may deny a client’s request for access to inspect or obtain a copy of his or her PHI in a designated record set, provided that the client is given a right to have such denial reviewed, in the following circumstances:

i.A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the client or of another person;

(HIPAA Client’s Rights: Access to PHI Policy 06/2003)

ii.The PHI makes reference to another person, other than a health care provider, and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the client or to another person;

iii.The request for access is made by the client’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the client or to another person.

H.Review of Covered Agency/Department’s Denial of Access. If a client’s request for access to his or her PHI in a designated record set is denied and the grounds for denial are reviewable (as set forth in paragraph 1.G.i-iii above), the client has the right to have a the denial reviewed by a licensed health care professional who is designated by the Covered Agency/ Department to act as a reviewing official and who did not participate in the original decision to deny access.

The Covered Agency/Department must designate the licensed health care

professional to conduct a requested review, and must promptly refer a request for

review to the designated reviewing official. The designated reviewing official

must determine whether or not to deny the access requested based on the

standards set forth in paragraph 1.F.i-iii. above, within a reasonable time, and

must inform the Covered Agency/Department of his or her decision. The

Covered Agency/Department must provide written notice to the client of the

designated reviewing official’s decision, and must provide or deny access in

accordance with the determination of the designated reviewing official.

2.Documentation Required.

The Covered Agency/Department must document the designated record sets that are

subject to access by clients as well as the titles of the persons or offices responsible

for receiving and processing requests for access by clients, and must retain said

documentation for a period of 6 years from the date of its creation or the date when it was last in effect, whichever is later.

(HIPAA Client’s Rights: Access to PHI Policy 06/2003)