HIT 105 RESEARCH PAPER:
INVESTIGATING SPECIFIC REGULATIONS OF THE PRIVACY RULE AND OTHER REQUIREMENTS OF HIPAA
92 Academy St
South Berwick, ME 03908
Student ID: 21307800
Law and Ethics, HIT 105
Research Project # 40903100
As part of the requirements under HIPAA 1996, regulated by the Office for Civil Rights under the Department of Health and Human Services [HHS], federal guidelines must set a standard for the protection of individually identifiable health information (HHS, 2003). These regulations and requirements are outlined under the Privacy Rule. Specifically, the rule addresses the use and disclosure of records and data by organizations subject to it (aka covered entities), and outlines individuals' rights to knowledge of and control over their medical information (HHS, 2003). The following is a discussion of particular aspects of the Privacy Rule as they relate to the specific circumstances raised in each question.
Question 1: Does HIPAA affect a patient’s access to his or her medical record? If so, what is the effect and procedure for obtaining records?
HIPAA’s Privacy Rule specifically states that: “except in certain circumstances, individuals have the right to review and obtain a copy of their personal health information in a covered entity’s designated record set” (HHS, 2003, pg. 12). These exceptions include psychotherapy notes limited to counseling sessions that are separate from the medical notes, information compiled for legal proceedings, lab results to which the Clinical Laboratory Improvement Act prohibits access, data involved in research for which the patient has waived the right to view it, and situations in which the provider feels access could harm the individual or another (HHS, 2003; SAMHSA, 2004). HHS (2003) extends these rights of access to a personal representative, unless there is a strong belief that the personal representative is neglecting or abusing the patient, or state law provides that the medical treatment of the patient does not require the authorization of the personal representative. An example of this would be when state law has outlined that a minor does not require parental consent for mental health treatment (Flight, 2004).
The procedural requirements of the Privacy Rule state that each covered entity must designate a contact person or office responsible for providing the patient with information regarding their rights under HIPAA, and upon request must provide the information in a timely manner (usually within 30 days) (HHS, 2010). The Privacy Rule allows programs to create their own written documentation for patient requests to access and copy records (SAMHSA, 2004). Once the individual has requested them, the copies of records must be sent to the individual by any reasonable means requested, even if it does not follow the routine procedures and methods of the facility (HHS, 2003). The covered entity cannot charge for retrieval of the information or deny access due to nonpayment for services, but may charge the individual a fee for copying and postage (HHS, 2003). With regard to a denial of access under special, discretionary circumstances by the covered entity, HHS (2003) further states that the individual has the right to have the denial reviewed by a licensed health care professional for a second opinion.
The effect of this access to records is higher disclosure to the patient and possible scrutiny of the physician. Flight (2004) discusses physicians' responses to greater patient accessibility of documentation, noting that some may find that full disclosure only strengthens the trust in the doctor-patient relationship, while others are wary of misinterpretations, especially of subjective data. This may be a somewhat valid concern, as the Privacy Rule also grants individuals the right to request amendments to any information they find to be inaccurate or in error, via a...