Health Law Blog - Healthcare Legal Issues

Posts Tagged ‘HIPAA’

Providing Protected Health Information in Response to Subpoena

Thursday, February 22nd, 2018

OCR Citation for Improper Disclosure of PHI in Response to a Subpoena

A health care provider or other covered entity under HIPAA is permitted to disclose protected health information if it receives a lawful order from a court or administrative tribunal. This does not mean that a provider can simply release everything it has in a patient record when it receives a court order. Some records, such as mental health or substance abuse records, may have special protections or limitations that apply. Additionally, a provider should closely review the relevant order and disclose only the information that is specifically required by the order.

The ability to release information in response to a subpoena, as opposed to an order of a court, is subject to different rules. Patient information can only be provided under a subpoena if certain notification requirements of the Privacy Rule are met. Those requirements oblige the provider who received the subpoena to obtain evidence that reasonable efforts were made to notify the person who is the subject of the information about the request. This is intended to give the individual an opportunity to object to the disclosure or to obtain a protective order from the court.

The application of these rules is illustrated by a relatively recent OCR settlement involving a hospital that was accused of improperly disclosing PHI in response to a subpoena. The hospital apparently failed to determine that reasonable efforts had been made to notify the individual whose PHI was being sought under the subpoena. This had the effect of denying the individual the right to object or seek a protective order.

As part of the settlement with the hospital, OCR required the hospital to revise its subpoena processing procedures. The new policies adopted by the offending hospital hold a lesson for all covered entities. If a subpoena does not meet the requirements of the Privacy Rule, policy should require the covered entity to reach out to the party who issued the subpoena to explain the notification requirements. Until those requirements are complied with, the information cannot be released.

Court Orders and Subpoenas – Release of Protected Health Information

Mental Health Center Settlement for Failure to Provide Patient Record Copies

Tuesday, February 20th, 2018

OCR Sanction for Failing to Provide Patient Access to Protected Health Information

OCR Settlements Illustrate Area of HIPAA Risk

In this case, which was settled with the Office for Civil Rights, the provider was a mental health center that was accused of refusing to provide a patient with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist. However, the provider failed to provide the patient with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement if they are separately maintained by the covered entity. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center’s obligation to provide the complainant with a copy of her records. Among other corrective actions taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals.

The regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protect the privacy and security of individuals’ identifiable health information and establish an array of individual rights with respect to health information, have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.  Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.

In addition, two categories of information are expressly excluded from the right of access:

  1. Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
  2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

Don’t Overlook Special Status of Behavioral Health Records

Monday, January 9th, 2017

Most health care providers have implemented HIPAA-compliant policies and procedures and have made them operational. We often see providers who have not given appropriate levels of thought to behavioral health records. HIPAA and state laws generally provide different levels of protection for patient information that relates to mental health issues or alcohol and drug treatment. This requires providers to have policies and procedures in place that help employees identify these types of records and that describe the appropriate precautions and special rules that apply.

Generally, Federal law treats general mental health records in the same way it treats other types of health information. Many state statutes require more protection over the confidentiality of mental health records than general health information. A further distinction is made between general mental health/behavioral health records and the subset of those records that consists of psychotherapy notes. Psychotherapy notes are rarely subject to disclosure to third parties. In many cases even the subject patient can be denied access to psychotherapy notes.

It is important that policies and procedures clearly define mental health records and psychotherapy notes and describe the special restrictions that are applicable to each. Clearly, the special restrictions on psychotherapy notes must be honored. It is also important that healthcare providers do not apply the broader restrictions that are applicable to psychotherapy notes to more general mental health records. Failing to understand the distinction between the various types of records can have adverse consequences under applicable laws and can even put patient care at risk.

This issue is further complicated because State and Federal protections can be different and even conflicting. This requires providers to perform a preemption analysis to determine which law to follow. That analysis can differ depending on the type of record involved and the purpose and nature of the contemplated release.

Psychotherapy notes are given special treatment under Federal law. Psychotherapy notes are defined under Federal law as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are kept separate from the rest of the patient’s medical record. Psychotherapy notes can rarely be released to a third party, and often even the patient can be denied access to these records. Certain information is excluded from the definition of psychotherapy notes, such as medication prescriptions and monitoring, session start and stop times, frequency of treatment, results of clinical tests, and summaries of diagnosis, symptoms, and prognosis. This information is considered to be part of the mental health record but does not receive the same special protection as psychotherapy notes.

Organizations should understand the distinction between general mental health records and psychotherapy notes. Separation is key to complying with the restrictions that are applicable to psychotherapy notes. Psychotherapy notes should be stored separately from the patient’s medical record (which includes behavioral and mental health records).

Organizations that use an electronic medical records (EMR) system must devise ways to separate psychotherapy notes from other types of medical records. This might include integrating special naming and filing standards into the electronic record. Staff training is required to assure that the distinction between psychotherapy notes and mental health records is maintained.

Some state laws complicate the analysis even further by providing additional restrictions on general mental health records. Depending on your state, this analysis can become quite complicated and dependent on the purpose and nature of the contemplated release, the application of preemption rules, and the interpretation of state and Federal statutes and regulations.

Model Patient Privacy Notice Forms Privacy Rule Compliance

Thursday, September 19th, 2013

Patient Privacy Notice Forms

The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health care providers and of their privacy rights with respect to their personal health information. Providers are obligated to give patients a clear and concise description of those rights.

The HHS Office for Civil Rights and the Office of the National Coordinator for Health Information Technology have released model Notices of Privacy Practices for health care providers and health plans. The models were created in collaboration between the two agencies with jurisdiction over patient privacy issues. They express the views of these agencies concerning what health care providers should be communicating to their patients.

The Model Notices can be found at the following page of the HHS web site: Model Privacy Notices

It is notable that the model Notices of Privacy Practices are not as in depth as the forms that have been used by many health care providers in the past. There is a simplicity to the models that seems directed toward communicating basic information to patients, as opposed to an approach that includes “everything under the sun” in order to protect the provider. The less complicated approach seems more consistent with the regulatory requirement that providers develop and distribute a notice that gives a clear, user-friendly explanation of these rights and practices.

The models released by the agencies come in a variety of formats that providers can choose from depending on the context and their preference. The optional formats include:

  • Notice in the form of a booklet
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages
  • A notice with the design elements found in the booklet, but formatted for full page presentation
  • A text only version of the notice

The models integrate the regulatory changes contained in the Omnibus Rule. Providers may use these models as the baseline for compliance with the new requirements. For example, relatively new changes to patients’ rights of access to information held in an electronic health record are covered. Providers who have not recently updated their notices may not have included this information in their disclosure form.

The provided forms are set up so that providers can simply enter their specific information in the model forms. They can then be printed, posted, and otherwise used in connection with their practices.

The agencies seem to be actively encouraging providers to use these standard forms. Providers should take the opportunity to review their Notices of Privacy Practices and consider updating them to conform with the government-provided standard forms unless the provider has a compelling reason to be more inclusive in its disclosure.


OCR HIPAA Audit Resources For Healthcare Providers

Monday, July 30th, 2012

HIPAA Audit Resources for OCR Audit of Health Care Providers

  • HIPAA Information For Covered Entities
  • HIPAA Audit Protocol
  • Office for Civil Rights (OCR) HIPAA Notification Page
  • HIPAA News Archives
  • Patient Safety Confidentiality (PSQIA)
  • Sample Business Associates Contract

Things To Do Before a HIPAA Audit is Announced

Before you even have notice that you may be the subject of a HIPAA audit, you should be certain that your HIPAA “ducks” are in a row. Taking last-minute action when an audit is announced will not be nearly as effective as demonstrating that you have had a long-term commitment to HIPAA compliance. Here are a few things that you should do now, before you are the subject of an audit. This list is not meant to be all-inclusive.

  • Review all policies and procedures that are required in order to comply with HIPAA. Consider an external review by an independent party.
  • Document a plan of correction if deficiencies are identified and document the correction process.
  • Designate departmental individuals who are responsible for HIPAA issues and prepare them to address the process of implementation in their area of responsibility.
  • Conduct a thorough risk analysis in accordance with OCR risk assessment guidance (referenced below).
  • Assure that your compliance training program is up to date and that employees have signed off on receiving required training. Correct any discovered deficiencies in training.
  • Audit every outside vendor and contracting party and make certain that there is an appropriate Business Associates Agreement in place.

Major Issues Arising In First Round of HIPAA Audits

  • Patient record request review process, specifically denial process;
  • Providers failing to provide patients with access to their records;
  • Insufficient or non-existent policies and procedures;
  • Improper use of information relating to decedents;
  • Disclosure of information to personal representatives;
  • Risk Assessment process; and
  • Difficulties with Business Associate Agreements.

HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis. OCR has issued guidance on conducting such an analysis. In the event of an audit, the results of your risk analysis are likely to be requested. A review of your HIPAA policies should be conducted on an annual basis. Any deficiencies should be identified and addressed in a corrective action plan. Carefully document your review and the process you use to correct any identified deficiencies. OCR Audit Guidelines

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide
