HIPAA Access to Protected Health Information
|Title||HIPAA Access to Protected Health Information|
|Sub-category||Health Affairs Matters - General|
Effective: September 19, 2013
Revised: April 14, 2003; January 8, 2004; February 5, 2010; October 8, 2010; February 18, 2012 (related to access to PHI in electronic format); September 18, 2013; January 27, 2016
Transitioned from Interim to Permanent: July 17, 2014.
ECU HIPAA Privacy Office, 252-744-5200
"Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule," 78 Federal Register 17 (25 January 2013), pp. 5566-5702.
1.1. East Carolina University's Health Care Components ("ECU Health Care Components") have a legal duty to provide individuals with the ability to review or obtain copies of their protected health information ("PHI"). The purpose of this regulation is to define how ECU's Health Care Components will implement individual Access to PHI created or maintained within the Designated Record Set of an ECU Health Care Component.
2.1. Access means the individual's right to inspect and obtain a copy of their PHI.
2.2. Designated Record Set means:
2.2.1. A group of records maintained by or for an ECU Designated Health Care Component that is:
184.108.40.206. The medical records and billing records about individuals maintained by or for a covered health care provider;
220.127.116.11. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
18.104.22.168. Used, in whole or in part, by or for an ECU Health Care Component to make decisions about individuals.
2.2.2. For purposes of this definition, the term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for an ECU Designated Health Care Component.
2.3. Fee means a reasonable, cost-based fee that an ECU Health Care Component may impose if an individual requests a copy of their PHI or agrees to a summary or explanation of such information.
2.3.1. A fee includes only the cost of:
22.214.171.124. Labor for copying the PHI requested by the individual, whether in paper or electronic form.
126.96.36.199.1. Labor costs could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning PHI to media, distributing the media, and time spent preparing an explanation or summary of PHI.
188.8.131.52. Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media.
184.108.40.206.1. Supplies could include physical media such as a compact disk (CD) or universal serial bus (USB) flash drive.
220.127.116.11. Postage, when the individual has requested the copy, or summary or explanation, be mailed.
18.104.22.168. Preparing an explanation or summary of the PHI, if agreed to by the individual.
3.1. ECU Health Care Components must permit individuals Access to PHI about the individual stored in the Component's Designated Record Set, for as long as the Designated Record Set is maintained, and have a standard operating procedure to comply with this regulation. If additional PHI is maintained in the Designated Record Set of other ECU Health Care Components, then the individual may have to make additional requests for access to the respective Component. In the event that PHI is stored in the ECU Health Care Component's Designated Record Set in electronic format, the individual shall have the right to obtain from such Component a copy of such PHI in an electronic format.
4. Exceptions and Denials to Access to PHI
4.1. Exceptions: The following PHI is not governed by this right of access:
4.1.1. Psychotherapy notes;
4.1.2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
4.1.3. PHI maintained by an ECU Health Care Component that is:
22.214.171.124. Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of Access to the individual would be prohibited by law; or
126.96.36.199. Exempt from the Clinical Laboratory Improvements Amendment of 1988, pursuant to 42 CFR 493.3(a)(2).
4.2.1. Unreviewable Grounds for Denial: An ECU Health Care Component may deny an individual Access without providing the individual an opportunity for review, in the following circumstances:
188.8.131.52. A covered health provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of PHI, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.
184.108.40.206. An individual's Access to PHI created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of Access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of Access will be reinstated upon completion of the research.
220.127.116.11. An individual's Access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of Access under the Privacy Act would meet the requirements of that law.
18.104.22.168. An individual's Access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the Access requested would be reasonably likely to reveal the source of the information.
4.2.2. Reviewable Grounds for Denial: An ECU Health Care Component may deny an individual Access, provided the individual is given a right to have such denials reviewed as required by paragraph 5.4.3 for review, in the following circumstances:
22.214.171.124. A licensed health care professional has determined, in the exercise of professional judgment, that the Access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
126.96.36.199. The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the Access requested is reasonably likely to cause substantial harm to such person; or
188.8.131.52. The request for Access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of Access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
5.1. Requests for Access to PHI and Timely Action
5.1.1. Written Request: Individuals must make their requests for Access to PHI in writing using the ECU Individual Request for PHI form available on the ECU HIPAA Privacy forms website. Individuals making their request for Access by telephone or e-mail should be forwarded a copy of the form. The request form must be maintained in the individual's Designated Record Set indefinitely.
5.1.2. Timely Action: An ECU Health Care Component must act on a request for Access to PHI no later than 30 calendar days after receipt of the request.
184.108.40.206. If an ECU Health Care Component is unable to take action within 30 calendar days, such Component may extend the time for such action by no more than 30 calendar days provided that:
220.127.116.11.1. The individual is provided with a written statement, within 30 calendar days of receipt of the request, of the reasons for the delay and the date by which the Component will complete its action on the request; and
18.104.22.168.2. The Component may have only one such extension of time for action on a request for Access to PHI.
5.2. Provision of Access to PHI
If an ECU Health Care Component provides an individual with Access to PHI, in whole or in part, the Component must comply with the following requirements:
5.2.1. Providing Access to PHI Requested: An ECU Health Care Component must provide the Access to PHI requested by the individual. If the same PHI that is subject to the request is maintained in more than one Designated Record Set or at more than one location, the Component need only produce the PHI once in response to a request for Access to PHI.
5.2.2. Form of Access to PHI Requested: An ECU Health Care Component must provide the individual with Access to PHI in the form and format requested by the individual, if it is readily producible in such form and format; or if not, in a readable hard copy form or such other form and format as agreed to by the Component and the individual.
22.214.171.124. Email Communication: If an ECU Health Care Component chooses to use email to provide an individual with Access to their PHI, such Component must have a policy and procedure in place for emailing PHI to patients that has been approved by the ECU HIPAA Privacy Officer and the Office of University Counsel.
126.96.36.199. Electronic Designated Record Sets: If the PHI requested is maintained in one or more Designated Record Sets electronically and if the individual requests an electronic copy of such information, the ECU Health Care Component must provide the individual with Access to PHI in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
188.8.131.52. Summary or Explanation of PHI requested: An ECU Health Care Component may provide the individual with a summary of the PHI requested in lieu of providing Access to PHI, or may provide an explanation of the PHI to which Access to PHI has been provided, if:
184.108.40.206.1. The individual agrees in advance to such a summary or explanation; and
220.127.116.11.2. The individual agrees in advance to the Fees imposed, if any, by the Component for such summary or explanation.
5.2.3. Time and Manner of Access to PHI: An ECU Health Care Component must provide Access to PHI as requested by the individual in a timely manner as required by paragraph 5.1.2, including arranging with the individual for a convenient time and place for Access to PHI, or mailing the copy of the PHI at the individual's request. The Component may discuss the scope, format, and other aspects of the request for Access to PHI with the individual as necessary to facilitate the timely provision of Access to PHI.
18.104.22.168. Requests to Transmit PHI to a Third Party: If an individual's request for Access directs an ECU Health Care Component to transmit the copy of PHI directly to another person designated by the individual, the Component must provide the copy to the person designated by the individual.
22.214.171.124.1. Written Requirement: The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI.
5.3. Charging a Fee for Access to PHI
5.3.1. An ECU Health Care Component may charge a Fee according to local procedures for copies of PHI, or a summary or explanation of such PHI.
5.3.2. A Fee must be cost-based and cannot exceed any limit set by State law. For example:
126.96.36.199. If a State permits a charge of 25 cents per page, but an ECU Health Care Component is able to provide a copy at a cost of five cents per page, then the Fee charged may not be more than five cents per page.
188.8.131.52. If a State permits a charge of 25 cents per page, but an ECU Health Care Component's cost is 30 cents per page, then the Fee charged may not be more than 25 cents per page.
5.4. Denial of Access to PHI
If an ECU Health Care Component denies Access to PHI, in whole or in part, the Component must comply with the following requirements:
5.4.1. Make other Information Accessible: An ECU Health Care Component must, to the extent possible, give the individual Access to any other PHI requested, after excluding the PHI to which the Component has a ground to deny Access to PHI.
5.4.2. Time and Manner of Denial to Access: An ECU Health Care Component must provide a timely, written denial to the individual, in accordance with paragraph 5.1.2, using the Denial for Individual's Request for Access, Use or Disclosure of PHI form. The denial must be in plain language and contain:
184.108.40.206. The basis for the denial;
220.127.116.11. If applicable, a statement of the individual's review rights under paragraph 5.4.3, including a description of how the individual may exercise such review rights; and
18.104.22.168. A description of how the individual may complain to the Component or the Secretary of Health and Human Services.
5.4.3. Review of Denial of Access to PHI Requested: If the individual has requested a review of a denial under paragraph 4.2.2, an ECU Health Care Component must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny Access.
22.214.171.124. The Component must promptly refer a request for review to such designated reviewing official.
126.96.36.199. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny Access requested based on the standards in paragraph 4.2.2.
188.8.131.52. The Component must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official's determination.
5.4.4. Requested Access to PHI not Maintained by ECU Health Care Component: If an ECU Health Care Component does not maintain the PHI that is the subject of the individual's request for Access, and the Component knows where the requested information is maintained, the Component must inform the individual where to direct the request for Access.
5.5.1. ECU Health Care Components must document the following and retain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.
184.108.40.206. The Designated Record Sets that are subject to Access by individuals; and
220.127.116.11. The titles of the persons or offices responsible for receiving and processing requests for Access by individuals.