Hi103 week 6 chpt 15

© 2017 American Health Information Management Association© 2017 American Health Information Management Association
Chapter 15: Access, Use,
and Disclosure of Health
Information
Fundamentals of Law for Health
Informatics and Information
Management, Third Edition

© 2017 American Health Information Management Association
Review of Terms—Access, Use,
and Disclosure
• HIPAA definitions
• Access: Right of an individual to inspect and
obtain a copy of his or her own health information
that is contained in a designated record set
• Use: Sharing, employment, application, utilization,
examination, or analysis of individually identifiable
health information within an entity that maintains
such information
• Disclosure: Release, transfer, provision of, access
to or divulging in any other manner of information
outside the entity holding the information

Release of Information
• Release of information differs from
disclosure
– Refers to providing access to PHI to an
individual or entity authorized to receive or
review it

Ownership and Control of
Health Record and Health
Information
• Who owns the health/medical record?
– Primary data source vs. secondary data
• What right does the patient have to their
primary and secondary data?

Access to Patient Health
Information
• Federal regulations: HIPAA
– Individual has certain rights to access, use, and
disclose his or her protected health information (PHI)
– Authorization and accounting of disclosure
requirements—See HITECH
• ONC offers guidance for patients to opt in or opt
out of sharing information with HIEs
• Most state regulations provide patients right to
access their health information and protect patient
confidentiality

Who Can Access Health
Information?
• Competent adult
– Age of majority
– Individual’s authorized personal
representative
– Individual who holds persons
• Durable power of attorney (DPOA) or
• Durable power of attorney for healthcare decisions
(DPOA-HCD)

Information?
• Competent adult
– Uniform Health-Care Decision Act
• Surrogate or next of kin
• Decision making priority
– Spouse
– Adult child
– Parent
– Adult sibling
– Adult nonrelative familiar with patient
– Court appointed individual

Information?
• Incompetent adult
– Age of majority but is incapacitated
• Court must legally deem person incompetent and
appoint legal guardian who may be spouse,
parent, sibling, agent, attorney, or surrogate.
• Rights of competent adult or legal
guardian of incompetent adult
– To request, receive, examine, copy and
authorize disclosure/release of PHI

Information?
• Minors
– Individuals under the age of 18 who are not legally
emancipated (declared an adult) by the court require
parental authorization
– Minor is considered legally incompetent and unable to
make decisions regarding treatment or handling of
health information unless, per state law, a minor can
consent to treatment for abortions, mental health,
substance abuse treatment, or venereal disease
treatment. In those cases, they can authorize access,
use, and disclosure of their own healthcare
information.

Information?
• Minors
– Parental authorization typically required as
recognized by law
• Married biological parents
• Separated or divorced biological parent(s)
• Adoptive parents
• Foster parents
• Grandparents
• Legal guardians
• Relative with guardianship while parent is overseas or in
service
– State law defines parent who can sign

Information?
• Parental authorization not required
– Emancipated minor: Under the age of majority and
self-supporting with parents who have surrendered
their rights of custody, care, and support
– Minor who is married or previously married
– Minor in the military
– Minor who is a parent of a child
– Minor who reaches age of majority while under
treatment
– Minor treated for drug or alcohol dependency, mental
health, STDs or HIV/AIDS, contraception and abortion
per state laws

Information?
• Rights of a noncustodial parent or others
– Parent who does not have legal custody of
the child
– Legally endowed with parental rights which
allow access unless stated otherwise by state
law
– Scenario: Father seeks medical records of his child. It is
learned that the father has visitation rights with the child,
but is the non-custodial parent. Should the requested
records be given to him?

Information?
• Best practice regardless of person’s age or
competence
– Minors: In case of noncustodial parent, seek
authorization whenever possible
– Emancipated minor: Request copy of court order
and/or other proof that minor is emancipated
– Incompetent adult: Require legal documentation of
the incompetent adult’s legal position and the reason
the adult is unable to sign the authorization along with
documentation of the personal representative’s
authority to access or authorize disclosure of the
incompetent adult’s PHI

Information?
• Employer, employee and other workforce members
– By nature of job or work relationship access may occur
• Employers
• Employees
• Physicians
• Students
• Attorneys
• Vendors
– Need specific rules as to who in workforce may access,
who has legitimate right
• See HIPAA and state regulations

Types of Sensitive Health
Information
• Behavioral (mental) health information
• Substance (alcohol and drug) abuse records
• HIV/AIDS records
• Genetic information
• Adoption information
Specific authorization required

Behavioral Health Records
• General rule: Mental health information is
to be kept confidential
• What state law says: (insert state law)
– Provides protections
– Provides exceptions

(continued)
• Requests by patients
– Historically, denied (believed injurious to their
mental health)
– Today, facility policies may still provide for
asking the physician first
– Some states specifically grant right of access
to patient, which is consistent with HIPAA
Privacy Rule

(continued)
• Requests by others
– Right of access is generally per state statute
(insert law)
• Factors to consider:
– Authorization form shall specify that release of
behavioral health information is authorized
– Identity of mental health patients are often
protected by state statute. Why? How has HIPAA
changed this?
– State statute must comply with HIPAA

(continued)
• Duty to warn
– Required under certain circumstances
• State laws may permit or even compel
psychologists and psychiatrists to use their
discretion to warn intended victims of potential
harm without the patient’s authorization.
– Tarasoff vs. the Regents of the University of
California

Substance Abuse Records
• Governed by federal law
– Agency charged with oversight Substance Abuse
and Mental Health Services Administration
(SAMHSA )
– Drug Abuse Prevention, Treatment and
Rehabilitation Act of 1972
– Comprehensive Alcohol Abuse and Alcoholism
Prevention, Treatment and Rehabilitation Act of
1970
– Protect confidentiality of patients seeking
substance abuse treatment

(continued)
• Federal laws apply to:
– Any “federally assisted” drug and alcohol
programs (broadly defined)
– “Programs” providing diagnosis, treatment or
referral for drug and alcohol abuse (also broadly
defined)
• Entity dedicated to these services
• Unit of a general medical facility dedicated to these
services
• Medical personnel with primary function to provide
these services

(continued)
• Federal law
– Protects the identity of substance abuse patients (not just
their clinical information)
– Form shall specify release of substance abuse information
is authorized; must contain certain items to be valid
– If minor can consent to treatment per state law, minor
authorizes release of the records
– Limited exceptions to authorization requirement: medical
emergency, scientific research, audits, program evaluation,
court order, suspected child abuse
– If federal and state law conflict, the most restrictive (most
protective of patient confidentiality) wins
• Efforts to update regulations in progress

HIV/AIDS
• Competing interests
– Patient with a need for heightened sensitivity
– Healthcare providers who need to protect
selves while also providing care
– Government, which needs access for
research and to monitor its spread
– Third parties who may be exposed to the
disease

HIV/AIDS (continued)
• General rule: HIV/AIDS information is to be kept
confidential
• Example of an HIV/AIDS state law that
– Provides protections
– Then provides exceptions
• Wrongful disclosure leads to civil penalties
• Example: Ohio law protects
– ID of individual receiving HIV test
– Results of HIV test in form that IDs individual
– ID of individual diagnosed with AIDS or AIDS related
condition (ARC)

HIV/AIDS (continued)
• HIV (+) healthcare providers. To disclose or not to disclose?
– CDC guidelines:
• If known before treatment: Yes, if invasive, exposure-prone procedure
• If learned after treatment: Case by case basis
• HIV acquired through blood transfusion. To disclose or not
disclose the donor?
– Courts are split
• No: Otherwise, will deter needed donations due to donors’ fear of
inquiry into private lives
• Yes: Patient interest in discovering donor outweighs donor’s privacy
rights
• Specific HIV policies and procedures are key to proper
protection and disclosure (keeping in mind both state law and
HIPAA)

Genetic Information
• Possible because of Human Genome
Project led by National Human Genome
Research Institute
• Powerful potential use of genetic
information requires need to protect
information

Genetic Information (continued)
• Potential problems with misuse of
genetic information
– Insurers to deny, limit, or cancel health
insurance
– Raise premiums
– Employers may discriminate against
individual in workplace

• Genetic Information Nondiscrimination Act
(GINA) of 2008
– Prohibits discrimination by health insurers and
employers based on genetic information
– Title I effective, December 7, 2009, focuses on
genetic nondiscrimination in health insurance and
states that health plans may not use genetic
information to make eligibility, coverage,
underwriting, or premium-setting decisions

• Title I of GINA modifies the HIPAA Privacy Rule
– Genetic information is health information and prohibits the
use and disclosure of genetic information by covered
health plans for underwriting purposes
– Two exceptions:
• Health insurers may request genetic information in the case that
coverage of a particular claim would only be appropriate if there
is a known genetic risk.
• When working in collaboration with external research entities,
health insurers may request (but not require) in writing that an
individual undergo a genetic test. The individual may do so
voluntarily, but refusal to participate will have no negative effect
on his or her premium or enrollment status. The collected
genetic information may be used for research purposes only
and not for underwriting decisions.

• Title II of GINA—Responsibility of the Equal
Employment Opportunity Commission (EEOC),
and final regulations effective January 10, 2011
(29 CFR Part 1635).
– Prohibits the use of genetic information in making
employment decisions, restricts employers and other
entities covered by Title II (employment agencies,
labor organizations, and joint labor-management
training and apprenticeship programs—referred to as
“covered entities”) from requesting, requiring, or
purchasing genetic information, and strictly limits the
disclosure of genetic information

• State genetic laws
– Statutory or regulatory provisions that safeguard genetic
information and prohibit discrimination in employment and
insurance benefits based on genetic information and mandatory
genetic testing for employment and insurance purposes.
– Degree of protection provided by states varies. Some state
provisions are less protective than GINA, and some more
protective. All entities that are subject to GINA must, at a
minimum, comply with applicable GINA requirements as well as
more protective state laws.
• The National Conference of State Legislatures (NCSL)
maintains information about current issues facing states,
including those surrounding genetic privacy laws. Current
state genetic privacy laws are summarized in a table on the
NCSL website.

• Precision Medicine Initiative 2016
– Goal to speed up patient-centered biomedical
discoveries using genetic information
– Set privacy protections in place and ways for
patients to participate but still retain control
over use of information

Adoption
• Adoption: Legal status in which the parental rights and
responsibilities of one set of parents are legally terminated
and a new parental relationship is established by law
• Parties to an adoption are
– Adopted individual (adoptee), biological (natural, birth) parents,
and adoptive parent(s)
– Rights of each must be considered in light of access to health
information
• Adoption records include public and nonpublic documents
(original sealed birth certificate, court documents relating to
the adoption process, and records of the adoption agency
and/or attorneys involved in the adoption)

Adoption Information
• Adoption records: Considered confidential by
most state laws
• However, most states require that adoptive
parents receive specific health information
about the adoptee
• “Medical necessity” generally satisfies “good
cause” requirement to release adoption
records containing medical information.

Release of Information on
Adoptive Person
• Biological parents: Relinquished their parental rights
– Refer requests to adoption agency
• Adoptive parents: May inspect minor adoptee’s
medical records after all identifying information
regarding biological parents has been redacted
• After age of majority, right belongs solely to the
adoptee (adult adoptees can access their own medical
records, with information about biological parents
removed)
• Minor adoptees tracing their biological parents should
be referred to the adoption agency

Disclosure of Active Records of
Currently Hospitalized or
Ambulatory Care Patients
• A currently hospitalized patient (inpatient) or a patient
currently being seen in a clinic setting (outpatient) or their
personal representative may access, inspect, obtain a copy
of, or disclose PHI from the patient’s record.
• Active record is a term used to denote the health records of
individuals who are currently hospitalized inpatients or
outpatients.
• If an active inpatient or outpatient wishes to access, copy, or
disclose his or her PHI, healthcare provider should follow the
same policies and procedures that are in place for allowing
the access, copying, and disclosure of PHI for patients not
currently hospitalized or being treated as an outpatient.

Deceased Patients
• Access or disclosure of patient information on
deceased patient usually determined by state law
– HIPAA: Individual has the same privacy rights in death as
they did in life but leaves it up to states in terms of who
qualifies as deceased person’s legal representative for
access, use, and disclosure purposes
• Legal executor or administrator of the estate has first
rights to access deceased’s PHI or records
– In absence of executor rely on UHCDA in identifying next-
of-kin priority
– Other states require that these individuals become the
deceased’s official personal representative through
appointment by a probate court or court order

Deceased Patients (continued)
• HITECH changes to HIPAA Privacy Rule
related to deceased patients provide for
additional flexibility in the disclosure of PHI by
– (1) Removing the PHI status from health records
50 years following the patient’s death and
– (2) Permitting CEs to disclose decedent records
to family members and others involved in the
patient’s care or payment of care unless doing so
would be inconsistent with any known preference
of the patient

Deceased Patients (continued)
• Final Rule murky on how to determine if
records should be released
• Up to CE to have "reasonable assurance"
that the person requesting the record has a
legitimate right to access it
• Best practice: Suggest healthcare providers
require requesters to show proof of
relationship to the decedent or present court-
authorized documentation showing authority
to access the deceased individual’s PHI

Disclosure of Information for
Autopsy
• Autopsies performed to determine cause of death
– Objectionable to some religions and cultures
• Consent to autopsy required except where autopsy is needed
to determine cause of death for public policy purposes
• Privacy Rule allows release of PHI without authorization to a
medical examiner or coroner for purpose of identifying
deceased person, determining cause of death, and other
authorized purposes
– If the death of the individual is not a medical examiner or
coroner’s case, the surviving spouse or descendents of the
deceased may authorize the autopsy.
– Healthcare organization should require that an authorization
form be completed and retained in the health record for
evidentiary purposes.

Open Records, Public Records
or Freedom of Information Laws
• Also called “sunshine laws”
• At both federal and state levels
• Federal: Freedom of Information Act (FOIA)
• State Public Records Act
• Provide for scrutiny of records created by
public employees. Why?

Employee Health or
Occupational Safety and Health
Records
• Employee health records or occupational safety
and health records kept on employees as part of
employment contain any and all information
related to items such as medical tests, drug tests,
examinations, physical abilities, immunizations,
screenings required by law, biohazardous
exposure, and physical limitations
• Federal and state regulations governing health
records
• Americans with Disabilities Act
• SAMHSA
• OSHA

Employee Health or
Records (continued)
• Employees have a right to access results of drug
testing as well as their employee health record
under applicable state laws and federal
Occupational Safety and Health Administration
(OSHA) regulations (29 CFR 1910.20)
– Regulations ensure employee (or designated
representative) is given access to his or her own
health and exposure records within 15 days of a
request
– Other state regulations may be stricter and preempt
the OSHA rule

Employee Health or
Records (continued)
• Employees should be told in advance what
health records are maintained on them and
notified of any release of such records
• Occupational health providers who are CEs
must abide by HIPAA rules and obtain patient
authorization (or make reasonable efforts to
do so) before disclosing health information
from an employee health record.

Antiterrorism Initiatives
• Patriot Act of 2001 enacted to deter and punish
terrorist acts in US and around the world and to
enhance law enforcement investigations.
– Gives director of FBI or designee right to apply for a
production order through the court system to produce
tangible items such as documents and records
– Provides sanctions for any unauthorized disclosures
of the information obtained by others not involved in
investigation
– A healthcare provider who in good faith provided
information requested under order would not be held
liable for releasing the information

Antiterrorism Initiatives
(continued)
• Homeland Security Act of 2002—Designed
to prevent terrorist attacks in the US while
reducing vulnerability to terrorism,
minimizing its damages, and assisting in
recovery from attacks in US
– Gives secretary of Homeland Security
authority to access information that would
include PHI without the authorization of the
patient or personal representative

Syndromic Surveillance
• Systematic gathering and analysis of prediagnostic
health data to rapidly detect clusters of symptoms and
health complaints that might indicate an infectious-
disease outbreak or other public health threat
• Federal and state public health reporting
– Provide public health officials with necessary information to
help detect bioterrorism threats and sudden outbreaks of
diseases
– Use Electronic Surveillance System for the Early
– Notification of Community Based Epidemics (ESSENCE)

Consumer Reporting Agencies
• Companies that regularly assemble or
evaluate consumer information for the
purpose of producing reports
– Credit information: Equifax, Experian,
TransUnion
– Health information: Medical Information
Bureau (MIB)

Consumer Reporting Agencies
(continued)
• Fair and Accurate Credit Transactions Act of 2003
(FACTA)
– Protects consumers against misuse of health information,
amended Fair Credit Reporting Act (FCRA) (15 USC
1681), related to obtaining and using medical (health)
information in connection with credit eligibility
determination
– Prohibits creditor from obtaining and using medical
information to decide consumer’s credit eligibility
• Creditor can obtain and use financial information related to
medical debts, expenses, or income, consumer (a patient) must
authorize for consumer reporting agency to share medical
information with employers for employment or insurance
purposes

Other Access, Requests,
Disclosure Situations
• Laboratory test results: Clinical Laboratory
Improvements Amendments (CLIA)
– Laboratories only to disclose test results or
reports to an “authorized person,” who ordered
test, unless state law states otherwise. Individual
who is the subject of information is not authorized
to immediately and directly receive his or her
laboratory test results unless defined by state law
– Access to the individual’s clinical laboratory
information will occur through the provider who
ordered the test(s)

Other Access, Requests,
Disclosure Situations
(continued)
• Insurance companies and government agencies
payment requests
– HIPAA Privacy Rule, requests for payment purposes,
including utilization review and medical necessity review,
do not require authorization if the information is for the
payment of a specific episode of care (45 CFR 164.506)
– Other information requests require patient authorization
• Medical emergencies
– Obligation is to treat the patient and provide whatever
information is necessary. This usually entails disclosing
patient information without authorization

Public Figures/Celebrities
• Special procedures must be implemented to
protect patient confidentiality
• HIPAA: Directory; general information released
only with authorization
• Omission of name from record, code name or alias
• Computer access and paper record access
restricted on need-to-know basis
• Designated spokesperson to address media
questions
• Staff training and nondisclosure statements

Social Security Administration
and State Disability
Determination Services
• Federal and state governments rehabilitation and disability
(physical and mental) services administered by Social
Security Administration (SSA) and state disability
determination services (SDDS)
• To defray costs and expedite the review process, SSA and
SDDS implemented Electronic Records Express (ERE)
initiative; offers providers secure electronic options for
submitting records related to disability claims
• Claimant voluntarily authorizes the sending of all medical,
school, and other records and information related to his or her
case to the SSA and the state agency authorized to process
the case by signing HIPAA compliant disclosure form SSA-
827

Health Information Handlers:
Payment Integrity Review
Contractors and Health
Information Exchanges
• HIH organization handles information on behalf of a provider
(e.g. ROI vendor, HIE, and EHR vendor)
– Maybe covered entities, business associates, or business
associate subcontractors that have agreements with providers to
access, use, and/or disclose PHI
• Medicare Fee-for-Service programs are not required to
provide authorization for disclosure of PHI (e.g. RAC, MAC,
ZPIC, etc.)
• Providers may respond to review contractors online through
new mechanism
– Electronic Submission of Medical Documentation (esMD)
enables review contractors to send their requests for medical
documentation electronically, thus eliminating the paper request

Managing the Release of
Information Process
• Legal health record vs. designated record
set
• What to do with information from other
sites?
• Whose responsible for disclosing
information?

Types of Request
• Verification of requester
– Validity of authorization
• Mail request
• Telephone request
• Electronic requests: Fax, Internet
• Walk-in request
• On-site request
• Fax request, request to send information
electronically

Determining if Disclosure is
Appropriate
• Is request HIPAA or state compliant?
• What content should be released?
• What department should disclose
information?

Subpoena or Court Order
• Subpoena used to compel one’s appearance at a
certain time and place to testify or produce
documents or other tangible items (subpoena
duces tecum—“bring with”) during discovery
process or at trial
– Issued by a court, grand jury, lawyer representing a
party in a civil or criminal lawsuit, or by a government
agency
• Court order issued by a judge that compels a
certain action, such as testimony or the production
of documents such as health records

ROI Reimbursement & Fee
Structure
• ROI function of doing business
• Federal regulations address cost for ROI
– HIPAA permits reasonable charges for labor, postage,
etc. (see figures 15.3, 15.4)
– Other federal program set fees: CMS, QIO, OSHA,
etc.
• State regulations on costs for ROI
– See figure 15.5
– See state medical record copying charges at
http://www.lamblawoffice.com/medical-records-
copying-charges.html

Accounting of Disclosure and
Tracking Releases
• Privacy Rule requires the tracking and
accounting of disclosures of PHI, as
discussed in chapter 11.
– Requirement currently includes all disclosures
made in writing, electronically, by telephone,
and orally, but does have some exceptions.

Right to Request Restrictions
• HITECH enables an individual to restrict
an organization’s ability to disclose
information to health plans for payment or
operations purposes if the service
provided was paid for completely out of
the individual’s pocket.

Some Reasons for Refusing to
Disclose Information
• Identity of person presenting the authorization is in question
• Authorization appears to have been completed without the
patient’s knowledge or after the patient signed the form
• Doubt person requesting information is the person named in
the authorization
• Person who signed the authorization is not of legal age
• Question as to the competency of person who signed
authorization
• What are some others?

Hi103 week 6 chpt 15

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Similar to Hi103 week 6 chpt 15

Similar to Hi103 week 6 chpt 15 (20)

More from BealCollegeOnline

More from BealCollegeOnline (20)

Recently uploaded

Recently uploaded (20)

Hi103 week 6 chpt 15

Editor's Notes