What are HIPAA Patient Rights?

HIPAA Patient Rights

Patients have a number of rights under the HIPAA Privacy Rule. These rights cover how and when protected health information (PHI) can be used or disclosed; the right to access one's own medical records; and the right to have PHI amended. The various HIPAA patient rights are discussed below.

What Areas of the HIPAA Privacy Rule Form the Basis of HIPAA Patient Rights?

Several provisions of the HIPAA Privacy Rule form the basis of HIPAA patient rights, including:

  1. The provisions prohibiting certain uses or disclosures of PHI
  2. The right of access provisions
  3. The provisions allowing for amendment of PHI

HIPAA Patient Rights: Prohibitions on Use or Disclosure of PHI

HIPAA protects patients by generally prohibiting, absent the patient's written authorization, the sale of PHI; the use or disclosure of genetic information for underwriting purposes; and the use or disclosure of psychotherapy notes.


What is a Sale of PHI?

HIPAA patient rights include the right not to have one's PHI sold. Generally, covered entities and business associates may not engage in the sale of an individual's PHI without the individual's prior written authorization to do so, and that authorization must state that the disclosure will result in remuneration to the covered entity.

A sale of PHI takes place when a covered entity or business associate directly or indirectly receives remuneration, from or on behalf of the recipient of the PHI, in exchange for the PHI. The Privacy Rule carves out a limited set of disclosures from this definition (for example, disclosures for public health or research purposes where the remuneration is limited to a reasonable cost-based fee, disclosures for treatment and payment, and disclosures to a business associate for activities it performs on the covered entity's behalf).

Remuneration can consist of financial remuneration (e.g., money, cash, checks) as well as non-financial remuneration, such as in-kind benefits.

What is Underwriting?

Underwriting is the process of setting rules for eligibility for, or determining, benefits under a health plan. Underwriting also includes the computation of an individual's premium or contribution amounts under a health plan; the determination of whether to apply a preexisting condition exclusion under a policy; and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits.

Under the Privacy Rule, health plans (other than issuers of long-term care policies) are prohibited from using or disclosing PHI that is genetic information for underwriting purposes. This prohibition applies even if the plan would otherwise be permitted to use the PHI for payment or health care operations.

Under HIPAA, genetic information is:

  • Information about an individual’s genetic tests; 
  • Information about the genetic tests of family members of the individual;
  • Information about the manifestation of a disease or disorder in family members of the individual; or
  • Information about any request for, or receipt of, genetic services, by the individual or any family member of the individual. 

What are Psychotherapy Notes?

Under the Privacy Rule, psychotherapy notes are notes recorded, in any medium, by a healthcare provider who is a mental health professional. Psychotherapy notes document or analyze the contents of a conversation during a private counseling session or a group, joint, or family counseling session, and they are kept separate from the rest of the patient's medical record. Information that is part of the ordinary medical record is not a psychotherapy note: medication prescriptions and monitoring, counseling session start and stop times, the modalities and frequencies of treatment, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date are all excluded from the definition.

Psychotherapy notes contain particularly sensitive information, as they are the therapist's own personal notes. Therefore, the Privacy Rule generally requires a covered entity to obtain a patient's authorization prior to any use or disclosure of psychotherapy notes, including a disclosure for treatment purposes to a healthcare provider other than the originator of the notes. The limited exceptions include use by the originator for treatment, use in the covered entity's own training programs, defense of a legal action brought by the patient, and disclosures required by law or to HHS for compliance oversight.


HIPAA Patient Rights: The Right of Access

The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive copies, upon request, of the information in their medical and other health records maintained by their healthcare providers and health plans. This right is known as the HIPAA Right of Access.

What Records are Patients Entitled to Access?

The Privacy Rule generally requires HIPAA covered entities to provide individuals, upon request, with access to the PHI about them in one or more "designated record sets" maintained by or for the covered entity. Two categories of PHI are excluded from this right even when held in a designated record set: psychotherapy notes, and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered healthcare provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. 

“Records” in a designated record set include the following types of information (among others):

  • Medical records; 
  • Billing and payment records;
  • Insurance information;
  • Clinical laboratory test results;
  • Medical images (such as X-rays);
  • Wellness and disease management program files; and
  • Clinical case notes.

What is the Scope of the HIPAA Right of Access?

The HIPAA Right of Access includes the right to inspect or obtain a copy, or both, of the PHI in a designated record set. Patients also have the right to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice. The HIPAA Right of Access applies to this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the format in which the information is maintained (paper or electronic, onsite, remotely, or archived); when it was created; or where it originated. A covered entity must act on an access request no later than 30 days after receiving it, with one extension of up to 30 days permitted if the covered entity gives the individual written notice of the reason for the delay and the expected completion date.

HIPAA Patient Rights: The Right to Amend PHI

Generally, a patient has the right to have a covered entity amend PHI or a record about the individual in a designated record set, for as long as the PHI is maintained in a designated record set. Note that this is generally the same information an individual is entitled to access under the Right of Access.

A covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. While the covered entity may require patients to make requests for amendment in writing, and to provide a reason to support a requested amendment, the covered entity must inform patients of these requirements in advance. 

If a patient makes a request to amend PHI, the covered entity must grant the request unless a specific HIPAA Privacy Rule provision allows for denial of the request. Denial is permitted only where the PHI was not created by the covered entity (unless the originator is no longer available to act on the request); is not part of the designated record set; would not be available for inspection under the Right of Access; or is already accurate and complete. The covered entity must inform the patient of its decision to either grant or deny the request within 60 days after receiving it, with one extension of up to 30 days permitted if it gives the patient written notice of the reason for the delay and the expected completion date. A denial must be in writing, in plain language, and must state the basis for the denial and explain the patient's right to submit a written statement of disagreement that will be kept with the record.

If the covered entity grants the request, the covered entity must then make the appropriate amendment to the PHI or record that is the subject of the amendment request by, at a minimum:

  • Identifying the records in the designated record set that are affected by the amendment; and
  • Appending the amendment to those records, or otherwise providing a link to the location of the amendment.

In addition, if the covered entity agrees to make the amendment, the covered entity must timely inform the patient that the amendment has been accepted, and must obtain the patient's identification of, and agreement to notify, the persons with whom the amendment needs to be shared.

Finally, the covered entity must make reasonable efforts to provide the amendment within a reasonable time to persons identified by the patient as having received PHI about the patient and needing the amendment, and to persons, including business associates, that the covered entity knows have the PHI and may have relied on it, or could foreseeably rely on it, to the patient's detriment.