StudyDaddy Information Systems Remote Access Security Policy Organization: XYZ Health Care Provider:XYZ Health Care is a provider of health services to senior citizens. It performs its mission with a virtual force of Registered Nur

Remote Access Security Policy Organization: XYZ Health Care Provider:XYZ Health Care is a provider of health services to senior citizens. It performs its mission with a virtual force of Registered Nur

  The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        1           T HE  HIPAA  P RIVACY  R ULE ’S  R IGHT OF  A CCESS AND  H EALTH  I NFORMATION  T ECHNOLOGY          B ACKGROUND  AND   INTRODUCTION     Since its inception, the HIPAA Privacy Rule’s right of an individual to access protected health information (PHI) about him or her held by a c overed entity has operated in a primarily paper- based environment. While it has been common for covered entities to create, maintain, and exchange PHI in paper form, an increasing numb er of covered entities are beginning to utilize new forms of health information technology (hea lth IT), which often involve the transition of PHI from paper to electronic form. Many hea lth care providers, for example, are adopting comprehensive electronic health records (EHRs) to enhance the quality and efficiency of care they deliver. Health IT also may create mech anisms by which individuals can electronically request access to their PHI and by which covered entities can respond by providing or denying access electronically.

An individual’s right to access his or her PHI is a critical aspect of the Privacy Rule, the application of which naturally extends to an electronic environment. The Privacy Rule establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their PHI, to the extent it is maintained in the designated record set(s) of a covered entity. The Privacy Rule’s specific, yet flexible, standards also address individuals’ requests for access and timely action by the covered entity, including the provision of access, denial of access, and documentation. See 45 C.F.R. § 164.524.

Health IT has the potential to facilitate the Privacy Rule’s right of access from both an individual’s and a covered entity’ s perspective. Because the right of access operates regardless of the format of the PHI, its application in an electronic environment is similar to that in a paper-based environment. Several provisions, how ever, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, may apply slightly differently and, thus, require additi onal consideration. The discussion that follows addresses an individual’s right to request access electronically, a covered entity’s electronic provision or denial of access and other specific applications of the Privacy Rule that will assist covered entities in tailoring their compliance appropriately.

  The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        2           The guidance also is meant to serve as a steppi ng stone for covered entities that are considering how an individual’s access rights may be fulfilled within an electronic health information exchange environment. To that end, the gui dance demonstrates how the Privacy Rule’s access standard provides a strong foundation from wh ich covered entities can develop policies and procedures which also meet several of the objectives enumerated in the Individual Access Principle identified within The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information .   R EQUESTS FOR  A CCESS    The Privacy Rule allows covered entities to requi re that individuals make requests for access in writing, provided they inform individuals of such a requirement. See 45 C.F.R. § 164.524(b)(1). In addition, the Privacy Rule h as always considered electronic documents to qualify as written documents. Thus, the Privacy Rule supports covered entities’ offering individuals the option of using electronic means (e.g., e-mail, web portal) to make requests for access.

  T IMELY   A CTION   The Privacy Rule requires covered entities to res pond to requests for access in a timely manner. Except as otherwise specified, the Privacy Rule requires the individual be notified of the decision within 30 days of the covered entity’s receipt of the request. See 45 C.F.R. § 164.524(b)(2)(i). While the Privacy Rule establishes the 30 days as an outside limit, it does not preclude covered entities from responding sooner. Indeed, a covered entity may have the capacity through the use of some electronic sy stems to provide automated access to an individual’s PHI or respond to requests with imme diate access, twenty-four hours a day. Not all electronic systems, however, may allow for the provision of immediate access, and the covered entity’s response time-frame will normally depend, in part, on its system capacity.

As in a paper-based system, other factors also will impact a covered entity’s response time in an electronic environment. For example, the Privacy Rule’s 30 day parameter was originally conceptualized to allow covered entities sufficient time to accommodate normal business functions (e.g., interpretation of test results), as well as those unusual circumstances that might delay a response (e.g., reporting suspected child abuse). Similar allowances may be necessary in an electronic health information environment as well. As a practical matter, individuals might exp ect, when making a request of a technologically sophisticated covered entity, that their requests could be responded to instantaneously or well before the current required time-frame. This might be the case, for example, when access is provided through a direct view or portal into a health care provider’s EHR. Providing more timely access than the Privacy Rule requires may be a means by which covered entities distinguish themselves within the market.   The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        3           PROVISION   W HO  M AY  EXERCISE THE  RIGHT OF  ACCESS ?   OF   A CCESS Individuals and Personal Representatives . While the Privacy Rule’s right of access belongs primarily to the individual who is the subject of the PHI, the Privacy Rule also generally requires that persons who are legally authorized to act on behalf of the individual regarding health care matters be granted the same right of access. See 45 C.F.R. § 164.502(g)(1). The Privacy Rule defers to state law to determine when a person has the legal authority to act on behalf of an individual with regard to health care matters. Health care powers of attorney and parental rights, for example, are two legal bases by which state law may be determinative of a person’s authority to act on behalf of an individual.

The Privacy Rule’s personal representative requi rement ensures that certain people will have access to an individual’s PHI when the indivi dual is incapacitated or otherwise unable to exercise the right of access on his or her own behalf. The Privacy Rule would require that covered entities grant personal representatives w ith the right of access on behalf of an individual in an electronic environment, just as they do today with regard to paper-based information. Covered entities will want to make sure, however, that they have the capacity to identify, authenticate, and properly respond to requests from these individuals, whether electronically or otherwise, as the Privacy Rule requires.

Verification. The Privacy Rule requires covered en tities to develop and implement reasonable policies and procedures to verify the identity of any person who requests PHI, as well as the authority of the person to have access to the info rmation, if the identity or authority of the person is not already known. See 45 C.F.R. § 164.514(h)(1). These verification requirements apply to individuals who request access to their PHI that is maintained in a designated record set. The Privacy Rule refrains from defining specific or technical verification requirements and largely defers to the covered entity’s professional judgment and industry standards to determine what is reasonable and appropriate under the circumstances.

Verification may be obtained either orally, or in writing (which may be satisfied electronically), so long as the requisite documentation, statem ents or representations are obtained where required by a specific Privacy Rule disclosure provision, and that the appropriate steps are ultimately taken to verify the identity and aut hority of individuals or personal representatives who are otherwise unknown. Therefore, covered entities that receive and/or respond to access requests electronically should revisit thei r verification and documentation policies and procedures to ensure that they are reasonable in light of the electronic environment within which they are operating.

  The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        4           CONTENT  ‐ DESIGNATED  RECORD  SETS   An individual’s right of access generally applies to the information that exists within a covered entity’s designated record set(s), including: (1 ) a health care provider’s medical and billing records, (2) a health plan’s enrollment, paym ent, claims adjudication, and case or medical management record systems, and (3) any informa tion used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the covered entity. See 45 C.F.R. § 164.501 (definition of “designated record set”).

Covered entities that use electronic records (e.g., EHRs or electronic claims systems) will want to remain cognizant that the right of access appli es regardless of the information’s format. The term “designated record set,” therefore, cannot be limited to information contained in an electronic record, but also will include any non-duplicative, electronic or paper-based information that meets the term’s definition. While overlap may initially exist between electronic and paper-based record sets, cove red entities will likely find their access-related obligations to be less time and labor intensive th e more PHI they convert to being electronic. Further, a covered entity that utilizes a business associate to maintain or otherwise operate its electronic records will want to ensure the business associate is obligated to share non- duplicative information pursuant to electronic acces s requests. The same would be true if a health information organization (HIO), as a business associate, maintains an electronic repository of some or all of a covered entity’s PHI.

FORM  OR   FORMAT  OF   A CCESS   PROVIDED   The Privacy Rule requires covered entities to provi de access to the PHI in the form or format requested by the individual, if it is readily producib le in such form or format. If the PHI is not readily producible in the form or format requested, access must be provided in a readable hard copy form, or in the alternative, some other form or format as agreed to by the covered entity and the individual. The covered entity also may provide the individual with a summary of the PHI or may provide an explanation of the PHI which has been provided, so long as the individual agrees to the alternative form and associated fees. See 45 C.F.R. § 164.524(c)(2).

To the extent individuals request that access to their PHI be provided in an electronic form or format, covered entities’ utilization of electronic records will likely increase the amount of PHI that is “readily producible” in electronic form, thereby benefiting both the requesting individual, as well as the covered entity: Electronic access may provide individuals with more timely access to more information in a more convenient manner. For example:

• Electronic copies of PHI may be downloaded to USB thumb-drives or copied to compact discs relatively quickly and may provide individuals with a more convenient means of transporting and maintaining the information.   The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        5           • EHRs may enable covered entities to offe r individuals an immediate and ongoing view into the covered entity’s designated record set(s), either through a personal health record (PHR) or otherwise, while limiting the time, expense, and labor that may be required otherwise in order to provide access to the individual.

Electronic access also may be a means by which covered entities can limit the time, resources and other expenses required to provide the individual with access.

• Electronic copies of PHI that are downloaded to USB thumb-drives or copied to compact discs may require less labor and overhead than access to paper records would require.

• Covered entities may find that providing individuals with electronic access to PHI could save them time and resources by limiting, if not eliminating, the need to provide hard copies of the information or some other, more expensive, form or format. • Providing such “readily producible” electronic access may have the secondary effect of enhancing their communication with individuals, which may in turn, lead to improved quality of care and strengthened consumer satisfaction.

The right of access also affords covered entities the option of making alternative agreements with individuals as to the form or format of access provided. If, for example, a covered entity’s default administrative safeguards policies and procedures limit the provision of electronic access to stand-alone devices and secure, web-b ased portals, and an individual requests access via electronic mail (e-mail), the Privacy Rule would permit alternative agreements which satisfy both parties, so long as reasonable safeguards are otherwise in place.

To the extent that individuals request access to their PHI in hard-copy form, the covered entity must provide such access, even if the inform ation is stored in an electronic record.   D C GROUNDS FOR  DENIAL     ENIAL  OF   A CESS     The Privacy Rule contemplates circumstan ces under which covered entities may deny an individual access to PHI and distinguishes those grounds for denial which are reviewable from those which are not.

Unreviewable grounds for denial are : situations involving (i) psychotherapy notes, information compiled for use in legal pro ceedings, and certain information held by clinical laboratories; (ii) certain requests which are made by inmates of correctional institutions; (iii) information created or obt ained during research that includes treatment if certain conditions are met; (iv) deni als permitted by the Privacy Act; and (v)   The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        6           information obtained from non-health care providers pursuant to promises of confidentiality. See 45 C.F.R. § 164.524(a)(2). Reviewable grounds for denial are : (i) disclosures which would cause endangerment of the individual or another person; (ii) situa tions where the PHI refers to another and disclosure is likely to cause substantial ha rm; and (iii) requests made by a personal representative where disclosure is likely to cause substantial harm. See 45 C.F.R. § 164.524(a)(3). IMPLEMENTATION OF  DENIAL   The Privacy Rule further requires that denials of access be timely, written, provided to individuals in plain language, with a description of the basis for denial, and if applicable, contain statements of the individual’s rights to have the decision reviewed and how to request such a review. In addition, the notice of denial must inform the individual of how complaints may be filed with the covered entity or the Secretary of HHS. If access to some of the PHI is denied, the covered entity must, to the extent possible, give the individual access to any other PHI requested, after excluding the PHI to which the covered entity has a ground to deny access. See 45 C.F.R. § 164.524(d)(1).

A covered entity may satisfy the Privacy Rule’s writing requirement for denials electronically, though its denial still must be based on the groun ds identified by the Privacy Rule, and must comply with each of the Privacy Rule’s proce dural requirements. In cases where the covered entity is able to receive and process a request for access by the individual electronically and provide access in an electronic format, the denial of the request, in whole or in part, may also be done electronically. As emphasized above, th e form of the denial does not change the covered entity's obligations regarding the basis fo r the denial or the content of the notification to the individual. However, where the covered entity provides individuals with electronic access to some or all of their health informa tion, through a PHR or similar means, and the access is available to the individual at any time and without a request, it becomes more difficult to determine whether a denial of access has o ccurred and when notice to the individual is required. For example, the requirements in th e Privacy Rule are flexible enough to permit a covered entity to notify the individual in advan ce of the types of PHI to which it intends to deny access and for which the Privacy Rule does not provide a right of review. See 45 C.F.R. § 164.524(a)(2). Such advance notification would not be appropriate, however, for other types of PHI to which a covered entity may deny access because the denial must be based on the specific exercise of professional judgment by a licensed health care professional and are subject to the individual's right to request a review of the denial by another licensed health care professional. In these cases, the individual must be aware of the fact that he or she has been denied access to certain information for which th e individual has a right to request a review. See 45 C.F.R. § 164.524(a)(3). The covered entity 's policies and procedures for the provision of electronic access must appropriately provide fo r these individualized grounds for denial of access.   The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        7             FREQUENTLY  A SKED   Q UESTIONS   Q1: In an electronic health information exchange environment, what is a designated record set for purposes of an individual’s right of access under the HIPAA Privacy Rule?

A1: To the extent covered entities maintain their own electronic records systems, their choice to link those systems to a netw ork for electronic health information exchange purposes would not necessarily change the status of information maintained within their desi gnated record sets. That is, information that meets the definition of a designated record set remain s part of the designated record set even if that information is linked to a networ k. See 45 C.F.R. § 164.501 (definition of “designated record set”). Covered entities should be aware, however, that whatever information they import into their electr onic records via a network may become an integrated part of their designated reco rd set(s). Network participation alone, however, would not make all other info rmation about the individual that is accessible through the network part of a covered entity’s designated record set. Thus, the ability to link to information through a network does not obligate a covered entity to provide access to the designated record set of another entity participating in the network.

Q2: How would a covered entity or health information organization (HIO), acting on its behalf, know if someone were a personal representative for the purpose of granting access under the HIPAA Privacy Rule?

A2: The Privacy Rule’s verification standard requires that covered entities develop and implement reasonable policies and procedures to verify the identity and authority of such persons, if otherwise unknown to them, before granting them access to protected health information (PHI). See 45 C.F.R. § 164.514(h). Once verified, the personal representative can then be given the appropriate credentials for authentication and access through an electronic system. The Privacy Rule allows covered entities to rely on their professional judgment, as well as industry standards, in designing reasonable verification and authentication processes.

The Privacy Rule permits a covered entity to assign this function to a HIO, acting as its business associate, so long as the re levant standards are complied with. For example, a covered entity could use the HIO to assign the appropriate credentials and authenticate personal representatives, a nd any others, seeking access to PHI.   The HIPAA Privacy Rule’s Right Of Access and Health Information Technology        8             Q3: How may judgments be made electronically about denial of access under the HIPAA Privacy Rule?

A3: The Privacy Rule differentiates between two types of denial, reviewable and unreviewable. See 45 C.F.R. § 164.524(a)(2), (3). As to the unreviewable grounds for denial, there are essentially two deci sions a covered entity will need to make with respect to electronic access: 1) whether it may deny access based on one or more of the grounds identified by the Privacy Rule; and 2) how to implement such decisions categorically in the electronic environment. A covered entity may decide, for example, to categorically deny access to certain types of information to which no access right exists, such as psychotherapy notes. The Privacy Rule would permit denial without review, and a case-by-case judgment would not be necessary. Similarly, the covered entity may make such a system-wide decision with respect to othe r types of protected health information where the Privacy Rule permits an unreviewable denial of access.

In contrast, reviewable grounds for denial of access require decisions be made on a case-by-case basis through the professional judgment of licensed health care providers. Professional judgment also woul d be required if individuals exercise their right to appeal a denial of access made on reviewable grounds. As computer logic cannot be a substitute for professiona l judgment in these cases, these types of activities cannot be carried out categorically or in an automated way. Neither could these decisions be delegated to a health information organization (HIO), unless a licensed health care professional at the HIO were assigned the task of making the access determinations.

Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!