(D) Individual
patient right to access protected health information
(1) Individual rights: Individuals
, or their personal representative as defined by HIPAA
regulations, have a right to have access,
to
inspect and/or obtain a copy of their medical record (PHI)
about the individual in a designated record set, for as
long as the PHI is maintained in the designated record set, through a
written request. This does not mean that the covered components must provide
original records or permit unsupervised access to a record containing health
information. An individual does not have the right to access, inspect or obtain
a copy of their medical records in the following instances:
(a) Where the request is for access to
psychotherapy notes that are maintained separately from the medical
record.
(b) Where the access
pertains to information compiled in reasonable anticipation of, or for use in a
civil, criminal or administrative action or proceeding.
While present and under care at a university of Toledo
UToledo covered component and with assistance by a
clinical caregiver, a patient or their authorized representatives may view
their medical record.
Patients may request to access or obtain copies of their
medical record by providing HIM with a signed HIPAA authorization to release
form obtained from HIM. HIM will coordinate with the revenue cycle department
with respect to requests concerning billing information records. HIM will
verify the identity of the individual making the request using any or all of
the following:
(a) Comparison of
signature on the authorization to release form with the signature on
file.
(b) Comparison of address on
request form with address on file where copies of the medical record are to be
sent by mail.
(c) A government
issued picture ID such as a driver's license or state-issued ID card may be
used as verification.
(d) When an
executor of an estate or durable power of attorney request is made, the
appropriate legal documents must be submitted as verification.
(e) Request for deceased patient accounts
without an executor/ executrix must obtain a state of Ohio document certifying
legal authority over the estate.
(2) Denial of request for access
:
The university
UToledo and its covered components under certain
limited circumstances may deny an individual's request for access to all or a
portion of the PHI requested. In some of these circumstances, an individual has
a right to have the denial reviewed by a licensed healthcare professional
designated by the covered entity who did not participated in the original
decision to deny.
(a) A denial of access is
not subject to review in the following instances:
(i) The request is for psychotherapy notes,
or information copied in reasonable anticipation of, or for use in, a legal
proceeding.
(ii) An inmate requests
a copy of the PHI held by a covered entity that is a correctional institution,
or healthcare provider acting under the direction of the institution, and
providing the copy would jeopardize the health, safety, security, custody, or
rehabilitation of the
inmate
individual or other inmates, or the safety of
correctional officers
any officer, employees, or other persons at the
institution or responsible for the transporting of the inmate. However, in
these cases, an inmate retains the right to inspect the PHI.
(iii) Concerning a temporary suspension of
access to information created or obtained in connection with the individual's
participation in a research study that includes treatment if the individual has
agreed to be denied access and is informed that access will be reinstated at
the completion of the study.
(a) Where the
request is for PHI that was originally obtained from someone other than a
healthcare provider under a promise of confidentiality and thus providing the
access would
reasonably likely reveal the source
of information.
(b) Where the PHI
is contained in records that are subject to the Federal Privacy Act and a
denial would fulfill the requirements of such law.
(b) Denial of access is subject to
review where a licensed healthcare provider in the exercise of professional
judgment has decided that:
(i) The request is
reasonably likely to endanger the life or physical safety of the individual or
another person. The ground for denial does not extend to concerns about
psychological or emotional harm (e.g., concerns that the individual will not be
able to understand the information or may be upset by it).
(ii) The request includes information which
makes reference to other person(s) other than a healthcare provider and is
likely to cause substantial harm to that person if access is granted.
(iii) The request was made by the
individual's personal representative and such release would harm the patient or
another person.
(3) Review of denials: Individuals may
request a review of a decision to deny access to protected health information.
Only denials made in exercise of professional judgment by a healthcare provider
as outlined in paragraph (D)(2)(b) of this rule are subject to review.
Licensed healthcare professionals who were not directly
involved in the initial decision to deny may conduct the review. The chief
medical officer and/or chief of staff will serve as review officers. The review
officers will promptly evaluate requests for reviews using the standards set
forth in paragraph (D)(2)(b) of this rule, including a
determination if the request may be granted in whole or in part. A
written notice will be provided to the individual about the final decision of
the reviewing officers and other action(s) to be taken if any. The decision of
the reviewing officers is final and not subject to appeal.
(4) Notification: Individuals will be
notified about the status of their requests within thirty days from the date of
receipt of the request. The notification will inform the individual whether all
or part of the request has been granted or denied and what actions if any,
needs to be taken by the individual.
Where the hybrid and affiliated covered entity is unable to
respond to a request for access within thirty days after receipt, the
individual will be notified in writing stating the reason for the delay. The
notification will include an estimated date of response which will not exceed
sixty days from the date of receipt of the initial request for access.
Where the request for access is denied, a written notification
will include the basis for denial, a statement of the individual's right for
review if applicable and process for exercising those rights. The statement
will also include information on how to file a complaint with the hybrid and
affiliated covered entity including the title and phone number of the officer
authorized to receive such complaints at the entity and the secretary of health
and human services.
Where the information requested is not maintained by the hybrid
and affiliated covered entity but the entity has knowledge of where the
information is located, the individual will be directed to such entity
accordingly.
(5) Form of
access: If a request for access is granted, the entity will provide the
individual with access in the form or the format requested if the information
is readily producible in such form or format. If the information is not
producible in the format or form requested, a readable hard copy or other
format as agreed will be provided.
(6) Fees: copy fees for records include the
cost of labor, supplies and postage if the copies are to be mailed. Fee
calculations cannot include costs for certain types of labor, such as search
and retrieval, or other costs not permitted by HIPAA even if authorized by
state law. Covered entities and business associates must be aware that
reasonable fees for this service are defined solely by HIPAA and
state-authorized fees may not be considered reasonable. Patient may inspect
their record at no charge.
(7) Copy
charges apply for records that are requested for non-patient care reasons,
which is defined as anything other than treatment, payment or
operations.
(8) Documentation: the
hybrid and affiliated covered entity will maintain documentation sufficient to
meet its burden of proof regarding designated record sets that are subject to
access by individuals and the titles of the persons or offices responsible for
receiving and processing requests for access by
individuals.
