Handout - hipaa cow

Peg Schmidt, RHIA CHPS and Amy Derlink,
RHIA, CHA
April 10, 2015
Step One – Gather the facts
• Who is the requestor?
• Why are they requesting (purpose)?
• What type of PHI are they asking for? (record type)
Step Two – Which law(s) apply?
• Look at the type of record requested and determine which law(s) apply
• Can be multiple
Step Three – Resources
• Copies of laws
• Bookmark WI statutes page http://www.legis.state.wi.us/rsb/stats.html
• HIPAA COW Pre-emption grid
Step Four
• Assume the requestor will require an authorization unless legal exception found
◦ Based on record type, purpose, requestor

Pre-emption – follow greatest protection
Child Protective Services is requesting ED records and tells you that they are investigating suspected child abuse. It identifies the child’s record by name.
Step One – who / why / type of record?
• CPS
• Child abuse investigation
• ED – Patient Health Care Record
Step Two – which laws apply?
• ED record = Patient Health Care Record = §146.82
• HIPAA Privacy Rule also applies
Step Three – resources
• Locate the §146.82 list of exceptions
• Locate the section in Privacy Rule re child abuse §164.512 (b) (1) (ii)
• Pre-emption grid
§146.82 (2) (a) 11
11. To a county department, as defined under s. 48.02 (2g), a
sheriff or police department or a district attorney for
purposes of investigation of threatened or suspected child
abuse or neglect or suspected unborn child abuse or for
purposes of prosecution of alleged child abuse or neglect, if
the person conducting the investigation or prosecution
identifies the subject of the record by name. The health care
provider may release information by initiating contact with a
county department, sheriff or police department or district
attorney without receiving a request for release of the
information. A person to whom a report or record is disclosed
under this subdivision may not further disclose it, except to
the persons, for the purposes and under the conditions
specified in s. 48.981 (7).
HIPAA §164.512(b)(1)(ii)
(b) Standard: uses and disclosures for public
health activities--(1) Permitted disclosures. A
covered entity may disclose protected health
information for the public health activities
and purposes described in this paragraph to:
(ii) A public health authority or other
appropriate government authority authorized
by law to receive reports of child abuse or
neglect;



• Both state law and HIPAA would allow the disclosure without authorization
• Pre-emption directs that we follow state law
• Disclosure to CPS allowable without authorization as long as the subject of the record is identified by name
Subpoenas
• Generally subpoena alone not allowable to disclose
◦ Subpoena signed by a judge = court order
◦ Attorney issued / look for an authorization
◦ Out-of-state generally not valid
• Consider requestor and purpose – does it meet an exception to allow disclosure?


• Department of Safety and Professional Services
• Grand Jury Subpoena
May fit §146.82 (2) (a) 5
5. In response to a written request by any federal or state governmental agency to perform a legally authorized function, …

Court Orders
• Not all court orders are valid
• Determine federal versus state
• Federal court order could be valid in WI even if out-of-state issued
• WI issued court order generally valid
• Out-of-state “state” court orders generally not valid
Omnibus Rule
On January 25, 2014 the DHHS published the Omnibus Final Rule which
modified HIPAA regulations in accordance with HITECH.
45 CFR 164.524 Access of individuals to PHI

• CE must act on a request for access no later than 30 days after receipt of the request as follows.
• If the CE grants the request, in whole or in part, it must:
◦ inform the individual of the acceptance of the request
◦ provide the access requested in the form or format requested IF it is readily producible in such form or format.
◦ If not, in a readable hard copy form as agreed to by CE and individual.
45 CFR 164.524 Access of individuals to PHI

If the CE denies the request, in whole or in part, it must provide the individual with a written denial and
◦ CE to extent possible give the individual access to any other PHI requested after excluding the PHI to which the CE has a ground to deny access
◦ CE must provide a timely, written denial to the individual in plain language and contain:
  – Basis for denial
  – Description of how individual may complain to CE and to whom
45 CFR 164.524 Access of individuals to PHI

What must the patient provide?
◦ A hand written or typed request authorizing the disclosure and the name and address to where information is released
◦ Does not have to be HIPAA compliant or on hospital authorization
◦ Unless sensitive or federally protected information is contained in the record
Result of 164.524 and the individual

• An increase of over 20% of individuals exercising their right of access to a third party
• An increase in number of records pages/image of PHI
History of Fee Provisions
HIPAA HITECH OMNIBUS – copy fees

2003- HIPAA permits a CE to impose reasonable,
cost-based fees including the labor and supply costs
for responding to requests made by an individual
(patient or legal representative) for copies of
protected health information (PHI). CEs are not
permitted to charge for retrieving or handling the
request to the individual.

Fees for copying and postage under state law are
presumed reasonable but no search or retrieval fee
under state law is permitted.
HITECH Act 164.524 (c)(4) Fees

If the individual requests a copy of the PHI or
agrees to a summary of such information, the CE
may impose a reasonable, cost-based fee,
provided that the fee includes only the cost of:
i. Labor for copying the PHI requested by the individual, whether in paper or electronic form;
ii. Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided
iii. Postage, when the individual has requested the copy, or the summary be mailed; and
iv. Preparing an explanation or summary of the PHI, if agreed to by the individual
HIPAA HITECH OMNIBUS – copy fees
HITECH Act - Patient Access to Electronic Health Record (EHR)
Under the HITECH Act, when a CE maintains an EHR with respect to PHI of an individual
• The right to obtain a copy of EHR in electronic
format
• The individual has the right to direct the CE to
transmit such copy directly to an entity or person
designated by the individual, provided that any such
choice is clear, conspicuous and specific
• Any fee that the CE may impose for providing such
information shall not be greater than the entity’s
labor costs in responding to the request.
• The CE disclosing the PHI is required to make the
“minimum necessary” determination for the amount
of information required for the purpose of the
disclosure.
HIPAA HITECH OMNIBUS – copy fees
How did you calculate that labor cost?
What did you do for the hybrid records?
What were the charges?
How many were patient directed requests?
HIPAA HITECH OMNIBUS – copy fees
• Please note that 45 C.F.R. § 164.524(c)(4) does not require that covered entities use a specific method to calculate what constitutes a “reasonable, cost-based fee,” such as multiplying hourly rate of pay for the worker performing the task by the time that worker spent making a copy.
• HIPAA regulations do not prohibit averaging labor and supply costs across all records requests rather than calculating labor time spent for each record request on an individualized basis.
HIPAA HITECH OMNIBUS – copy fees
Omnibus did not provide an equation – so what to consider?
HIPAA HITECH OMNIBUS – copy fees
• [Wis. Stats. §146.83 (3f) (b)] has a mandatory fee for requests and these fees must be charged to the third party as long as the third party requests the record.
• Paper copies: $1.02/pg for pages 1-25; $0.70/pg for pages 26-50; $0.51/pg for pages 51-100; and $0.30/pg for pages 101 +
• Microfiche or microfilm copies: $1.52 per page.
• Print of an X-ray: $10.15 per image.
• A single $8.12 charge for certification of copies, if the requester is not the patient or a person authorized by the patient.
• A single retrieval fee of $20.30 for all copies requested, if the requester is not the patient or a person authorized by the patient.
• Actual shipping costs and any applicable taxes.
• If a patient requests their medical records be sent to a third party via a patient directive (request letter), then the CE must charge patient rates under the Omnibus rule.
HIPAA HITECH OMNIBUS – copy fees
• In states that have a mandatory fee structure,
like WI, CEs must only charge the patient the
lesser rate.
• IOD charges for records delivered through mail on
paper or CD
$0.39/per pg (1-100)
$0.31/per pg (101-200)  Wisconsin state tier
$0.12/ per pg (201+)
*Max charge of $400.00
HIPAA HITECH OMNIBUS – copy fees
• Keep in mind your tiered rate scale and apply those page ranges as set forth in the state
HIPAA HITECH OMNIBUS – copy fees
What were we faced with in ROI as a result of
Omnibus Rule?
Omnibus – copy fee complaints
What are we seeing in ROI?
HIPAA HITECH OMNIBUS – copy fees
• Train ROI Staff
• Need a separate directive by the Patient or personal representative
• HHS has distinguished a patient’s or personal representative’s directive to a covered entity to transmit a copy of protected health information (PHI) to a designated individual as different from an authorization.
– Patient Directive is covered by 45 C.F.R. §164.524(c)(3)(ii)
– Patient authorization is addressed by 45 C.F.R. §164.508(c).
HIPAA HITECH OMNIBUS – copy fees
A directive to transmit a copy of PHI to a designated
individual is “distinct from an authorization form,” such
that a CE is permitted to release information to a third
party pursuant to such a directive without an
accompanying patient authorization, since the request
for information is from the patient himself/herself and not
from a third party.
See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
Notification Rules Under the Health Information Technology for Economic
and Clinical Health Act and the Genetic Nondiscrimination Act; Other
Modifications to the HIPAA Rules (“Omnibus Final Rule”), 78 FR 5566, 5635
(January 25, 2013).
164.524 (c)(4) Fees
45 C.F.R. § 164.524(c)(4) Fees: only applies to requests by
individuals, rather than requests by third parties.
◦ The “individual” is a defined term under HIPAA referring to
“the person who is the subject of protected health
information.” 45 C.F.R. § 160.103.
◦ The fees will also apply to requests by those who qualify as
“personal representatives” under 45 C.F.R. § 164.502(g),
which will not apply to an attorney requestor unless such
attorney “has authority to act on behalf of an individual who is
an adult or an emancipated minor in making decisions related
to health care,” 45 C.F.R. § 164.502(g)(1)(2), which is
generally not the case.
  – POA, Executor of Estate, etc.
HIPAA HITECH OMNIBUS – copy fees
• Scenario: Your facility receives a request from a law firm
with a patient authorization attached. The law firm quotes
the HITECH rule and that they would like a copy of the
electronic record sent to them on a CD at labor costs to
produce the record.
HIPAA HITECH OMNIBUS – copy fees
• Response: “your firm submitted to the CE an executed
authorization from the individual, authorizing the release
of records and your firm requesting a copy of the
individual’s medical records be sent to your law firm.”
• Response: “In accordance with the Omnibus Final Rule, our
facility does not recognize your records request as covered
by 45 C.F.R. §164.524(c)(3)(ii), since HHS guidance is clear
that a directive under 45 C.F.R. §164.524(c)(3)(ii) is
distinct from an authorization. Had your law firm instead
submitted a separate directive compliant with 45 C.F.R.
§164.524(c)(3)(ii), our facility would have processed the
request at patient rates.”
HIPAA HITECH OMNIBUS – copy fees
• Response: Because the request originates from you (a third
party) rather than the individual, the request will be
subject to the fee schedule established under State law at
……. Based on this law, we estimate a charge for this copy
of _____. Please note that, even with an electronic copy,
our facility charges this amount in accordance with State
law to cover the extensive release of information process in
which a professional reviews each page of the requested
records to ensure that only appropriate information is
provided.
HIPAA HITECH OMNIBUS – copy fees
• Response: You indicate that your request falls under the
fee limitations at 42 U.S.C. § 17935(e) of the HITECH Act
and 45 C.F.R. § 164.524(c) of HIPAA. These sections only
pertain to requests by individuals, not requests by third
parties.
– For example, § 164.524(c)(4) states that “[i]f the individual
requests a copy of the PHI,” then the request is subject to certain
fee limitations. On its face, the regulation does not address
requests by persons other than the individual. And while §
164.524(c)(3)(ii) provides that an individual may direct the CE to
transmit a copy of the record to a third party, the subsection
similarly begins with “an individual’s request.” In the preamble
commentary to HIPAA’s 2013 regulatory amendments, HHS makes
plain that § 164.524 only applies when the request was clearly
made by the individual and not a third party:
HIPAA HITECH OMNIBUS – copy fees
• Response: Section 164.524(c)(3) of the Privacy Rule currently
requires the CE to provide the access requested by the
individual in a timely manner, which includes arranging with the
individual for a convenient time and place to inspect or obtain a
copy of the PHI, or mailing the copy of PHI at the individual’s
request. The Department had previously interpreted this
provision as requiring a CE to mail the copy of PHI to an
alternative address requested by the individual, provided the
request was clearly made by the individual and not a third
party. Section 13405(e)(1) of the HITECH Act provides that if the
individual chooses, he or she has a right to direct the CE to
transmit an electronic copy of PHI in an EHR directly to an entity
or person designated by the individual, provided that such
choice is clear, conspicuous, and specific.
HIPAA HITECH OMNIBUS – copy fees
• Response: Based on section 13405(e)(1) of the HITECH Act
and our authority under section 264(c) of HIPAA, we
proposed to expand § 164.524(c)(3) to expressly provide
that, if requested by an individual, a CE must transmit the
copy of PHI directly to another person designated by the
individual. This proposed amendment is consistent with
the Department’s prior interpretation on this issue and
would apply without regard to whether the PHI is in
electronic or paper form.
• Response: Your request, on its face, is clearly from your
law firm rather than from the patient. It is on firm
letterhead, indicates that it is coming from your firm, and is
signed by you. While the request includes a statement that
is signed by the patient, this does not transform the
request into a patient request. To conclude otherwise
would mean that any third party requestor could avoid the
requirements to provide a HIPAA-compliant authorization
(which include substantial content requirements to ensure
the individual’s rights are safeguarded), and could instead
merely add a sentence and the individual’s signature to the
third-party’s request.


HITECH/Omnibus rates only apply to requests from the Individual or his/her Personal Representative
Who is a Personal Representative under HIPAA?
A person authorized (under State or other applicable law, e.g., tribal or military law) to
act on behalf of the individual in making health care related decisions is the individual’s
“personal representative.”
• 45 CFR 164.502(g) requires covered entities to treat an individual’s personal
representative as the individual with respect to uses and disclosures of the
individual’s protected health information, as well as the individual’s rights under the
Rule.
Who are personal representatives?
• Health care POA, Court appointed legal guardian, General POA or durable POA
that includes the power to make health care decisions
• A parent, guardian, or other person acting in loco parentis with legal authority
to make health care decisions on behalf of the minor child
• An Executor or administrator of the estate of a deceased patient
• Next of kin or other family member (if relevant law provides authority)
HIPAA HITECH OMNIBUS – copy fees
• HIPAA defines an “individual” as “the person who is the subject of protected health information.” [5]
• HIPAA further provides that, generally, a covered entity (or its business associate) must “treat a personal representative as the individual for purposes of [the HIPAA administrative simplification regulations].” [6]
• An attorney will only qualify as a personal representative if, under applicable law, the attorney has authority to act on behalf of an individual in making decisions related to health care. [7]
[5] 45 C.F.R. § 160.103 (definition of “individual”).
[6] 45 C.F.R. § 164.502(g)(1).
[7] 45 C.F.R. § 164.502(g)(2), (3), and (4).
HIPAA HITECH OMNIBUS – copy fees
• Be cautious and Read the request letters!
• Look out for:
– Attorney Requests on their letterhead signed by the
patient
– Handwritten patient letters to their attorney
– Handwritten or typed patient letter with attorney
authorization attached
– All = patient directive = actual cost and labor