TWO MIDNIGHT RULE FIGHT
Law suits continue with HHS under its Two-Midnight Rule, that has resulted in reimbursement cuts for hospitals. Fifty more hospitals have filed or joined in law suits that call the HHS’s rule, its enforcement, and the financial estimates used in the rule as arbitrary and capricious.
MY RIGHT TO MY DATA
Federal and state laws, including HIPAA, not only are intended to provide privacy safe guards for patient data, but also often include provisions that give patients rights to access their PHI. OCR released an FAQ document and a facts sheet intended to bring attention to patient rights to access their healthcare information. It will be interesting to see how hospitals and insurers react to the OCR initiative to allow patients to look at their own information and help insure its accuracy and truthfulness.
FAQ’s and other guidance with regard to patient PHI access rights add details. In addition to state law requirements, HIPAA specifically requires covered entities to provide individuals upon their request with access to PHI about them in one or more “designated record sets”. Patient rights include inspection, copying, or both, as well as the right to direct a covered entity to transmit a copy to another person or entity.
Designated records sets include:
- Medical records and billing records about individuals;
- Enrollment, payment, claims adjudication and case or medical record management systems maintain by or for a health plan;
- Other records that are used by a covered entity to make decisions about individuals. This includes records that are used to make decisions about any individuals whether or not the records have been used to make a decision about the particular individual requesting access;
- Records include any item collection or grouping of information that includes PHI and has been maintained, collected, used, or disseminated by a covered entity.
The only information excluded is:
- Quality assessment and improvement records, patient safety activity records, business planning, etc. Another example would a hospital’s peer review files.
- Psychotherapy notes, etc.
- Information compiled with a reasonable expectation of use in litigation
Note that the individual also has the right to access PHI about themselves in a designated record set maintained by a business associate on behalf of a covered entity. This means, that if you have business associates (BA) serving you, which have PHI about your patient set, an access request to you must also be transmitted to your business associate, and such information from the BA must be included in your response. Note that this information includes the right to access genomic information from a critical lab.
Usually, there must be a response to a PHI access request within thirty days after receipt of a request.
Finally, avoid unreasonable measures. You may not require a person requesting their PHI to appear personally at your office to sign forms to request their information be mailed to them. Nor may you require use of a web portal. Nor may you require that they be mailed if an individual is willing to pick them up. You may also not require the requester to state why they want the information. As the HIPAA Rule makes clear, the PHI is the patients and not the medical providers.
IU HEALTH LAFAYETTE DATA BREACH
Apparently, a USB flash drive containing health information for more than 29,000 patients was lost at Indiana University Health, in Lafayette, Indiana. Reportedly, the patient information did not include SSNs or credit card data. IU Health indicates that they have not yet received any indication of fraudulent use of any patient data. As is usual in these cases, the USB flash drive was not encrypted.
We continue to suggest that all portable devices which can hold PHI be encrypted whether on a flash drive, thumb drive, laptop, tablet, phone, or any similar device.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or email@example.com.