The Health Insurance Portability and Accountability Act (HIPAA) contains administrative simplification provisions that are designed to encourage health care providers and health plans to process health claims and payments (and to perform other administrative functions) electronically, using standard transactions and uniform code sets. The administrative simplification provisions also include privacy and security safeguards for protected health information (PHI) held by health care providers, insured or self-insured health plans or billing clearinghouses (collectively referred to as covered entities).
A. Right to Amend PHI
The HIPAA privacy regulations grant an individual the right to inspect and to obtain a copy of the individual’s PHI. Only very limited categories of PHI are excepted (e.g., psychotherapy notes). The HIPAA privacy regulations also grant individuals the right to request amendment of PHI.
A covered entity may deny a request for amendment only if the PHI:
1. Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
2. Is not subject to the individual’s right to inspect and to obtain a copy; or
3. Is accurate and complete.
If the covered entity denies the request for amendment, it must provide a denial that is written in plain language, states the basis for the denial, and informs the individual of the right to submit a written statement that the individual disagrees with the denial. In addition, the denial must state that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity include the request for amendment and the denial with any future disclosures of the PHI in question.
Finally, the denial must include a description of how the individual may complain to the covered entity or to the Secretary of Health and Human Services, including the name or title and the telephone number of the person or office designated by the covered entity to receive complaints.
If the individual files a statement of disagreement, the covered entity may file a written rebuttal. The covered entity must append or otherwise link to the PHI the request for amendment, any denial of the request, any statement of disagreement, and any rebuttal statement.
On the other hand, if a covered entity grants a request for amendment of PHI, the covered entity must inform the individual that the amendment has been made, and have the individual identify any other covered entities with which the amendment needs to be shared. The covered entity must also make reasonable efforts to inform, and to provide the amendment to, persons identified by the individual as having received PHI and needing the amendment, and persons that the covered entity knows have the PHI and that may have relied on such information to the detriment of the individual.
Patients and health plan participants who take advantage of the right to inspect and to copy PHI may also be inclined to take advantage of the right to request amendment, especially if the PHI includes subjective characterizations or references to suspected but unconfirmed substance abuse, mental disorders, violence, or similar statements that may cause offense or be perceived as casting the patient or plan participant in a poor light.
B. Right to an Accounting of Disclosures
Under the HIPAA privacy regulations, an individual also has the right to receive an accounting of the covered entity’s disclosures of PHI.
The individual does not have a right to receive an accounting of disclosures:
1. For treatment, payment, or health care operations;
2. To the individual;
3. For a facility directory or to persons involved in the individual’s care;
4. That occurred prior to the compliance date for the covered entity;
5. For certain national security, intelligence, and law enforcement purposes; or
6. Made pursuant to an authorization signed by the individual.
The accounting must include:
1. The date of the disclosure;
2. The name of the entity or person who received the PHI and, if known, the address of such entity or person;
3. A brief description of the PHI disclosed; and
4. A brief statement of the purpose of the disclosure or, in lieu of such statement, a copy of the individual’s authorization or a written request for disclosure.
This requirement will be new to many health care providers and health plans. Compliance may require changes to software or hardware to permit the covered entity to track disclosures, to distinguish those that must be included in an accounting from those that need not be, and to capture the information that must be included in the accounting, such as the description of the PHI disclosed and the purpose of the disclosure.
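The following is an added illustration (not code from the article) of what the tracking described above looks like in software: a disclosure log record carrying the four required accounting items, an accountability test that applies the six exclusions and the compliance-date cutoff, and a generator that fails closed when a record lacks its purpose evidence. The purpose category keys, field names, sample recipients and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Purposes the article lists as exempt from accounting (constructed category keys).
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations",        # exclusion 1
    "to_individual", "facility_directory", "involved_in_care",  # exclusions 2, 3
    "national_security", "intelligence", "law_enforcement",  # exclusion 5
    "individual_authorization",                              # exclusion 6
})

@dataclass(frozen=True)
class Disclosure:
    """One record written when PHI leaves the covered entity; fields mirror the four accounting items."""
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]            # only if known
    phi_description: str                        # brief description of the PHI disclosed
    purpose: str                                # category key tested against EXEMPT_PURPOSES
    purpose_statement: Optional[str] = None     # brief statement of purpose, or ...
    written_request_ref: Optional[str] = None   # ... pointer to the authorization / written request

def is_accountable(d: Disclosure, compliance_date: date) -> bool:
    """Exclusion 4 (pre-compliance-date) plus the purpose-based exclusions."""
    return d.disclosed_on >= compliance_date and d.purpose not in EXEMPT_PURPOSES

def build_accounting(log, compliance_date: date) -> list:
    """Accounting entries oldest first; fail closed on a record missing its purpose evidence."""
    entries = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if not is_accountable(d, compliance_date):
            continue
        if not (d.purpose_statement or d.written_request_ref):
            raise ValueError(f"disclosure of {d.disclosed_on} lacks a purpose statement or request copy")
        entries.append({"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                        "address": d.recipient_address, "phi": d.phi_description,
                        "purpose": d.purpose_statement or f"see written request {d.written_request_ref}"})
    return entries

# Constructed sample log (fictional recipients and dates).
SAMPLE_LOG = [
    Disclosure(date(2002, 11, 2), "Dr. Example", None, "visit notes", "treatment", "care coordination"),
    Disclosure(date(2003, 6, 9), "Researcher X", None, "full chart", "research", None, "REQ-0042"),
    Disclosure(date(2003, 3, 1), "County Health Dept", "1 Main St", "lab result", "public_health", "reportable disease"),
    Disclosure(date(2003, 1, 15), "Insurer Y", "PO Box 9", "claim detail", "payment", "claim adjudication"),
]
INCOMPLETE_LOG = [Disclosure(date(2003, 5, 5), "Vendor Z", None, "billing file", "other", None, None)]
def accounting_from(iso_date: str, log=SAMPLE_LOG) -> list:
    return build_accounting(log, date.fromisoformat(iso_date))
```

Moving the compliance date forward drops earlier disclosures from the accounting without deleting them from the log, which is the distinction the text draws between tracking every disclosure and reporting only the accountable ones.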
Many of the individual rights provisions of the HIPAA administrative simplification requirements not only grant rights to individuals, but also impose significant compliance burdens on health care providers and health plans. Patients and health plan participants are also likely to be more aware of the rights created by HIPAA, because those rights must be described in each covered entity’s Notice of Privacy Practices. Further, covered entities will need to have policies and procedures in place to ensure that they will be able to do what the individual rights provisions require, in the time allowed.
In addition, although HIPAA administrative simplification does not address the content of patients’ and plan participants’ records, covered entities should consider whether to adjust their policies as to what is appropriately included in their records to minimize possible problems when patients and plan participants inspect them.