REFLECTIVE JOURNAL

Chapter 15: Access, Use,
and Disclosure of Health Information

Fundamentals of for Health Informatics and Information Management, Third Edition

Review of Terms—Access, Use, and Disclosure
HIPAA definitions
Access: Right of an individual to inspect and obtain a copy of his or her own health information that is contained in a designated record set
Use: Sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information
Disclosure: Release, transfer, provision of, access to or divulging in any other manner of information outside the entity holding the information

2

Release of Information
Release of information differs from disclosure
Refers to providing access to PHI to an individual or entity authorized to receive or review it

Ownership and Control of Health Record and Health Information
Who owns the health/medical record?
Primary data source vs. secondary data
What right does the patient have to their primary and secondary data?

Access to Patient Health Information
Federal regulations: HIPAA
Individual has certain rights to access, use, and disclose his or her protected health information (PHI)
Authorization and accounting of disclosure requirements—See HITECH
ONC offers guidance for patients to opt in or opt out of sharing information with HIEs
Most state regulations provide patients right to access their health information and protect patient confidentiality

5

Who Can Access Health
Information?
Competent adult
Age of majority
Individual’s authorized personal representative
Individual who holds persons
Durable power of attorney (DPOA) or
Durable power of attorney for healthcare decisions (DPOA-HCD)

Who Can Access Health
Information?
Competent adult
Uniform Health-Care Decision Act
Surrogate or next of kin
Decision making priority
Spouse
Adult child
Parent
Adult sibling
Adult nonrelative familiar with patient
Court appointed individual

Who Can Access Health Information?
Incompetent adult
Age of majority but is incapacitated
Court must legally deem person incompetent and appoint legal guardian who may be spouse, parent, sibling, agent, attorney, or surrogate.
Rights of competent adult or legal guardian of incompetent adult
To request, receive, examine, copy and authorize disclosure/release of PHI

Who Can Access Health
Information?
Minors
Individuals under the age of 18 who are not legally emancipated (declared an adult) by the court require parental authorization
Minor is considered legally incompetent and unable to make decisions regarding treatment or handling of health information unless, per state law, a minor can consent to treatment for abortions, mental health, substance abuse treatment, or venereal disease treatment. In those cases, they can authorize access, use, and disclosure of their own healthcare information.

Who Can Access Health Information?
Minors
Parental authorization typically required as recognized by law
Married biological parents
Separated or divorced biological parent(s)
Adoptive parents
Foster parents
Grandparents
Legal guardians
Relative with guardianship while parent is overseas or in service
State law defines parent who can sign

Who Can Access Health Information?
Parental authorization not required
Emancipated minor: Under the age of majority and self-supporting with parents who have surrendered their rights of custody, care, and support
Minor who is married or previously married
Minor in the military
Minor who is a parent of a child
Minor who reaches age of majority while under treatment
Minor treated for drug or alcohol dependency, mental health, STDs or HIV/AIDS, contraception and abortion per state laws

Who Can Access Health Information?
Rights of a noncustodial parent or others
Parent who does not have legal custody of the child
Legally endowed with parental rights which allow access unless stated otherwise by state law
Scenario: Father seeks medical records of his child. It is learned that the father has visitation rights with the child, but is the non-custodial parent. Should the requested records be given to him?

Who Can Access Health Information?
Best practice regardless of person’s age or competence
Minors: In case of noncustodial parent, seek authorization whenever possible
Emancipated minor: Request copy of court order and/or other proof that minor is emancipated
Incompetent adult: Require legal documentation of the incompetent adult’s legal position and the reason the adult is unable to sign the authorization along with documentation of the personal representative’s authority to access or authorize disclosure of the incompetent adult’s PHI

Who Can Access Health
Information?
Employer, employee and other workforce members
By nature of job or work relationship access may occur
Employers
Employees
Physicians
Students
Attorneys
Vendors
Need specific rules as to who in workforce may access, who has legitimate right
See HIPAA and state regulations

Types of Sensitive Health
Information
Behavioral (mental) health information
Substance (alcohol and drug) abuse records
HIV/AIDS records
Genetic information
Adoption information

Specific authorization required

Behavioral Health Records
General rule: Mental health information is to be kept confidential
What state law says: (insert state law)
Provides protections
Provides exceptions

Behavioral Health Records (continued)
Requests by patients
Historically, denied (believed injurious to their mental health)
Today, facility policies may still provide for asking the physician first
Some states specifically grant right of access to patient, which is consistent with HIPAA Privacy Rule

Insert state law where applicable
17

Behavioral Health Records (continued)
Requests by others
Right of access is generally per state statute (insert law)
Factors to consider:
Authorization form shall specify that release of behavioral health information is authorized
Identity of mental health patients are often protected by state statute. Why? How has HIPAA changed this?
State statute must comply with HIPAA

Behavioral Health Records (continued)
Duty to warn
Required under certain circumstances
State laws may permit or even compel psychologists and psychiatrists to use their discretion to warn intended victims of potential harm without the patient’s authorization.
Tarasoff vs. the Regents of the University of California

Substance Abuse Records
Governed by federal law
Agency charged with oversight Substance Abuse and Mental Health Services Administration (SAMHSA )
Drug Abuse Prevention, Treatment and Rehabilitation Act of 1972
Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970
Protect confidentiality of patients seeking substance abuse treatment

Substance Abuse Records (continued)
Federal laws apply to:
Any “federally assisted” drug and alcohol programs (broadly defined)
“Programs” providing diagnosis, treatment or referral for drug and alcohol abuse (also broadly defined)
Entity dedicated to these services
Unit of a general medical facility dedicated to these services
Medical personnel with primary function to provide these services

Substance Abuse Records (continued)
Federal law
Protects the identity of substance abuse patients (not just their clinical information)
Form shall specify release of substance abuse information is authorized; must contain certain items to be valid
If minor can consent to treatment per state law, minor authorizes release of the records
Limited exceptions to authorization requirement: medical emergency, scientific research, audits, program evaluation, court order, suspected child abuse
If federal and state law conflict, the most restrictive (most protective of patient confidentiality) wins
Efforts to update regulations in progress

HIV/AIDS
Competing interests
Patient with a need for heightened sensitivity
Healthcare providers who need to protect selves while also providing care
Government, which needs access for research and to monitor its spread
Third parties who may be exposed to the disease

HIV/AIDS (continued)
General rule: HIV/AIDS information is to be kept confidential
Example of an HIV/AIDS state law that
Provides protections
Then provides exceptions
Wrongful disclosure leads to civil penalties
Example: Ohio law protects
ID of individual receiving HIV test
Results of HIV test in form that IDs individual
ID of individual diagnosed with AIDS or AIDS related condition (ARC)

Insert state law
24

HIV/AIDS (continued)
HIV (+) healthcare providers. To disclose or not to disclose?
CDC guidelines:
If known before treatment: Yes, if invasive, exposure-prone procedure
If learned after treatment: Case by case basis
HIV acquired through blood transfusion. To disclose or not disclose the donor?
Courts are split
No: Otherwise, will deter needed donations due to donors’ fear of inquiry into private lives
Yes: Patient interest in discovering donor outweighs donor’s privacy rights
Specific HIV policies and procedures are key to proper protection and disclosure (keeping in mind both state law and HIPAA)

Genetic Information
Possible because of Human Genome Project led by National Human Genome Research Institute
Powerful potential use of genetic information requires need to protect information

Genetic Information (continued)
Potential problems with misuse of genetic information
Insurers to deny, limit, or cancel health insurance
Raise premiums
Employers may discriminate against individual in workplace

Genetic Information (continued)
Genetic Information Nondiscrimination Act (GINA) of 2008
Prohibits discrimination by health insurers and employers based on genetic information
Title I effective, December 7, 2009, focuses on genetic nondiscrimination in health insurance and states that health plans may not use genetic information to make eligibility, coverage, underwriting, or premium-setting decisions

Genetic Information (continued)
Title I of GINA modifies the HIPAA Privacy Rule
Genetic information is health information and prohibits the use and disclosure of genetic information by covered health plans for underwriting purposes
Two exceptions:
Health insurers may request genetic information in the case that coverage of a particular claim would only be appropriate if there is a known genetic risk.
When working in collaboration with external research entities, health insurers may request (but not require) in writing that an individual undergo a genetic test. The individual may do so voluntarily, but refusal to participate will have no negative effect on his or her premium or enrollment status. The collected genetic information may be used for research purposes only and not for underwriting decisions.

Genetic Information (continued)
Title II of GINA—Responsibility of the Equal Employment Opportunity Commission (EEOC), and final regulations effective January 10, 2011 (29 CFR Part 1635).
Prohibits the use of genetic information in making employment decisions, restricts employers and other entities covered by Title II (employment agencies, labor organizations, and joint labor-management training and apprenticeship programs—referred to as “covered entities”) from requesting, requiring, or purchasing genetic information, and strictly limits the disclosure of genetic information

Genetic Information (continued)
State genetic laws
Statutory or regulatory provisions that safeguard genetic information and prohibit discrimination in employment and insurance benefits based on genetic information and mandatory genetic testing for employment and insurance purposes.
Degree of protection provided by states varies. Some state provisions are less protective than GINA, and some more protective. All entities that are subject to GINA must, at a minimum, comply with applicable GINA requirements as well as more protective state laws.
The National Conference of State Legislatures (NCSL) maintains information about current issues facing states, including those surrounding genetic privacy laws. Current state genetic privacy laws are summarized in a table on the NCSL website.

Genetic Information (continued)
Precision Medicine Initiative 2016
Goal to speed up patient-centered biomedical discoveries using genetic information
Set privacy protections in place and ways for patients to participate but still retain control over use of information

Adoption
Adoption: Legal status in which the parental rights and responsibilities of one set of parents are legally terminated and a new parental relationship is established by law
Parties to an adoption are
Adopted individual (adoptee), biological (natural, birth) parents, and adoptive parent(s)
Rights of each must be considered in light of access to health information
Adoption records include public and nonpublic documents (original sealed birth certificate, court documents relating to the adoption process, and records of the adoption agency and/or attorneys involved in the adoption)

Adoption Information
Adoption records: Considered confidential by most state laws
However, most states require that adoptive parents receive specific health information about the adoptee
“Medical necessity” generally satisfies “good cause” requirement to release adoption records containing medical information.

Release of Information on
Adoptive Person
Biological parents: Relinquished their parental rights
Refer requests to adoption agency
Adoptive parents: May inspect minor adoptee’s medical records after all identifying information regarding biological parents has been redacted
After age of majority, right belongs solely to the adoptee (adult adoptees can access their own medical records, with information about biological parents removed)
Minor adoptees tracing their biological parents should be referred to the adoption agency

Disclosure of Active Records of Currently Hospitalized or Ambulatory Care Patients

A currently hospitalized patient (inpatient) or a patient currently being seen in a clinic setting (outpatient) or their personal representative may access, inspect, obtain a copy of, or disclose PHI from the patient’s record.
Active record is a term used to denote the health records of individuals who are currently hospitalized inpatients or outpatients.
If an active inpatient or outpatient wishes to access, copy, or disclose his or her PHI, healthcare provider should follow the same policies and procedures that are in place for allowing the access, copying, and disclosure of PHI for patients not currently hospitalized or being treated as an outpatient.

Deceased Patients

Access or disclosure of patient information on deceased patient usually determined by state law
HIPAA: Individual has the same privacy rights in death as they did in life but leaves it up to states in terms of who qualifies as deceased person’s legal representative for access, use, and disclosure purposes
Legal executor or administrator of the estate has first rights to access deceased’s PHI or records
In absence of executor rely on UHCDA in identifying next-of-kin priority
Other states require that these individuals become the deceased’s official personal representative through appointment by a probate court or court order

Deceased Patients (continued)
HITECH changes to HIPAA Privacy Rule related to deceased patients provide for additional flexibility in the disclosure of PHI by
(1) Removing the PHI status from health records 50 years following the patient’s death and
(2) Permitting CEs to disclose decedent records to family members and others involved in the patient’s care or payment of care unless doing so would be inconsistent with any known preference of the patient

38

Deceased Patients (continued)
Final Rule murky on how to determine if records should be released
Up to CE to have “reasonable assurance” that the person requesting the record has a legitimate right to access it
Best practice: Suggest healthcare providers require requesters to show proof of relationship to the decedent or present court-authorized documentation showing authority to access the deceased individual’s PHI

Disclosure of Information for Autopsy

Autopsies performed to determine cause of death
Objectionable to some religions and cultures
Consent to autopsy required except where autopsy is needed to determine cause of death for public policy purposes
Privacy Rule allows release of PHI without authorization to a medical examiner or coroner for purpose of identifying deceased person, determining cause of death, and other authorized purposes
If the death of the individual is not a medical examiner or coroner’s case, the surviving spouse or descendents of the deceased may authorize the autopsy.
Healthcare organization should require that an authorization form be completed and retained in the health record for evidentiary purposes.

40

Open Records, Public Records or Freedom of Information s
Also called “sunshine laws”
At both federal and state levels
Federal: Freedom of Information Act (FOIA)
State Public Records Act
Provide for scrutiny of records created by public employees. Why?

Employee Health or Occupational Safety and Health Records

Employee health records or occupational safety and health records kept on employees as part of employment contain any and all information related to items such as medical tests, drug tests, examinations, physical abilities, immunizations, screenings required by law, biohazardous exposure, and physical limitations
Federal and state regulations governing health records
Americans with Disabilities Act
SAMHSA
OSHA

Employee Health or Occupational Safety and Health Records (continued)
Employees have a right to access results of drug testing as well as their employee health record under applicable state laws and federal Occupational Safety and Health Administration (OSHA) regulations (29 CFR 1910.20)
Regulations ensure employee (or designated representative) is given access to his or her own health and exposure records within 15 days of a request
Other state regulations may be stricter and preempt the OSHA rule

Employee Health or Occupational Safety and Health Records (continued)
Employees should be told in advance what health records are maintained on them and notified of any release of such records
Occupational health providers who are CEs must abide by HIPAA rules and obtain patient authorization (or make reasonable efforts to do so) before disclosing health information from an employee health record.

Antiterrorism Initiatives
Patriot Act of 2001 enacted to deter and punish terrorist acts in US and around the world and to enhance law enforcement investigations.
Gives director of FBI or designee right to apply for a production order through the court system to produce tangible items such as documents and records
Provides sanctions for any unauthorized disclosures of the information obtained by others not involved in investigation
A healthcare provider who in good faith provided information requested under order would not be held liable for releasing the information

Antiterrorism Initiatives (continued)
Homeland Security Act of 2002—Designed to prevent terrorist attacks in the US while reducing vulnerability to terrorism, minimizing its damages, and assisting in recovery from attacks in US
Gives secretary of Homeland Security authority to access information that would include PHI without the authorization of the patient or personal representative

Syndromic Surveillance
Systematic gathering and analysis of prediagnostic health data to rapidly detect clusters of symptoms and health complaints that might indicate an infectious-disease outbreak or other public health threat
Federal and state public health reporting
Provide public health officials with necessary information to help detect bioterrorism threats and sudden outbreaks of diseases
Use Electronic Surveillance System for the Early
Notification of Community Based Epidemics (ESSENCE)

Consumer Reporting Agencies
Companies that regularly assemble or evaluate consumer information for the purpose of producing reports
Credit information: Equifax, Experian, TransUnion
Health information: Medical Information Bureau (MIB)

48

Consumer Reporting Agencies (continued)
Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Protects consumers against misuse of health information, amended Fair Credit Reporting Act (FCRA) (15 USC 1681), related to obtaining and using medical (health) information in connection with credit eligibility determination
Prohibits creditor from obtaining and using medical information to decide consumer’s credit eligibility
Creditor can obtain and use financial information related to medical debts, expenses, or income, consumer (a patient) must authorize for consumer reporting agency to share medical information with employers for employment or insurance purposes

Other Access, Requests, Disclosure Situations
Laboratory test results: Clinical Laboratory Improvements Amendments (CLIA)
Laboratories only to disclose test results or reports to an “authorized person,” who ordered test, unless state law states otherwise. Individual who is the subject of information is not authorized to immediately and directly receive his or her laboratory test results unless defined by state law
Access to the individual’s clinical laboratory information will occur through the provider who ordered the test(s)

Other Access, Requests, Disclosure Situations (continued)
Insurance companies and government agencies payment requests
HIPAA Privacy Rule, requests for payment purposes, including utilization review and medical necessity review, do not require authorization if the information is for the payment of a specific episode of care (45 CFR 164.506)
Other information requests require patient authorization
Medical emergencies
Obligation is to treat the patient and provide whatever information is necessary. This usually entails disclosing patient information without authorization

Public Figures/Celebrities
Special procedures must be implemented to protect patient confidentiality
HIPAA: Directory; general information released only with authorization
Omission of name from record, code name or alias
Computer access and paper record access restricted on need-to-know basis
Designated spokesperson to address media questions
Staff training and nondisclosure statements

Social Security Administration and State Disability Determination Services
Federal and state governments rehabilitation and disability (physical and mental) services administered by Social Security Administration (SSA) and state disability determination services (SDDS)
To defray costs and expedite the review process, SSA and SDDS implemented Electronic Records Express (ERE) initiative; offers providers secure electronic options for submitting records related to disability claims
Claimant voluntarily authorizes the sending of all medical, school, and other records and information related to his or her case to the SSA and the state agency authorized to process the case by signing HIPAA compliant disclosure form SSA-827

Health Information Handlers: Payment Integrity Review Contractors and Health Information Exchanges
HIH organization handles information on behalf of a provider (e.g. ROI vendor, HIE, and EHR vendor)
Maybe covered entities, business associates, or business associate subcontractors that have agreements with providers to access, use, and/or disclose PHI
Medicare Fee-for-Service programs are not required to provide authorization for disclosure of PHI (e.g. RAC, MAC, ZPIC, etc.)
Providers may respond to review contractors online through new mechanism
Electronic Submission of Medical Documentation (esMD) enables review contractors to send their requests for medical documentation electronically, thus eliminating the paper request

Managing the Release of Information Process
Legal health record vs. designated record set
What to do with information from other sites?
Whose responsible for disclosing information?

Types of Request
Verification of requester
Validity of authorization
Mail request
Telephone request
Electronic requests: Fax, Internet
Walk-in request
On-site request
Fax request, request to send information electronically

Determining if Disclosure is Appropriate
Is request HIPAA or state compliant?
What content should be released?
What department should disclose information?

Subpoena or Court Order
Subpoena used to compel one’s appearance at a certain time and place to testify or produce documents or other tangible items (subpoena duces tecum—“bring with”) during discovery process or at trial
Issued by a court, grand jury, lawyer representing a party in a civil or criminal lawsuit, or by a government agency
Court order issued by a judge that compels a certain action, such as testimony or the production of documents such as health records

ROI Reimbursement & Fee Structure

ROI function of doing business
Federal regulations address cost for ROI
HIPAA permits reasonable charges for labor, postage, etc. (see figures 15.3, 15.4)
Other federal program set fees: CMS, QIO, OSHA, etc.
State regulations on costs for ROI
See figure 15.5
See state medical record copying charges at http://www.lamblawoffice.com/medical-records-copying-charges.html

Accounting of Disclosure and Tracking Releases

Privacy Rule requires the tracking and accounting of disclosures of PHI, as discussed in chapter 11.
Requirement currently includes all disclosures made in writing, electronically, by telephone, and orally, but does have some exceptions.

Continue to order Get a quote

Calculate the price of your order

Type of paper needed:

Pages:

550 words

Academic level:

We'll send you the first draft for approval by September 11, 2018 at 10:52 AM

Total price:

$26

The price is based on these factors:

Academic level

Number of pages

Urgency

Basic features

Free title page and bibliography
Unlimited revisions
Plagiarism-free guarantee
Money-back guarantee
24/7 support

On-demand options

Writer’s samples
Part-by-part delivery
Overnight delivery
Copies of used sources
Expert Proofreading

Paper format

275 words per page
12 pt Arial/Times New Roman
Double line spacing
Any citation style (APA, MLA, Chicago/Turabian, Harvard)

REFLECTIVE JOURNAL

Products

Recent Posts

Calculate the price of your order

Our guarantees

Money-back guarantee

Zero-plagiarism guarantee

Free-revision policy

Privacy policy

Fair-cooperation guarantee