Access to Designated Record Set: Difference between revisions
No edit summary |
Mhurlocker (talk | contribs) |
||
(14 intermediate revisions by one other user not shown) | |||
Line 14: | Line 14: | ||
<td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | <td style="border-bottom:2px solid #A3B1BF" width="3"> </td> | ||
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td> | <td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td> | ||
<td style="border- | <td style="border-bot9m:2px solid #A3B1BF" width="3"> </td> | ||
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" | <td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" | ||
width="20">[[Business Operations]]</td> | width="20">[[Business Operations]]</td> | ||
Line 30: | Line 30: | ||
Policy No.: '''6059'''<br /> | Policy No.: '''6059'''<br /> | ||
Effective Date: '''03/17/03'''<br /> | Effective Date: '''03/17/03'''<br /> | ||
Revised Date: ''' | Revised Date: '''10/28/22 Draft'''<br /> | ||
Reviewed Date:<br /> | Reviewed Date:<br /> | ||
<big>'''Access and Amendment of Designated Record Set Policy'''</big> | <big>'''Access and Amendment of Designated Record Set Policy'''</big> | ||
==Basis for Policy == | ==Basis for Policy == | ||
It is the policy | Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls. | ||
== | == Policy == | ||
UNMC shall provide | It is the policy of Nebraska Medicine/UNMC to comply with the procedures set forth below.<br /> | ||
== Definitions == | |||
Nebraska Medicine/UNMC shall provide Individuals access to inspect and obtain a copy of Protected Health Information (PHI) contained in the Designated Record Set (DRS) maintained by Nebraska Medicine/UNMC or its business associates, and to request amendment to such information, in accordance with the [https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)]. | |||
==Purpose== | |||
To establish guidelines for individual access to and request for amendment of Protected Health Information (PHI) contained in the Designated Record Set (DRS). | |||
==Procedures== | |||
===Records Designated as Designated Records Set=== | |||
Nebraska Medicine/UNMC designates the following records as its DRS: | |||
#'''Legal Medical Record'''. The Health Information Management Department (HIM) shall manage access to and amendment of the Legal Medical Record. Contents of the Legal Medical Record shall be approved by the Clinical Governance Committee. | |||
#'''Billing Records'''. The DRS billing record includes all of the data elements required on the [ CMS-1500 form] '''( form name and URL please)''' or [ Health Care Financing Administration claim form (HCFA)] '''(URL please)'''. The contents shall be approved by the Nebraska Medicine Chief Financial Officer for UNMC clinical operations using One Chart for patient care. | |||
#Any other record used in whole or in part by or for the covered entity to make decisions about Individuals. | |||
===Access to the Designated Record Set=== | |||
#Individuals have the right to inspect and obtain a copy of PHI about the Individual in their DRS for as long as the PHI is maintained in the DRS, subject to the limitations in Sections 13 and 14 below. | |||
#If the same record that is the subject of the request is maintained in more than one DRS or at more than one location, the department need only produce the record once in response to a request for access. | |||
#'''Initiating a Request'''. Individuals shall complete a [Patient Access Request form (not yet approved)] to inspect and/or obtain a copy of the DRS, and submit it to HIM. HIM is responsible for the processing of all such requests. If the Individual completes an '''[Authorization for Release of Information Form, CON MR 0074] please advise (URL)'''and the recipient is the Individual or a third party designated by the Individual, this will be treated as a request for access. | |||
#'''Review for Completeness'''. When a Patient Access Request or Authorization for Release of Information form is received, HIM shall review the form for completion. If any information is incomplete that is necessary for an access request ('''NOTE:''' some information on the Authorization for Release of Information is not necessary for a request for access), HIM will notify the Individual that they cannot process the incomplete request. HIM should document on the form the attempts to contact the Individual. | |||
#'''Timeframe for Response.''' | |||
#*If examination of the records is requested, Nebraska Medicine/UNMC shall make the records available for inspection within ten (10) days of the date Nebraska Medicine/UNMC received the request. | |||
#*If unusual circumstances have delayed handling the request, HIM may notify the Individual in writing that an extension (not to exceed 21 days) from the original date Nebraska Medicine/UNMC received the complete request is necessary and shall provide the reasons the extension is necessary. The extension notice must state the date by which access or copies will be available. | |||
#'''If copies of the records are requested, Nebraska Medicine/UNMC must produce the requested copies within 30 days of the date Nebraska Medicine/UNMC received the request. No extension of this date is permitted without the Individual’s consent.''' | |||
#*If PHI is maintained electronically in one or more DRS for such Individual and the Individual requests an electronic copy of their information, Nebraska Medicine/UNMC must provide such information to the Individual in the form and format requested by the Individual, if it is readily producible. If Nebraska Medicine/UNMC cannot readily produce it as requested by the Individual, then such information must be produced in a form and format as mutually agreed by the Individual and HIM/UNMC. If HIM/UNMC and the Individual cannot agree on an electronic form and format, then HIM/UNMC must provide a hard copy option to fulfill the access request. | |||
#*If PHI is maintained electronically in one or more Designated Record Sets for such Individual and the Individual requests an electronic copy of their information, Nebraska Medicine/UNMC must provide such information to the Individual in the form and format requested by the Individual, if it is readily producible. If Nebraska Medicine/UNMC cannot readily produce it as requested by the Individual, then such information must be produced in a form and format as mutually agreed by the individual and Nebraska Medicine/UNMC. If Nebraska Medicine/UNMC and the Individual cannot agree on an electronic form and format, then Nebraska Medicine/UNMC must provide a hard copy option to fulfill the access request. | |||
#*If the Individual directs Nebraska Medicine/UNMC to transmit an electronic copy to a third party, Nebraska Medicine/UNMC will comply with such request, provided that the Individual's directions are clear, conspicuous and specific, and the direction is in writing. If the Individual's directions are not clear, conspicuous and specific, Nebraska Medicine/UNMC will attempt to contact the individual to clarify their request. Nebraska Medicine/UNMC may provide the Individual with a summary (abstract) of the PHI requested, ''in lieu'' of providing access to PHI or may provide an explanation of the PHI to which access has been provided, if the Individual agrees to the summary or explanation in advance, including any fees imposed for such summary or explanation (see Fees below, in Section 7). | |||
#'''Fees'''. If an Individual requests a copy of the PHI, Nebraska Medicine/UNMC may impose cost-based fees, not to exceed $0.50 (50 cents) per page. The basis for calculating such fee must be documented and may include staff time to create and copy the electronic file, such as compiling, extracting, scanning and writing the information to portable media. The cost-based fee may also include the cost of the agreed-upon electronic media, such as a USB drive, or creating a paper copy. If a summary or explanation is requested in advance by the Individual and the Individual has agreed to the fee for such request, Nebraska Medicine/UNMC may charge a pre-determined fee for preparation of such summary or explanation. Reference the fee schedule attached to Nebraska Medicine HIM department policy, Responding to Requests for Clinical Information: External Requestors, ROI 050. | |||
#'''Production of Records'''. If access to the requested information is granted in whole or in part, HIM will arrange for a convenient time and place for the Individual to inspect the records or obtain a copy. | |||
#*Inspection will generally be during normal business hours of Nebraska Medicine/UNMC, unless special circumstances are present. Consult the [mailto:privacy@nebraskamed.com Privacy Officer] if the Individual requests to inspect the records or obtain a copy before or after normal business hours. | |||
#At the Individual’s request, HIM will mail a copy of the records in the format requested to the Individual at the address designated on the request form. If requested by the Individual, HIM will email a copy of the records to the Individual. ''If the Individual requests the records be sent by unsecured email, HIM will confirm that the Individual understands the information could be intercepted before complying with the request.'' | |||
#If the Individual requests in advance an explanation or summary of the information and agrees to pay the fee for preparing the summary, HIM shall prepare the summary and provide it to the Individual. | |||
#The Individual will be notified when the records are available for inspection or that a copy is available for pick-up or mailing/e-mailing. The total cost to the Individual for producing and mailing/e-mailing a copy should be included. Payment for copying/mailing/e-mailing the requested records will be collected prior to the time the records are released. Individuals generally have access to their own medical information during and after treatment via the One Chart | PATIENT portal. The One Chart | PATIENT portal is a secure online application that allows Individuals to view portions of their medical and billing record. Individuals may give others proxy access to their portal account. Parents may obtain limited proxy access to the records of their children. Reference Nebraska Medicine’s One Chart | Patient (Electronic Health Record Portal) policy, IM45, for current information on eligibility for patient and proxy access. | |||
#'''Denials of Access'''. HIM should review the request to determine if one or more of the following grounds for denying access exists as to all or part of the requested records. Access may be denied, in coordination with HIM and the Privacy Office, for reasons listed under Sections 13 and 14 below. The Individual must be provided with a written denial, including the basis for denial; a statement of their review rights under n below if applicable; and a description of how the Individual may file a complaint to Nebraska Medicine/UNMC, along with name, title, and telephone number, or to the Secretary Health and Human Services '''(see [ Denial of Access to Medical Record/Billing Record]) . If Nebraska Medicine/UNMC does not maintain the PHI that is the subject of the Individual's request for access and knows where the requested information is maintained, Nebraska Medicine/UNMC will inform the Individual where to direct the request for access. | |||
#'''Unreviewable Grounds for Denial of Access'''. HIM, in coordination with the Privacy Office, may deny the Individual the right to access their DRS for reasons listed below without providing the Individual with an opportunity for review. | |||
#*The information requested is not maintained by Nebraska Medicine/UNMC. If HIM knows where such information is maintained, the location should be noted in our response to the Individual; | |||
#*The information requested is subject to the Privacy Act, 5 U.S.C. § 552(a); | |||
#*The request is for access to [https://wiki.unmc.edu/index.php/Access_to_Designated_Record_Set#Psychotherapy_Notes Psychotherapy notes] (also see UNMC Policy No. 6066, [[Psychotherapy Notes]]); | |||
#*The requested information was compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; | |||
#*The information requested is maintained by a clinical laboratory subject to the [https://www.govinfo.gov/app/details/USCODE-2020-title42/USCODE-2020-title42-chap6A-subchapII-partF-subpart2-sec263a Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. § 263a], and access by the Individual is prohibited by law; | |||
#*The information requested are records of a research laboratory exempt from the [https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-493 Clinical Laboratory Improvements Amendments of 1988, 42 C.F.R. § 493]; | |||
#*The request is for information regarding ongoing research where treatment is being rendered as part of such research, provided that the Individual has agreed to the denial of access when consenting to participate in the research and the health care provider providing treatment has informed the Individual that the right of access will be reinstated upon completion of the research; | |||
#*The information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information; or | |||
#*The request is from an inmate of a correctional facility and treatment was provided to the inmate under the direction of the correctional facility. The correctional facility must notify Nebraska Medicine/UNMC that obtaining a copy would jeopardize the health, safety, security, custody or rehabilitation of the Individual. Nebraska Medicine/UNMC may provide copies to the correctional facility to arrange for inspection by the inmate. | |||
#'''Reviewable Grounds for Denial of Access'''. Departments, in coordination with HIM and the Privacy Office, may also deny the Individual access to the DRS for the following reasons, but must provide the Individual with an opportunity for secondary review: | |||
#*An attending physician has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the Individual or another person; | |||
#*The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or | |||
#*The request for access is made by the Individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the Individual or another person. | |||
#'''Review of Denial'''. Upon request, the Individual has the right to have denials listed under section 14 above reviewed by another licensed health care professional who did not participate in the original denial. The Nebraska Medicine Chief Medical Officer is the designated reviewing official. If the Chief Medical Officer is not available, the Nebraska Medicine Clinical Governance Committee chair shall review the request. Requests shall be reviewed as soon as possible, but no later than thirty (30) days from submission of the request. HIM must promptly provide written notice to the Individual of the determination of the designated reviewing official, which is final. If access to any information is denied, Nebraska Medicine/UNMC will, to the extent possible, provide access to any remaining information after the information to which access was denied has been removed or redacted. | |||
===Amendment of Designated Record=== | |||
Individuals have the right to request amendment of PHI about them which is maintained by Nebraska Medicine/UNMC or its business associates in the DRS. Nebraska Medicine/UNMC shall receive and process such requests according to the following procedures: | |||
#Individuals may submit a written Request for [Correction/Amendment of Medical/Billing Information form] '''(URL please)''' to HIM, providing rationale for the requested amendment. | |||
#*HIM will review the form for completion. If any information is incomplete, HIM will notify the Individual that Nebraska Medicine/UNMC cannot process the incomplete request. HIM will document on the Request form the attempts to contact the Individual. | |||
#*HIM shall contact the author of clinical PHI to approve/deny the requested amendment. If the author is a medical student, resident or allied health professional with a supervising physician, the supervising physician shall approve/deny the requested amendment. If the request involves billing or payment information, Patient Financial Services should be consulted. | |||
#'''Approval'''. If the amendment is accepted in whole or in part, HIM must identify the records containing the information. Such records will be amended by lining through the information and appending the amendment, or by providing a link to the location of the amendment. The original information should never be erased or removed from the record. | |||
#'''Notifying Third Parties'''. | |||
#*Nebraska Medicine/UNMC will make reasonable attempts to notify those persons/entities who are identified by the Individual of the amendment. | |||
#*Nebraska Medicine/UNMC will identify other persons/entities (including business associates of Nebraska Medicine/UNMC) that Nebraska Medicine/UNMC knows to be in possession of the information and who may have relied on the information or could foreseeably rely on the information to the detriment of the Individual. Nebraska Medicine/UNMC will obtain the Individual’s permission to notify parties identified by Nebraska Medicine/UNMC as described above and will make reasonable attempts to notify those third parties of the amendment. | |||
#'''Denial'''. Requests for amendment may be denied if one of the following grounds for denial exists: | |||
#*The information or record was not created by Nebraska Medicine/UNMC. '''Note:''' Continue to process the request if the Individual provides credible information that the creator of the information or record is not available to act on a request for amendment. | |||
#*The disputed information or record is not part of a designated record set. | |||
#*The disputed information is not subject to access by the Individual. (Refer to the section on [ Requests for Access] above.) | |||
#*The information is accurate and complete as written. '''Note:''' If the requested amendment relates to clinical information, Nebraska Medicine/UNMC must consult with the licensed health care professional who created the information or an appropriate alternate if such person is not available to determine whether the information is accurate and complete. | |||
#'''Notifying the Individual of the Denial'''. If one of the above grounds exists, Nebraska Medicine/UNMC will notify the Individual that Nebraska Medicine/UNMC has denied the request for amendment, using the [ Notice of Approved/Denied Request for Amendment form. The notice should inform the Individual of their rights regarding the denied request for amendment. | |||
#'''Rights of Individual if the Request is Denied'''. Nebraska Medicine/UNMC must permit the Individual to submit a written statement of disagreement to Nebraska Medicine/UNMC. The statement of disagreement must be in writing and limited to one page. | |||
#*If a statement of disagreement is submitted, all future disclosures of the disputed information must include the following: Request for Amendment; Denial Notice; Statement of Disagreement; and Nebraska Medicine/UNMC’s Rebuttal (if any). | |||
#*If a statement of disagreement is not submitted, the Individual has the right to request that Nebraska Medicine/UNMC attach the Request for Amendment and Denial Notice to any future disclosures of the disputed information. Attach such Request only upon request of the Individual. | |||
#'''Rebuttal by Nebraska Medicine/UNMC'''. Nebraska Medicine/UNMC will generally not issue a rebuttal statement unless special circumstances warrant. The author of the information should be consulted if HIM believes that a particular statement of disagreement submitted by an Individual warrants a rebuttal by Nebraska Medicine/UNMC. | |||
#'''Timeframe for Response'''. HIM shall respond back to the requestor in writing within 60 days of the date Nebraska Medicine/UNMC received the amendment request. If HIM determines that Nebraska Medicine/UNMC is unable to respond to the request within sixty (60) days, HIM must notify the Individual in writing that one 30-day extension is necessary to respond to the request and shall provide the reasons the extension is necessary. The extension notice must state the date by which action on the request will be taken. | |||
#'''Recordkeeping'''. The request for amendment, denial of the request, and statement of disagreement/rebuttal statement (if any) must be placed (append or otherwise linked in the electronic record) in the DRS and provided to the Individual as a part of a request for access. | |||
==Definitions== | |||
===Affiliated Covered Entity (ACE)=== | ===Affiliated Covered Entity (ACE)=== | ||
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. | Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. | ||
===Designated Record Set (DRS)=== | ===Designated Record Set (DRS)=== | ||
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by the ACE to make decisions about Individuals. | |||
===Individual=== | ===Individual=== | ||
The person who is the subject of the | The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.) | ||
===Protected Health Information (PHI)=== | ===Protected Health Information (PHI)=== | ||
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that: | Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that: | ||
*is created or received by UNMC/ACE; and | *is created or received by UNMC/ACE; and | ||
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. | *relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. | ||
PHI includes genetic information, which includes information about: | PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age): | ||
*an Individual’s genetic tests; | *an Individual’s genetic tests; | ||
*the genetic tests of an Individual’s family members; or | *the genetic tests of an Individual’s family members; or | ||
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history). | *the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history). | ||
PHI excludes individually identifiable health information of a person who has been deceased for more than fifty (50) years. | PHI excludes: | ||
*individually identifiable health information of a person who has been deceased for more than fifty (50) years. | |||
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and | |||
*employment records held by UNMC in its role as employer. | |||
===Psychotherapy Notes=== | ===Psychotherapy Notes=== | ||
Notes recorded (in any medium) by a | Notes recorded (in any medium) by a mental health provider including psychiatrists, psychologists and other mental health professionals documenting or analyzing the contents of a conversation during a private counseling session or group, joint or family counseling session. Psychotherapy notes are kept separate from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. Psychotherapy notes are not progress notes and are created at the discretion of the mental health care provider. (HIPAA: 45 CFR §164.501) | ||
==Additional Information== | ==Additional Information== | ||
*Contact [mailto:privacy@nebraskamed.com Privacy Officer] | *Contact [mailto:privacy@nebraskamed.com Privacy Officer] | ||
*Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545 | |||
*[https://nebraska.edu/-/media/unca/docs/offices-and-policies/policies/executive-memorandum/hipaa-compliance-policy.pdf Executive Memorandum No. 27, HIPAA Compliance Policy] | |||
*UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information] | |||
*UNMC Policy No. 6051, [https://wiki.unmc.edu/index.php/Computer_Use/Electronic_Information Computer Use/Electronic Information] | |||
*UNMC Policy No. 6057, [https://wiki.unmc.edu/index.php/Use_and_Disclosure_of_Protected_Health_Information Use and Disclosure of Protected Health Information] | |||
*UNMC Policy No. 6066, [[Psychotherapy Notes]] | |||
*Procedure for UNMC Policies No. 6051 and 6057, [https://info.unmc.edu/its-security/policies/procedures/electronic-comm-phi.html Electronic Communication of Protected Health Information] | |||
*Nebraska Medicine Consents and Permits policy, MS14. | |||
*Nebraska Medicine’s One Chart | Patient (Electronic Health Record Portal) policy, IM45 | |||
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html Health Insurance Portability and Accountability Act of 1996 (HIPAA)] | |||
*[https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition Privacy Act, 5 U.S.C. § 552(a)] | |||
*[https://www.govinfo.gov/app/details/USCODE-2020-title42/USCODE-2020-title42-chap6A-subchapII-partF-subpart2-sec263a Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. § 263a] | |||
*[https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-493 Clinical Laboratory Improvements Amendments of 1988, 42 C.F.R. § 493] | |||
*[ CMS-1500 form] '''( form name and URL please)''' | |||
*[ Health Care Financing Administration claim form (HCFA)] '''(URL please)''' | |||
*[Patient Access Request form] (not yet approved) | |||
*[Authorization for Release of Information Form, CON MR 0074] | |||
*[ Denial of Access to Medical Record/Billing Record] | |||
*[ Correction/Amendment of Medical/Billing Information form] '''(URL please)''' it would help if this was a separate URL from the denial of access to medical record when it was saved on your web site | |||
*[ Notice of Approved/Denied Request for Amendment form ] '''(URL please)''' it would help if this was a separate URL from the denial of access to medical record when it was saved on your web site | |||
This page maintained and updated by [mailto:dpanowic@unmc.edu dkp]. | This page maintained and updated by [mailto:dpanowic@unmc.edu dkp]. |
Revision as of 13:29, August 15, 2023
Human Resources | Safety/Security | Research Compliance | Compliance | Privacy/Information Security | Business Operations | Intellectual Property | Faculty |
Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes
Policy No.: 6059
Effective Date: 03/17/03
Revised Date: 10/28/22 Draft
Reviewed Date:
Access and Amendment of Designated Record Set Policy
Basis for Policy
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.
Policy
It is the policy of Nebraska Medicine/UNMC to comply with the procedures set forth below.
Nebraska Medicine/UNMC shall provide Individuals access to inspect and obtain a copy of Protected Health Information (PHI) contained in the Designated Record Set (DRS) maintained by Nebraska Medicine/UNMC or its business associates, and to request amendment to such information, in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Purpose
To establish guidelines for individual access to and request for amendment of Protected Health Information (PHI) contained in the Designated Record Set (DRS).
Procedures
Records Designated as Designated Records Set
Nebraska Medicine/UNMC designates the following records as its DRS:
- Legal Medical Record. The Health Information Management Department (HIM) shall manage access to and amendment of the Legal Medical Record. Contents of the Legal Medical Record shall be approved by the Clinical Governance Committee.
- Billing Records. The DRS billing record includes all of the data elements required on the [ CMS-1500 form] ( form name and URL please) or [ Health Care Financing Administration claim form (HCFA)] (URL please). The contents shall be approved by the Nebraska Medicine Chief Financial Officer for UNMC clinical operations using One Chart for patient care.
- Any other record used in whole or in part by or for the covered entity to make decisions about Individuals.
Access to the Designated Record Set
- Individuals have the right to inspect and obtain a copy of PHI about the Individual in their DRS for as long as the PHI is maintained in the DRS, subject to the limitations in Sections 13 and 14 below.
- If the same record that is the subject of the request is maintained in more than one DRS or at more than one location, the department need only produce the record once in response to a request for access.
- Initiating a Request. Individuals shall complete a [Patient Access Request form (not yet approved)] to inspect and/or obtain a copy of the DRS, and submit it to HIM. HIM is responsible for the processing of all such requests. If the Individual completes an [Authorization for Release of Information Form, CON MR 0074] please advise (URL)and the recipient is the Individual or a third party designated by the Individual, this will be treated as a request for access.
- Review for Completeness. When a Patient Access Request or Authorization for Release of Information form is received, HIM shall review the form for completion. If any information is incomplete that is necessary for an access request (NOTE: some information on the Authorization for Release of Information is not necessary for a request for access), HIM will notify the Individual that they cannot process the incomplete request. HIM should document on the form the attempts to contact the Individual.
- Timeframe for Response.
- If examination of the records is requested, Nebraska Medicine/UNMC shall make the records available for inspection within ten (10) days of the date Nebraska Medicine/UNMC received the request.
- If unusual circumstances have delayed handling the request, HIM may notify the Individual in writing that an extension (not to exceed 21 days) from the original date Nebraska Medicine/UNMC received the complete request is necessary and shall provide the reasons the extension is necessary. The extension notice must state the date by which access or copies will be available.
- If copies of the records are requested, Nebraska Medicine/UNMC must produce the requested copies within 30 days of the date Nebraska Medicine/UNMC received the request. No extension of this date is permitted without the Individual’s consent.
- If PHI is maintained electronically in one or more DRS for such Individual and the Individual requests an electronic copy of their information, Nebraska Medicine/UNMC must provide such information to the Individual in the form and format requested by the Individual, if it is readily producible. If Nebraska Medicine/UNMC cannot readily produce it as requested by the Individual, then such information must be produced in a form and format as mutually agreed by the Individual and HIM/UNMC. If HIM/UNMC and the Individual cannot agree on an electronic form and format, then HIM/UNMC must provide a hard copy option to fulfill the access request.
- If PHI is maintained electronically in one or more Designated Record Sets for such Individual and the Individual requests an electronic copy of their information, Nebraska Medicine/UNMC must provide such information to the Individual in the form and format requested by the Individual, if it is readily producible. If Nebraska Medicine/UNMC cannot readily produce it as requested by the Individual, then such information must be produced in a form and format as mutually agreed by the individual and Nebraska Medicine/UNMC. If Nebraska Medicine/UNMC and the Individual cannot agree on an electronic form and format, then Nebraska Medicine/UNMC must provide a hard copy option to fulfill the access request.
- If the Individual directs Nebraska Medicine/UNMC to transmit an electronic copy to a third party, Nebraska Medicine/UNMC will comply with such request, provided that the Individual's directions are clear, conspicuous and specific, and the direction is in writing. If the Individual's directions are not clear, conspicuous and specific, Nebraska Medicine/UNMC will attempt to contact the individual to clarify their request. Nebraska Medicine/UNMC may provide the Individual with a summary (abstract) of the PHI requested, in lieu of providing access to PHI or may provide an explanation of the PHI to which access has been provided, if the Individual agrees to the summary or explanation in advance, including any fees imposed for such summary or explanation (see Fees below, in Section 7).
- Fees. If an Individual requests a copy of the PHI, Nebraska Medicine/UNMC may impose cost-based fees, not to exceed $0.50 (50 cents) per page. The basis for calculating such fee must be documented and may include staff time to create and copy the electronic file, such as compiling, extracting, scanning and writing the information to portable media. The cost-based fee may also include the cost of the agreed-upon electronic media, such as a USB drive, or creating a paper copy. If a summary or explanation is requested in advance by the Individual and the Individual has agreed to the fee for such request, Nebraska Medicine/UNMC may charge a pre-determined fee for preparation of such summary or explanation. Reference the fee schedule attached to Nebraska Medicine HIM department policy, Responding to Requests for Clinical Information: External Requestors, ROI 050.
- Production of Records. If access to the requested information is granted in whole or in part, HIM will arrange for a convenient time and place for the Individual to inspect the records or obtain a copy.
- Inspection will generally be during normal business hours of Nebraska Medicine/UNMC, unless special circumstances are present. Consult the Privacy Officer if the Individual requests to inspect the records or obtain a copy before or after normal business hours.
- At the Individual’s request, HIM will mail a copy of the records in the format requested to the Individual at the address designated on the request form. If requested by the Individual, HIM will email a copy of the records to the Individual. If the Individual requests the records be sent by unsecured email, HIM will confirm that the Individual understands the information could be intercepted before complying with the request.
- If the Individual requests in advance an explanation or summary of the information and agrees to pay the fee for preparing the summary, HIM shall prepare the summary and provide it to the Individual.
- The Individual will be notified when the records are available for inspection or that a copy is available for pick-up or mailing/e-mailing. The total cost to the Individual for producing and mailing/e-mailing a copy should be included. Payment for copying/mailing/e-mailing the requested records will be collected prior to the time the records are released. Individuals generally have access to their own medical information during and after treatment via the One Chart | PATIENT portal. The One Chart | PATIENT portal is a secure online application that allows Individuals to view portions of their medical and billing record. Individuals may give others proxy access to their portal account. Parents may obtain limited proxy access to the records of their children. Reference Nebraska Medicine’s One Chart | Patient (Electronic Health Record Portal) policy, IM45, for current information on eligibility for patient and proxy access.
- Denials of Access. HIM should review the request to determine if one or more of the following grounds for denying access exists as to all or part of the requested records. Access may be denied, in coordination with HIM and the Privacy Office, for reasons listed under Sections 13 and 14 below. The Individual must be provided with a written denial, including the basis for denial; a statement of their review rights under n below if applicable; and a description of how the Individual may file a complaint to Nebraska Medicine/UNMC, along with name, title, and telephone number, or to the Secretary Health and Human Services (see [ Denial of Access to Medical Record/Billing Record]) . If Nebraska Medicine/UNMC does not maintain the PHI that is the subject of the Individual's request for access and knows where the requested information is maintained, Nebraska Medicine/UNMC will inform the Individual where to direct the request for access.
- Unreviewable Grounds for Denial of Access. HIM, in coordination with the Privacy Office, may deny the Individual the right to access their DRS for reasons listed below without providing the Individual with an opportunity for review.
- The information requested is not maintained by Nebraska Medicine/UNMC. If HIM knows where such information is maintained, the location should be noted in our response to the Individual;
- The information requested is subject to the Privacy Act, 5 U.S.C. § 552(a);
- The request is for access to Psychotherapy notes (also see UNMC Policy No. 6066, Psychotherapy Notes);
- The requested information was compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding;
- The information requested is maintained by a clinical laboratory subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. § 263a, and access by the Individual is prohibited by law;
- The information requested are records of a research laboratory exempt from the Clinical Laboratory Improvements Amendments of 1988, 42 C.F.R. § 493;
- The request is for information regarding ongoing research where treatment is being rendered as part of such research, provided that the Individual has agreed to the denial of access when consenting to participate in the research and the health care provider providing treatment has informed the Individual that the right of access will be reinstated upon completion of the research;
- The information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information; or
- The request is from an inmate of a correctional facility and treatment was provided to the inmate under the direction of the correctional facility. The correctional facility must notify Nebraska Medicine/UNMC that obtaining a copy would jeopardize the health, safety, security, custody or rehabilitation of the Individual. Nebraska Medicine/UNMC may provide copies to the correctional facility to arrange for inspection by the inmate.
- Reviewable Grounds for Denial of Access. Departments, in coordination with HIM and the Privacy Office, may also deny the Individual access to the DRS for the following reasons, but must provide the Individual with an opportunity for secondary review:
- An attending physician has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the Individual or another person;
- The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
- The request for access is made by the Individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the Individual or another person.
- Review of Denial. Upon request, the Individual has the right to have denials listed under section 14 above reviewed by another licensed health care professional who did not participate in the original denial. The Nebraska Medicine Chief Medical Officer is the designated reviewing official. If the Chief Medical Officer is not available, the Nebraska Medicine Clinical Governance Committee chair shall review the request. Requests shall be reviewed as soon as possible, but no later than thirty (30) days from submission of the request. HIM must promptly provide written notice to the Individual of the determination of the designated reviewing official, which is final. If access to any information is denied, Nebraska Medicine/UNMC will, to the extent possible, provide access to any remaining information after the information to which access was denied has been removed or redacted.
Amendment of Designated Record
Individuals have the right to request amendment of PHI about them which is maintained by Nebraska Medicine/UNMC or its business associates in the DRS. Nebraska Medicine/UNMC shall receive and process such requests according to the following procedures:
- Individuals may submit a written Request for [Correction/Amendment of Medical/Billing Information form] (URL please) to HIM, providing rationale for the requested amendment.
- HIM will review the form for completion. If any information is incomplete, HIM will notify the Individual that Nebraska Medicine/UNMC cannot process the incomplete request. HIM will document on the Request form the attempts to contact the Individual.
- HIM shall contact the author of clinical PHI to approve/deny the requested amendment. If the author is a medical student, resident or allied health professional with a supervising physician, the supervising physician shall approve/deny the requested amendment. If the request involves billing or payment information, Patient Financial Services should be consulted.
- Approval. If the amendment is accepted in whole or in part, HIM must identify the records containing the information. Such records will be amended by lining through the information and appending the amendment, or by providing a link to the location of the amendment. The original information should never be erased or removed from the record.
- Notifying Third Parties.
- Nebraska Medicine/UNMC will make reasonable attempts to notify those persons/entities who are identified by the Individual of the amendment.
- Nebraska Medicine/UNMC will identify other persons/entities (including business associates of Nebraska Medicine/UNMC) that Nebraska Medicine/UNMC knows to be in possession of the information and who may have relied on the information or could foreseeably rely on the information to the detriment of the Individual. Nebraska Medicine/UNMC will obtain the Individual’s permission to notify parties identified by Nebraska Medicine/UNMC as described above and will make reasonable attempts to notify those third parties of the amendment.
- Denial. Requests for amendment may be denied if one of the following grounds for denial exists:
- The information or record was not created by Nebraska Medicine/UNMC. Note: Continue to process the request if the Individual provides credible information that the creator of the information or record is not available to act on a request for amendment.
- The disputed information or record is not part of a designated record set.
- The disputed information is not subject to access by the Individual. (Refer to the section on [ Requests for Access] above.)
- The information is accurate and complete as written. Note: If the requested amendment relates to clinical information, Nebraska Medicine/UNMC must consult with the licensed health care professional who created the information or an appropriate alternate if such person is not available to determine whether the information is accurate and complete.
- Notifying the Individual of the Denial. If one of the above grounds exists, Nebraska Medicine/UNMC will notify the Individual that Nebraska Medicine/UNMC has denied the request for amendment, using the [ Notice of Approved/Denied Request for Amendment form. The notice should inform the Individual of their rights regarding the denied request for amendment.
- Rights of Individual if the Request is Denied. Nebraska Medicine/UNMC must permit the Individual to submit a written statement of disagreement to Nebraska Medicine/UNMC. The statement of disagreement must be in writing and limited to one page.
- If a statement of disagreement is submitted, all future disclosures of the disputed information must include the following: Request for Amendment; Denial Notice; Statement of Disagreement; and Nebraska Medicine/UNMC’s Rebuttal (if any).
- If a statement of disagreement is not submitted, the Individual has the right to request that Nebraska Medicine/UNMC attach the Request for Amendment and Denial Notice to any future disclosures of the disputed information. Attach such Request only upon request of the Individual.
- Rebuttal by Nebraska Medicine/UNMC. Nebraska Medicine/UNMC will generally not issue a rebuttal statement unless special circumstances warrant. The author of the information should be consulted if HIM believes that a particular statement of disagreement submitted by an Individual warrants a rebuttal by Nebraska Medicine/UNMC.
- Timeframe for Response. HIM shall respond back to the requestor in writing within 60 days of the date Nebraska Medicine/UNMC received the amendment request. If HIM determines that Nebraska Medicine/UNMC is unable to respond to the request within sixty (60) days, HIM must notify the Individual in writing that one 30-day extension is necessary to respond to the request and shall provide the reasons the extension is necessary. The extension notice must state the date by which action on the request will be taken.
- Recordkeeping. The request for amendment, denial of the request, and statement of disagreement/rebuttal statement (if any) must be placed (append or otherwise linked in the electronic record) in the DRS and provided to the Individual as a part of a request for access.
Definitions
Affiliated Covered Entity (ACE)
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
Designated Record Set (DRS)
Includes medical records and billing records about Individuals maintained by or for UNMC/ACE and any other record used by the ACE to make decisions about Individuals.
Individual
The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)
Protected Health Information (PHI)
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
- is created or received by UNMC/ACE; and
- relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
- an Individual’s genetic tests;
- the genetic tests of an Individual’s family members; or
- the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).
PHI excludes:
- individually identifiable health information of a person who has been deceased for more than fifty (50) years.
- education records covered by the Family Educational Rights and Privacy Act (FERPA); and
- employment records held by UNMC in its role as employer.
Psychotherapy Notes
Notes recorded (in any medium) by a mental health provider including psychiatrists, psychologists and other mental health professionals documenting or analyzing the contents of a conversation during a private counseling session or group, joint or family counseling session. Psychotherapy notes are kept separate from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. Psychotherapy notes are not progress notes and are created at the discretion of the mental health care provider. (HIPAA: 45 CFR §164.501)
Additional Information
- Contact Privacy Officer
- Contact Office of Information Security or 402-559-2545
- Executive Memorandum No. 27, HIPAA Compliance Policy
- UNMC Policy No. 6045, Privacy, Confidentiality and Security of Patient and Proprietary Information
- UNMC Policy No. 6051, Computer Use/Electronic Information
- UNMC Policy No. 6057, Use and Disclosure of Protected Health Information
- UNMC Policy No. 6066, Psychotherapy Notes
- Procedure for UNMC Policies No. 6051 and 6057, Electronic Communication of Protected Health Information
- Nebraska Medicine Consents and Permits policy, MS14.
- Nebraska Medicine’s One Chart | Patient (Electronic Health Record Portal) policy, IM45
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Privacy Act, 5 U.S.C. § 552(a)
- Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. § 263a
- Clinical Laboratory Improvements Amendments of 1988, 42 C.F.R. § 493
- [ CMS-1500 form] ( form name and URL please)
- [ Health Care Financing Administration claim form (HCFA)] (URL please)
- [Patient Access Request form] (not yet approved)
- [Authorization for Release of Information Form, CON MR 0074]
- [ Denial of Access to Medical Record/Billing Record]
- [ Correction/Amendment of Medical/Billing Information form] (URL please) it would help if this was a separate URL from the denial of access to medical record when it was saved on your web site
- [ Notice of Approved/Denied Request for Amendment form ] (URL please) it would help if this was a separate URL from the denial of access to medical record when it was saved on your web site
This page maintained and updated by dkp.