12-11 HIPAA: Individual Rights
About CMU's "Individual rights under HIPAA policy"
This policy creates a structure to help CMU employees comply with and help clients exercise their rights under the Health Insurance Portability and Accountability Act of 1996.
NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.
- Effective date of this revision: October 30, 2018
- Contact for more information: Office of HIPAA Compliance 989-774-2829, hipaa@cmich.edu
BACKGROUND
The HIPAA Privacy Rules give to individuals certain rights concerning their protected health information (PHI) that CMU (or its business associates) maintains. Individuals have the right to (1) inspect and copy their PHI, (2) request correction of their PHI, (3) receive an accounting of certain uses and disclosures of their PHI, (4) request confidential communication of their PHI, (5) request additional protection for their PHI, and (6) receive a notice of how their health information may be used and shared.
PURPOSE
CMU has adopted this policy to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the privacy regulations, as well as to fulfill our duty to protect the confidentiality and integrity of confidential protected health information as required by law, professional ethics, and accreditation requirements. This policy has been drafted to ensure a structure for CMU’s compliance with applicable elements of the law and to guide CMU staff in assisting clients to exercise their rights.
DEFINITIONS
Record: Any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for CMU’s Hybrid entity units (as identified in Policy 12-2).
Designated Record Set: A group of records maintained by or for CMU that is: (a) the medical records and billing records about individuals maintained by or for a CMU covered health-care provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for the health plan options offered through the CMU Flexible Benefits Plan; or (c) used, in whole or in part, by or for CMU’s health care components to make decisions about individuals.
The defined designated record sets for CMU’s covered entities may be found in HIPAA Policy: Use and Disclosure #12-6.
POLICY
CMU’s policy is to allow individuals to exercise their individual rights under the HIPAA Privacy Rules. For patients of health care services obtained through CMU, CMU will obtain information necessary for a response from its own records and those of any business associates who may also have responsive records. For those covered under a CMU self-insured health plan, CMU will obtain information from its own records; but when the PHI is held by an insurer, third party administrator, or third party provider, CMU will instruct the individual to make the request directly to the insurer, third party administrator, or third party provider.
PROCEDURE
1.0 Individual’s Request to Inspect and Copy.
1.1 An individual has the right to inspect, review, and receive a copy of their health information that CMU maintains about the individual in a Designated Record Set. The CMU covered entities will respond to an individual request for access to his or her Designated Record Set in accordance with the Privacy Rule requirements (see 45 C.F.R. 164.524). The Central Michigan University Flexible Health Plan will similarly respond to such requests for the information that it maintains, but for health plan claims information will refer individuals to the appropriate insurers or third party administrators. If an individual reports that a third party administrator has not properly handled the request, the HIPAA Privacy Officer will be notified and will investigate the report under the Complaint procedures in Policy 12-4.
1.2 CMU may deny access to records when permitted under the Privacy Rule (for example, when in the professional judgment of a health care provider such disclosure would be harmful to the individual or to someone named in the record). When denying a request for access, in whole or in part, CMU will follow all procedures outlined in the Privacy Rules including timely notice to the individual and permitting a review of the determination where appropriate.
1.3 To the extent that a request seeks access to psychotherapy notes, the Privacy Rules specify that psychotherapy notes need not be provided to the individual, and that grounds for denial are not reviewable. Requests for access to psychotherapy notes require consultation with the treating mental health provider and the HIPAA Privacy Officer.
1.4 The CMU unit receiving the request must act on a request for access within thirty (30) days of receipt; but for information that is not maintained or accessible on site, the unit may take up to sixty (60) days to respond. When response is not possible before the normal deadline, the unit may extend the deadline by no more than thirty (30) days with timely written explanation to the individual prior to the original deadline explaining the reasons for the delay and the date by which the unit will take required actions. CMU may have only one extension of time.
1.5 CMU may impose a reasonable fee for providing copies or summaries of PHI. If imposed, the fee will only include: (1) the cost of copying, including the cost of supplies for and labor of copying; (2) postage, when the individual has requested that the copy, or the summary or explanation, be mailed; and (3) expenses incurred in preparing an explanation or summary of the PHI, if the individual agrees. CMU will document all information required by the Privacy Rules and retain the documentation relating to the request and CMU’s response for a period of six years.
2.0 Individual’s Request for Amendment.
2.1 An individual has the right to request an amendment of their PHI that CMU maintains. The CMU covered entities will respond to an individual’s request to amend records maintained in the Designated Record Set in accordance with the Privacy Rule requirements (see 45 C.F.R. 164.526), but if a record originated with another entity will refer the individual to that other entity. The Central Michigan University Flexible Health Plan will similarly respond to such requests for the information that it maintains, but for health plan claims information will refer individuals to the appropriate insurers or third party administrators. If an individual reports that an insurer or third party administrator has not properly handled the request, the HIPAA Privacy Officer will be notified and will investigate the report under the Complaint procedures in Policy Number 12-4.
2.2 CMU health care providers involved in the individual’s care may need to be consulted in order to evaluate whether a request for an amendment will be granted. CMU may deny a request to amend records when permitted under the Privacy Rule (for example, if CMU believes that the record is accurate or the record was created by another health care provider). When denying a request, in whole or in part, CMU will follow the requirements of the Privacy Rule, including providing timely notice and allowing the individual to submit a statement of disagreement.
2.3 CMU must either comply with or deny the individual’s request for an amendment no later than sixty (60) days after receipt of the request. If CMU is unable to act on the amendment request within sixty (60) days after the receipt of the request, CMU may seek to extend the time for its decision no more than thirty (30) days if CMU, within the original 60 day time limit, provides the individual with a written statement of the reasons for the delay and the date by which CMU will make its decision. CMU may have only one extension of time.
2.4 If the request for an amendment is accepted, in whole or in part, CMU will comply with the Privacy Rules, including making reasonable efforts to inform others identified by the individual or other persons known to CMU that have relied upon or may in the future rely on the information being amended.
2.5 In the event CMU is informed by another health care provider, health plan, or business associate of an amendment, CMU must amend the PHI in its Designated Record Set that is the subject of that amendment.
2.6 CMU will retain the documentation relating to the request and CMU’s response as required by the Privacy Regulations for a period of six (6) years.
3.0 Individual’s Request for an Accounting of Disclosures of PHI.
3.1 An individual has the right to request an accounting of disclosures of their PHI. CMU’s policy is to respond to such requests as required by the Privacy Rules. The CMU covered entities will respond to an individual’s request for an accounting of disclosures of PHI in accordance with the Privacy Rule requirements (see 45 C.F.R. 164.528). The Central Michigan University Flexible Health Plan will similarly respond to such requests for the information that it maintains, but for information about disclosures relating to claims administration data will refer individuals to the appropriate insurers or third party administrators.
3.2 An individual may request an accounting of disclosures for a period of time of up to six years from the date of the request, but the CMU unit receiving the request is generally not required to include in the accounting any disclosures for treatment, payment or health care operations. In accordance with the Privacy Rules, CMU must temporarily suspend an individual’s right to receive an accounting of disclosures made to a health oversight agency or law enforcement official, for the time specified by such agency or official, if such agency or official provides CMU with a written statement that such an accounting to the individual would be reasonably likely to impede the agency’s activities and that specifies the time for which such a suspension is required.
3.3 CMU must act on the individual’s request for an accounting no later than sixty (60) days after receipt of such a request. When response is not possible before the normal deadline, the unit may extend the deadline by no more than thirty (30) days with timely written explanation to the individual prior to the original deadline explaining the reasons for the delay and the date by which the unit will take required actions. CMU may have only one extension of time.
3.4 CMU must provide the first accounting to an individual in any twelve (12)-month period without charge. If CMU receives any subsequent request from the individual within the same 12-month period, CMU may impose a reasonable, cost-based fee, but must give the individual advance notice of the fee and the opportunity to withdraw or modify the request in order to avoid or reduce the fee.
3.5 CMU will document all information required by the Privacy Rules and retain the documentation relating to the request and CMU’s response for a period of six (6) years.
4.0 Individual’s Request for Confidential Communications.
4.1 An individual has the right to request communications of PHI by alternative means or at alternative locations. The CMU covered entities will accommodate all written requests that are reasonable as required under the Privacy Rule (see 45 C.F.R. 164.522(b)). The Central Michigan University Flexible Health Plan will similarly respond to such requests, but may require that the individual’s request also contain a statement that disclosure of all or part of the information could endanger the individual.
4.2 The CMU unit receiving the request for confidential communications will only agree to accommodate the request with respect to communications sent by the unit. The CMU unit will require the individual to make separate requests to other CMU units that may also communicate with the individual. The CMU unit will also instruct the individual that CMU’s agreement does not bind any other health care provider, insurer or third-party administrator and that the individual must make separate requests to all such entities that may communicate with him or her.
5.0 Individual’s Request for Restrictions on Uses and Disclosures of PHI.
5.1 An individual has the right to request that CMU restrict its uses or disclosures of their PHI beyond the restrictions imposed by the Privacy Rules.
5.2 The Privacy Rules do not require CMU to agree to any requested restrictions (see 45 C.F.R. 164.522(a)). CMU will generally not agree to a request to restrict a use or disclosure, as such requests may interfere with its ability to provide care, to supervise its clinical staff, to obtain payment for services, to administrate its health plans, or otherwise place an undue administrative burden on CMU’s operations. A request for additional restrictions must be approved by the Privacy Officer of the unit receiving the request.
5.3 If CMU agrees to a particular restriction, CMU may not use or disclose PHI contrary to such restriction and CMU will document the restriction. Requests that an insurer, third party administrator or third party provider agree to a restriction must be made by the individual directly to the insurer, third party administrator or third party provider.
5.4 CMU, however, may use the restricted PHI, or may disclose such information to a health care provider to provide emergency treatment to the individual if the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment. CMU must request that said health care provider not further use or disclose the information.
5.5 CMU may rescind the restriction by providing notice in advance, but the rescission will only apply to PHI created or received after the notification unless the individual agrees to the termination or requests the termination. CMU must document all rescissions or terminations of such restrictions.
6.0 Individual’s Right to Receive Notice of How Their Health Information May Be Used or Disclosed
6.1 Any individual has the right to receive a copy of the covered entity’s Notice of Privacy Practice (Notice) on request, and the covered entity shall make its Notice electronically available on any website it maintains for customer service or benefits.
6.2 The CMU healthcare providers must provide the Notice no later than the first service encounter by personal delivery for patient visits, by automatic and contemporaneous electronic response for electronic service delivery, and by prompt mailing for telephonic service delivery. The Notice shall be posted at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice; and in emergency treatment situations, the provider must furnish its Notice as soon as practicable after the emergency abates.
6.3 The CMU health plan must deliver its Notice to each of its members at enrollment, and send a reminder to every enrollee at least once every three years that the Notice is available, and upon request. The health plan satisfies its obligation by furnishing the Notice to the “named insured”, that is the subscriber for coverage that also applies to persons covered under the individual subscriber’s coverage.
6.4 The CMU healthcare provider with a direct treatment relationship with individuals must make a good faith effort to obtain written acknowledgement from the patients of receipt of the Notice. The reason for failure to obtain the patient’s written acknowledgement must be documented. The provider is relieved of the need to request acknowledgement in an emergency situation.
Central Michigan University reserves the right to make exceptions to, modify or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines relative to this subject.