The deciding factor in whether information is considered part of the statutory health record is not where it is located or what format it takes, but how it is used and whether it can reasonably be expected to be routinely disclosed when a request for a complete medical record is received.
When an individual requests access to PHI in a particular form or format, the question for the entity concerned is whether it is able to easily make the copy in that format – which is a question of capacity, not “will”. Therefore, if a captured entity is able to easily create the requested format, the captured entity is not permitted to deny the person access to that format because the entity would prefer that the person receive a different format or use other common processes for accessing the entity's records. The HIPAA Privacy Policy allows a relevant entity to charge a reasonable, cost-based fee to individuals (or their personal representatives) for obtaining (or transmitting to third parties) a copy of the individual's PHI. Not only are the fees reasonable, but they can only include certain labor, delivery and postage costs that may be incurred to provide the copy in the form and manner requested or agreed upon by the person. The following methods can be used to calculate these fees as shown below.
The legal health record is used to determine what information constitutes an organization's official business record for evidentiary purposes. The statutory health record is a subset of the entire patient database. The elements that make up an organization's legal health record vary depending on how the organization defines it. As technology evolves, other characteristics must be assessed and considered in legal health records and established records policies. Documents that are not yet complete or are in the intermediate/pending state should be considered.
Functions such as clinical decision support triggers and annotations must also be considered. Appendix C lists the features and functionalities that should be evaluated when creating the Act policy on records and legal integrity defined by the organization. Source systems: The systems in which data was originally created. Note: Documentation of results may be provided in the patient's medical record. Other legal privileges may apply to these documents. The following definitions may be useful to organizations when creating the legal health record and defining record group policies. All key terms identified by the organization must also be included in the organization's final policy.
In limited cases where, due to the nature of the analysis and the timing of the individual's request, 30 calendar days is not sufficient to complete an analysis report to which the person has requested access, the laboratory may, within the 30-day period, inform the person in writing of the need and the precise reason for the delay in granting access to the result of the completed analysis and the date by which the lab will complete its action on the request, in accordance with Section 164.524(b)(2)(iii) of the HIPAA Privacy Policy. The confidentiality rule allows only one renewal on an access request and the renewal cannot exceed 30 calendar days. In the rare cases where 60 calendar days is not sufficient for the individual to have access to the completed test report requested by the individual, the laboratory may comply with the access request at the end of the 60-day period by granting the individual access to PHI existing at that time (e.g., testing requirements, input data used to generate reports, other completed test reports) in the specified record.
The provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protect the privacy and security of individuals' identifiable health information and establish a set of individual rights regarding health information, have consistently recognized the importance of giving individuals the ability to access and obtain a copy of their health information.
With few exceptions, the HIPAA Privacy Rule provides individuals with a legal and enforceable right to access, upon request, copies of information contained in their medical and other medical records maintained by their healthcare providers and health plans. Yes. If an individual requests access to their PII and the relevant entity intends to charge the individual the limited fee allowed under the HIPAA Privacy Policy to provide a copy of their PHI, the relevant entity must inform the individual in advance of the approximate fees that may be charged for the copy. An individual has the right to receive a copy of their PHI in the form, format and manner requested, if it is easy to obtain in that way or as otherwise agreed upon by the individual. Since the fees that a relevant legal entity may charge vary depending on the form, format and type of access requested or agreed upon by the individual, the relevant companies must inform the person at the time of negotiation or agreement on those details of any associated fees that may affect the form, the format and manner in which the person requests or consents to a copy of their PHI. Failure to give notice is an inappropriate measure that may constitute an obstacle to the right of access. Therefore, this requirement is necessary for the right of access to operate in accordance with the HIPAA Privacy Policy. In addition, affected businesses should post on their websites an approximate fee schedule for periodic types of access requests or otherwise make them available to individuals. In addition, if requested by an individual, covered businesses must provide a breakdown of the labour, supplies and postage costs, if any, which constitute the total costs.