Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 10 - Access of Individuals to protected health information

 

Title: Access to Protected Health Information
Policy: PRV-10.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.524(a)
Standard: Access to Protected Health Information
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify the patient’s rights regarding access to their own medical record or Protected Health Information.

Policy

OSU recognizes the individual’s right of access to inspect and obtain a copy of PHI about the individual contained within the designated record set, for as long as the PHI is maintained in the designated record set, except for:  §164.524(a)(1)

  1. Psychotherapy notes §164.524(a)(1)(i)
  2. HIV/AIDS notes upon doctor’s permission.
  3. Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; and §164.524(a)(1)(ii)
    1. Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or  §164.524(a)(1)(iii)(A)
    2. Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2)  §164.524(a)(1)(iii)(B)

OSU may deny an individual access without providing the individual an opportunity for review, in the following circumstances.  §164.524(a)(2)

  1. The PHI is excepted as stated above. §164.524(a)(2)(i)
  2. OSU acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.  §164.524(a)(2)(ii)
  3. An individual's access to protected health information created or obtained by OSU in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and OSU has informed the individual that the right of access will be reinstated upon completion of the research.  §164.524(a)(2)(iii)
  4. An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law. §164.524(a)(2)(iv)
  5. An individual's access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. §164.524(a)(2)(v)

OSU may deny access in the following circumstances, provided that the individual is given a right to have such denials reviewed: §164.524(a)(3)

  1. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;  §164.524(a)(3)(i)
  2. The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or  §164.524(a)(3)(ii)
  3. The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.  §164.524(a)(3)(iii)

If access is denied on grounds that allow the opportunity for review, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by OSU to act as a reviewing official and who did not participate in the original decision to deny.  OSU must provide or deny access in accordance with the determination of the reviewing official.  §164.524(a)(4)

Procedure
  1. All patients have the right to access their own medical record information.  Access must be requested in writing, and presented to authorized personnel of medical records.  The appropriate form may be found here.  The form may also be mailed to the address on the form.
  2. All staff preparing records to be copied or accessed by a patient or an authorized patient representative shall check to see if any restrictions on use and disclosure are in place. (PRV-09.01 Right of an Individual to Request Restriction of Uses and Disclosures)
  3. The medical records personnel or OSU Agent shall then follow this policy as stated above.
  4. Staff and Agents of OSU and their family members who are also patients must follow PRV-10.06 Employee’s Own Access to Protected Health Information policy to gain access to their own or family member’s medical record.
  5. Clinical Faculty and other non-faculty clinicians shall follow PRV-10.07 Clinical Faculty Own Access to Protected Health Information policy.
Reference

PRV-09.01 Right of an Individual to Request Restriction of Uses and Disclosures
PRV-10.06 Employee’s Own Access to Protected Health Information
PRV-10.07 Clinical Faculty Own Access to Protected Health Information



Title: Disclosures for Law Enforcement Purposes
Policy: PRV-10.02
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.512(f)
Standard: Disclosures for Law Enforcement Purposes
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure requests to access PHI are processed in a timely manner.

Policy
  1. OSU must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. OSU may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement. §164.524(b)(1)
  2. OSU must act on a request for access no later than 30 days after receipt of the request as follows. §164.524(b)(2)
    • If granted, in whole or in part, OSU must inform the individual of the acceptance of the request and provide the access requested in accordance with PRV-10.01;  §164.524(b)(2)(i)(A)
    • If denied, either in whole or in part, OSU must provide the individual with a written denial in accordance with PRV-10.04 §164.524(b)(2)(i)(B)
  3. If the request for access is for PHI that is not maintained or accessible to OSU, OSU must take action no later than 60 days from the receipt of such a request.  §164.524(b)(2)(ii) 
  4. If OSU is unable to take an action within the time required, as applicable, OSU may extend the time for such actions by no more than 30 days, provided that:  §164.524(b)(2)(iii)
    • OSU, within the specified time limits, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which OSU will complete its action on the request; and  §164.524(b)(iii)(A)
    • OSU may only have one such extension of time for action on a request for access.  §164.524(b)(iii)(B)
Procedure
  1. OSU shall notify an individual in the Notice of Privacy Practices that the individual can request access to their medical records via written notification.
  2. Upon an individual’s written request to access their own protected health information, the 30 day time limit starts from the day the OSU Agent physically receives the written request.
  3. The OSU agent shall document the request, and the date it was received, in the individual’s medical record.
  4. If the request needs approval from a Physician or other approval to release, the OSU Agent shall seek to obtain such approval without delay.
  5. If approval has not been given by 20 days, the OSU agent shall send notification via First Class Mail informing the individual of the 30 day extension which would start 10 days from the date of the written notification.
  6. If at any time during this process OSU must deny access for approved reasons which OSU has the right to deny, the OSU agent shall notify the individual of the denial in writing per PRV-10.04 Denial of Access.


Title: Provision of Access
Policy: PRV-10.03
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.524(c)
Standard: Access of Individuals to Protected Health Information
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To educate employees on how access will be given to patients who request access to their PHI.

Policy

If OSU provides an individual with access, in whole or in part, to protected health information, OSU must comply with the following requirements:  §164.524(c)

  1. OSU must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, OSU need only produce the protected health information once in response to a request for access.  §164.524(c)(1)    
  2. OSU must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by OSU and the individual. §164.524(c)(2)(i)
  3. Notwithstanding paragraph (2) of this policy, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, OSU must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by OSU and the individual.  §164.524(c)(2)(ii)
  4. OSU may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if:  §164.524(c)(2)(iii)
    • The individual agrees in advance to such a summary or explanation; and  §164.524(c)(2)(iii)(A)
    • The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.  §164.524(c)(2)(iii)(B)
  5. OSU must provide the access as requested by the individual in a timely manner as required by PRV-10.02 Requests for Access & Timely Provision, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual's request. OSU may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.  §164.524(c)(3)(i)
  6. If an individual's request for access directs OSU to transmit the copy of protected health information directly to another person designated by the individual, OSU must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.  §164.524(c)(3)(ii)
  7. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, OSU may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:   §164.524(c)(4)
    • Labor for copying the protected health information requested by the individual, whether in paper or electronic form;  §164.524(c)(4)(i)
    • Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;  §164.524(c)(4)(ii)
    • Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and  §164.524(c)(4)(iii)
    • Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(iii) of this section.  §164.524(c)(4)(iv)
Procedure
  1. If OSU provides access to an individual to their protected health information, OSU shall provide no less than what is contained or would be contained in a designated record set.
  2. If the individual requests the protected health information in paper form, OSU shall provide the requested records in paper form, and charge the individual a fee based on paragraph 7 of this policy.
  3. If the individual requests the protected health information in electronic form, and if OSU has the requested material in electronic form, OSU shall provide such information in an electronic form.
  4. If the individual requests the protected health information in an electronic form, but the information is in both electronic and paper form, OSU shall take every reasonable step to get the paper documents to the individual in an electronic form.
  5. In any other scenario, the OSU agent shall use their best judgment based on the requirements of this policy.
  6. If the individual requests a copy be sent to someone other than the requesting individual, OSU shall send the protected health information to that other individual provided that OSU has:
    1. A full name or company name;
    2. Complete address; or
    3. Email address; or
    4. Other method of communication to get the requested records to such individual; and
    5. The individual has paid all associated costs for sending the information, if any.
Reference

45 CFR §164.524(c)
HITECH 13405(e)



Title: Denial of Access
Policy: PRV-10.04
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.524(d)
Standard: Access of Individuals to Protected Health Information
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify the process for when or if access shall be denied.

Policy

If OSU denies access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.  §164.524(d)

  • OSU must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which OSU has a ground to deny access.  §164.524(d)(1)
  • OSU must provide a timely, written denial to the individual, in accordance with PRV-10.02. The denial must be in plain language and contain:  §164.524(d)(2)
    • The basis for the denial; §164.524(d)(2)(i)
    • If applicable, a statement of the individual’s review rights, including a description of how the individual may exercise such review rights; and  §164.524(d)(2)(ii)
    • A description of how the individual may complain to OSU pursuant to the complaint procedures in § 164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii). §164.524(d)(2)(iii)
  • More information can be found in OSU HIPAA Policy: PRV-10.02 Request for Access and Timely Action

If OSU does not maintain the protected health information that is the subject of the individual's request for access, and OSU knows where the requested information is maintained, OSU must inform the individual where to direct the request for access.  §164.524(d)(3)

If the individual has requested a review of a denial under Policy PRV-10.01, OSU must designate a licensed health care professional, who was not directly involved in the denial, to review the decision to deny access. OSU must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in PRV-10.01. OSU must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination.  §164.524(d)(4)

Procedure
  1. If OSU denies in whole or in part any request for access to protected health information, OSU shall follow the policy above.
  2. All denials shall include the methods to complain or find out more information.
  3. All complaints and general inquiries shall be directed to:
    HIPAA Compliance Officer
    717 South Houston, Suite 506
    Tulsa, OK  74127
    Chs.privacy@okstate.edu
    918-586-4545
    Or:
    The Secretary for the Department of Health & Human Services complaint form


Title: Documentation
Policy: PRV-10.05
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.524(e)
Standard: Access of Individuals to Protected Health Information
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To define the documentation process for designated record sets and the requirements of §164.524 (Access of individuals to PHI) as defined by §164.530(j) (Documentation of Changes to Policy).

Policy

OSU must document the following and retain the documentation as required by 45 CFR §164.530(j): §164.524(e)

  • The designated record sets that are subject to access by individuals; and  §164.524(e)(1)
  • The titles of the persons or offices for receiving and processing requests for access by individuals. §164.524(e)(2)
Procedure
  1. All clinical departments and Clinic Financial Services that use Electronic Medical Records and have paper records receive requests; as a result, nearly anyone with access to such records is capable of processing these requests for access by individuals.  Nurses, Office Staff, and Medical Records personnel are generally the ones to process such requests.
  2. All OSU Agents who process such requests shall document in the individual’s medical record any access or denial as provided in this section of policies related to access of individuals to protected health information.


Title: Employee Use/Disclosure of own/family PHI
Policy: PRV-10.06
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.506
Standard: Use/Disclosure
Responsibility: Health Care Components
Effective Date: 11/15/2012
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To clarify an OSU employee’s use and/or disclosure of their own and/or a family member’s PHI, and to prevent self-treatment by medical staff.

Policy

Any OSU employee who is or was a patient, and/or has family member(s) or friend(s) who are or were patients of any OSU clinic, should excuse themselves from involvement in the care of themselves, family member(s) or friend(s) to avoid any literal or perceived conflicts of interest and/or self-treatment.

Definitions

Family / Family members includes but is not limited to: mother, father, sister, brother, children, spouse, self, grandparents, grandchildren, and if married, immediate in-laws.

Procedure
  1. Any employee of OSU who is/was a patient or has family or friends who are/were patients of OSU should excuse themselves from their care and/or the care of family member(s) or friend(s) so as to avoid a conflict of interest and to prevent self-treatment.
    1. Under this procedure, it is realized that in smaller clinics, the above might be difficult to adhere to.  In those cases, the employee should contact the HIPAA Compliance Officer for advice and guidance.
  2. The employee may be and should be actively involved in their care as a patient or in the care of family members or friends. However, the employee should not act as an employee while involved in the care of family members, friends or themselves.  This would include acting as an employee of OSU during normal business hours and being involved in the care of family members, friends or themselves.
  3. The employee will be treated like any other patient or family member/friend of a patient.
  4. The employee is prohibited from accessing patient restricted areas within the clinic that the employee may normally have access to while on duty. The employee is prohibited from accessing any computer systems that contain PHI, and should go through the normal course of obtaining PHI as any patient of OSU would. 
  5. The employee may obtain access to or copies of their own record, or the record of a family member/friend, where authorization has been given by the patient and the employee has followed policy PRV-10.01 (Access to PHI).
  6. The employee is prohibited from accessing their own patient record or the record of any family member(s) or friend(s) at any time while on duty for any reason. 
  7. During any physician visit by self, or where the employee accompanies family members or friends, the employee should be off duty and clocked out.
  8. Any employee who does not excuse themselves from care/involvement may face sanctions as defined in the Sanctions Policy.
    1. In smaller clinics where excusal may not be possible, the employee must ensure that proper documentation is obtained through the HIPAA Compliance Officer and/or the employee’s superior.
  9. Any employee who accesses another employee’s record(s) or accesses their family/friend’s records and is not directly involved in the care of the patient will be subject to sanctions. (PRV-13.05 Sanctions Policy)
  10. If a fellow employee is aware of a situation that violates this policy and does not report it to the HIPAA Compliance Officer and/or their immediate supervisor, that employee will also be subject to sanctions. (PRV-13.05 Sanctions Policy)
Reference
  1. PRV-10.01 Access to PHI Policy
  2. PRV-13.05 Sanctions
  3. American Medical Association Code of Ethics Opinion 8.19 – Self-Treatment or Treatment of Immediate Family Members
