Under HIPAA, clients have a right to look at their files with the exceptions listed below. Have the client complete the DSS Request for Individual’s Access to Protected Health Information. Provide access unless the PHI concerns:
- Psychotherapy notes: Per HIPAA, “Psychotherapy notes means recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical records. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”
- PHI is from forensic laboratory testing such as in a criminal investigation or for scientific experimentation purposes. Exceptions from this restriction would be routine laboratory reports such as cholesterol screening and blood test that clients receive through their health care providers.
- Information is for use in a civil, criminal or administrative proceeding(s). This does not apply to client fair hearings.
- The records are from certain research projects in which the client has agreed to a restriction of access while participating in the project.
- The PHI was obtained from someone other than a health care provider under a promise of confidentiality and disclosing the information would reveal the source.
- Access is likely to endanger the life or physical safety of the individual or another person.
- The information makes reference to someone other than the individual and the access may cause serious harm.
- The individual has been or may be subjected to domestic violence, abuse, or neglect or endangerment through release of the information to a personal representative.
If staff provides the access, send a copy of the DSS Request for Individual’s Access to Their Protected Health Information to the FSD privacy officer.
- Staff determines that the PHI is covered by one or more of the above eight bullets that restrict access. Do NOT give the claimant the requested PHI. Immediately forward to the FSD privacy officer a copy of the information that the client is requesting and the DSS Request for Individual’s Access to Their Protected Health Information form. Advise the Privacy Officer if one or more of the reasons for denial apply and which one(s). Use an IOC, letter or memorandum to provide the Privacy Officer with any information or recommendations that may assist the officer in reviewing the request.
- Privacy Officer Decision: The privacy officer will determine whether to approve or deny the request. If the request is denied, the privacy officer will notify the claimant and staff of the decision.
If FSD denies access, in whole or in part, to PHI, the privacy officer may provide or instruct staff to provide:
- Other PHI information accessible to the individual after excluding the denied PHI.
- If the information requested is not maintained by DSS and staff knows where the requested information is kept, inform the individual where to direct his or her request.
- Appeal and Review of Denials: Claimants have a right to request a review if the denial is based on one of the following reasons:
- Access is likely to endanger the life or physical safety of the individual or another person.
- The information makes reference to someone other than the individual and the access may cause serious harm.
- The individual has been or may be subjected to domestic violence, abuse, or neglect or endangerment through release of the information to a personal representative.
The DSS Request for Individual’s Access to Protected Health Information form notifies the client of the denial and how to appeal the decision. An IM-87, Application for State Hearing is not used.
The Departmental Privacy Officer will then designate a licensed health care professional to review the denial. The designated licensed health care professional who did not participate in the original decision to deny access shall review the record and the request for access to the client’s record.
- If the reviewer determines that the initial denial was appropriate, the Privacy Officer notifies the client and staff that the review resulted in another denial of access. The notice includes the reasons for denial and describes the process the individual may use to make a complaint to the Secretary of the Department of Health and Human Services.
- If the denial was not appropriate, the licensed health care professional who acts as the reviewer shall refer the request to the Privacy Officer for action. The Privacy Officer may provide this PHI to the individual or direct staff to provide it.
- If access is denied to any portion of the PHI, access may still be granted to those portions of the PHI that are not restricted.
- Providing Information, Use of a Designated Record Set, and Summaries: When information is provided, it must be provided in a designated record set. A designated record set is all PHI contained in the client’s file. For example, copy the requested PHI that is maintained in the client’s medical file used by the Medical Review Team to determine Permanent and Total Disability. If the requested information is in more than one section (for example, the hospital discharge summary is in the MRT medical file and the hospital bill is with the income or budget section), this becomes the designated record set.
The privacy officer may provide a summary or explanation of the requested PHI if:
- The consumer agrees in advance to the summary or explanation in place of the record.
- The consumer agrees in advance to any fees imposed for the summary or explanation.
If the requested information is maintained electronically and the client requests an electronic or faxed copy, accommodate the request if possible and explain the risk to security of the information when transmitted as requested. If the information is downloaded to a computer disk, the consumer may be charged a reasonable amount for the disk and mailing. If the information is not available in the format requested, produce a hard copy document or other format agreed upon by the client.
Provide the access requested in a timely manner, and arrange for a time and place for the client to inspect the PHI or obtain copies, unless access by another method has been requested by the client and agreed to by staff.
If staff or the privacy officer is providing access, certain time frames exist. The individual must be allowed to inspect or obtain a copy of his or her PHI no later than 30 days after staff gets the request (60 days if the information is not maintained or accessible to FSD on-site). The deadline may be extended up to 30 days if the individual gets a written statement of the reasons for the delay and the date staff or the privacy officer will fulfill the request.
- Release of PHI of a Deceased Client: The PHI of a deceased consumer may only be released to the personal representative or executor of the estate.