1.030 Patient Access to Health Information

Op10.04-5 Patient Access to Health Info


It is the policy of the Missouri State University (University) and its University Health Care Components (HCC) to protect the privacy of individually identifiable Protected Health Information ("PHI") in compliance with federal and state laws governing the use and disclosure of PHI. The HCC recognizes the rights of patients to access PHI pertaining to them in a designated record set as set forth in 45 CFR Section 164.524. The HCC further recognizes that access to protected PHI may be limited or restricted as defined in this policy, in the Notice of Privacy Practices ("NPP") and as allowed by law. In cases where the patient has been civilly adjudicated incapacitated or is a minor, the parent (if a minor), or the legal guardian or personal representative may request access. There may be additional exceptions as allowed by law.


The University’s HCC

  1. Contents
    1. Definitions
    2. Request for Access to PHI
    3. Denial of Access
    4. Appeal and Review of Denial
    5. Release of PHI of a Deceased Patient
    6. Provision of Access and Fees
  2. Definitions
    1. Abstract (Summary): A brief summary on HCC letterhead of the essential information as requested on a proper authorization
    2. Patient: Any individual who has received or is receiving services from a HCC .
    3. Designated record set: A group of any records under the control of a covered entity from which PHI is retrieved by the name of the individual or by identifying number.
    4. Direct Access: An in-person review of the medical record, and/or obtaining a copy of the record.
    5. Licensed Health Care Professional: As defined in Section 630.005, RSMO; 9 CSR 30-4.010; and 9 CSR 45-2.010(2)(U). Such professionals may be a licensed physician, nurse, therapist, counselor, speech pathologist, nurse practitioner, audiologist, athletic trainer, physical therapist, physician assistant, social worker, pharmacist, and other licensed health care specialist.
    6. Personal Representative: Person with a court order appointing them as guardian or with a valid Power of Attorney signed by the patient specifying the authority to review and make decisions regarding medical, psychiatric, therapy treatment or habilitation counseling concerns.
    7. PHI: Protected Health Information: individually identifiable PHI, defined as any information, including demographic information, collected from an individual that:
      1. Is created or received by a health care provider, health prescription plan, employer, or health care and pharmacy clearinghouse; and
      2. Related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and
        1. Identifies the individual, or
        2. With respect to which, there is reasonable basis to believe that the information can be used to identify the individual.
    8. Psychotherapy Notes: Notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Such notes exclude medication prescriptions and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
    9. Official Signature: Legal Name, credential, and job title or position description.
    10. Disclosure of PHI Summary: An accounting of disclosures of PHI (in paper or electronic format) containing: date of disclosure; name and address of the organization or person who received the PHI; a brief description of the information disclosed; purpose for which the PHI was disclosed.
  3. Request for Access to Protected PHI
    1. A patient who has or is receiving services from a HCC, parent of a minor, and personal representative or legal guardian as relevant to their representation, must request in writing for access to inspect, or receive copies of, PHI except in those instances covered by federal regulations and outlined in the NPP acknowledged at admission, and must further specify the exact information requested for access. This does not mean that a HCC provider cannot give a patient, a copy of their test results, preventive measures, care instructions, or information to assist the patient’s understanding of their diagnosis, during the delivery of health care without a written release.
    2. The "Access Request Form for Protected Health Information" shall be provided to facilitate the request. HCC personnel may assist in initiating the process requesting access to PHI.
    3. All requests by patients and their legal representatives for PHI must be forwarded to the Unit Privacy Officer or designee for action.
    4. If it is acceptable after discussion with the patient, the HCC may provide a summary of the PHI to the patient. If the summary is acceptable, the HCC shall determine the appropriate staff to provide that explanation to the patient. The patient’s agreement to a summary shall be documented in writing in the record as a check in the appropriate box in the "Access Request Form for Protected Health Information" form. The patient’s agreement to any costs associated with the summary shall be documented in the record. The form shall be filed in the patient’s medical record.
    5. This request shall be processed in a timely consistent manner according to established time frames but not more than thirty (30) days after receipt of the request. If the record cannot be accessed within the thirty (30) days, the time frame may be extended once for no more than an additional thirty (30) days with notification in writing to the individual outlining reasons for the delay and the date the request will be concluded.
    6. Requests for Access to PHI may be denied without a right to review as follows:
      1. If the information conforms to one of the following categories:
      2. psychotherapy notes; HIV testing information; information compiled for use in a civil, criminal or administrative action or proceeding; or information that would be prohibited from use or disclosure under the Certified Laboratory Information Act (CLIA) laws and regulations;
      3. If the patient is participating in research related treatment and has agreed to the denial of access to records for the duration of the study;
      4. If access is otherwise precluded by law;
      5. If the information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
      6. If the facility has been provided a copy of a court order from a court of competent jurisdiction, which limits the release, or use of PHI.
    7. Requests for Access to PHI may be denied provided the individual is given a right to have the denial reviewed as follows:
      1. A licensed health care professional based on an assessment of the particular circumstances, determines that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person.
      2. The HCC may deny the patient access to PHI if the information requested makes reference to someone other than the patient and a health care professional has determined that the access requested is reasonably likely to cause serious harm to that other person.
      3. The HCC may deny a request to receive a copy or inspect PHI by a personal representative of the patient if the facility has a reasonable belief that the patient has been or may be subjected to domestic violence, abuse, or neglect by such person; or treating such person as the personal representative could endanger the individual; and the facility, exercising professional judgment, decides that it is not in the best interest of the patient to treat that person as the patient’s personal representative.
  4. Denial of Access
    1. Upon denial of any request for access to PHI, in whole or in part, a written letter shall be sent to the patient, or other valid representative making the request for access, stating in plain language the basis for the denial.
    2. If the patient has a right to a review of the denial as outlined in subsection 3.g. above, the letter shall contain a statement of how to make an appeal of the denial including the name, title, address, and telephone number of the person to whom an appeal should be addressed.
    3. This letter shall also address the steps to file a complaint with the Secretary of HHS.
    4. If the HCC does not maintain the information requested, but it is known where the patient may obtain access, the facility or HCC must inform the patient where to direct the request for access. The patient is to have access to records from another HCC or health care facility that are maintained in the current facility’s record.
  5. Appeal and Review of Denial of Requests as Defined in Subsection 3.g.
    1. A patient, parent of a minor, or guardian of a patient has the right to appeal the decision to withhold portions or all of the record for safety or confidentiality reasons.
    2. The appeal shall be submitted in writing to the Supervisor/Director of the HCC, who will designate a licensed health care professional, or if the appeal is to the University’s Privacy Officer concerning any information maintained by a HCC, then to a designated licensed health care professional.
    3. The designated licensed health care professional who did not participate in the original decision to deny access shall review the record and the request for access to the patient’s record. (HCC form attached to this policy)
      1. The reviewer must determine if access meets an exception as described in Section 3.
      2. If the reviewer determines that the initial denial was appropriate, the patient must be notified in writing, using plain language, that the review resulted in another denial of access. The notice must include the reasons for denial and must describe the process to make a complaint to the Secretary of HHS.
      3. If the denial was not appropriate, the licensed health care professional who acts as the reviewer shall refer the request to the facility or University Privacy Officer or designee for action.
      4. If access is denied to any portion of the PHI, access must still be granted to those portions of the PHI that are not restricted.
      5. A HCC is bound by the decision of the reviewer.
  6. Provision of Access and Fees
    1. a. If a HCC provides a patient or legal representative with access, in whole or in part, to protected PHI, the facility must comply with the specifications as outlined in federal regulations to the extent of the facility’s capabilities and as identified in that facility’s Notice of Privacy Practices.
      1. Requested information must be provided in designated record sets.
      2. If the requested information is maintained in more than one designated record set or in more than one location, the HCC only needs to produce the information one time in response to the request.
      3. The HCC may provide a summary or explanation of the requested PHI if:
        1. The patient agrees in advance to the summary or explanation in place of the record.
        2. The patient agrees in advance to any fees imposed for the summary or explanation.
        3. These agreements shall be documented as set forth in subsection 3.d. above.
      4. If the requested information is maintained electronically and the patient requests a copy or faxed copy, the HCC should accommodate the request if possible and explain the risk to security of the information when transmitted as requested.
      5. If the information is downloaded to computer disk, the patient should be advised in advance of any charges for the disk and mailing the disk.
      6. If the information is not available in the format requested, the facility or HCC must produce a hard copy document or other format agreed upon by the patient and facility.
    2. The HCC shall provide the access requested in a timely manner and arrange for a mutually convenient time and place for the patient to inspect the PHI or obtain copies, unless access by another method has been requested by the patient and agreed to by the HCC as set forth in subsection 6.a.(4) above. Any requests for accommodations shall be sent or given in writing to the Unit Privacy Officer.
    3. The fee charged will be in compliance with the current Missouri State Statute (See Section 191.227, RSMO), the University’s Open Meetings and Records Policy, and federal law.
  7. Release of Protected PHI of a Deceased Patient
    1. The PHI of a deceased patient may only be released via a Probate Court order from the County Circuit Court where the deceased resided or from another Probate Court in the State of Missouri, or as otherwise determined legally appropriate by University legal counsel.
    2. Upon request to obtain information, the Unit Privacy Officer shall ask for a copy of the Probate Court Order or other necessary documentation.
  8. Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
  9. Sanctions. Any person found to have violated the requirements of this policy shall be subject to disciplinary action up to and including dismissal.

HISTORY: Effective March 21, 2003