QUESTION ON HIPAA. #1 ARE THERE REQUIREMENTS FOR COVERED ENTITIES TO HAVE WRITTEN PRIVACY POLICIES? IF SO, WHAT HAS TO BE ADDRESSED IN THE POLICY?

#2 DOES HIPAA AFFECT THE PATIENT'S ACCESS TO HIS OR HER MEDICAL RECORDS? IF SO, DESCRIBE THE EFFECT AND THE PROCEDURE FOR OBTAINING ACCESS?

SraJMcGin,

Tuesday, November 4, 2008 at 11:54am

Question 1: Are there requirements for covered entities to have written privacy policies? If so, what has to be addressed in the policy?

Answer: Yes, under HIPAA (Health Insurance Portability and Accountability Act) there are requirements for covered entities to have written privacy policies. The policy should outline how the entity will comply with HIPAA regulations and protect the privacy and security of patients' protected health information (PHI).

To address this requirement in the policy, the following key areas should be covered:

1. Purpose: Clearly state the purpose of the policy, emphasizing the commitment to protecting patient privacy.

2. Definitions: Define key terms related to PHI, including what constitutes PHI and the individuals or entities covered by the policy.

3. Scope: Specify the entities and individuals covered by the policy, including employees, contractors, and other parties who may handle PHI.

4. Use and Disclosure of PHI: Outline the permissible uses and disclosures of PHI, ensuring compliance with HIPAA regulations. This includes both routine and non-routine uses or disclosures.

5. Patient Rights: Describe the rights granted to patients under HIPAA, such as access to their own PHI, the right to request amendments, and the right to request restrictions on the use or disclosure of their PHI.

6. Minimum Necessary: Discuss the principle of minimum necessary, which requires covered entities to limit the use, disclosure, and requests for PHI to only what is necessary for a specific purpose.

7. Safeguards: Specify the security measures and administrative, technical, and physical safeguards implemented to protect PHI from unauthorized access, use, or disclosure.

8. Complaints and Reporting: Provide information on how patients can file complaints if their privacy rights have been violated, as well as contact details for the entity's privacy officer or designated contact person.

It's important for covered entities to regularly review and update their privacy policies to reflect changes in regulations or technology and ensure ongoing compliance.

Question 2: Does HIPAA affect the patient's access to his or her medical records? If so, describe the effect and the procedure for obtaining access.

Answer: Yes, HIPAA grants patients the right to access their own medical records. This right allows individuals to review and obtain copies of their protected health information (PHI) held by covered entities.

The effect of HIPAA on patient access to medical records includes:

1. Right of Access: HIPAA provides individuals with the right to access and obtain copies of their PHI held by covered entities, including medical records, test results, billing information, and other health-related documents.

2. Format and Timelines: Covered entities must provide access to PHI in the format requested by the individual, if it is readily producible in that format. The entities have 30 days to respond to a request for access, with the possibility of a 30-day extension in some cases.

3. Fees: Covered entities may charge a reasonable fee for providing copies of medical records. However, fees should be limited to the cost of labor, supplies, and postage involved in producing these copies.

The procedure for obtaining access to medical records under HIPAA typically involves the following steps:

1. Make a Request: The individual should make a written request to the covered entity that holds their medical records. The request should clearly state that it is made under HIPAA and specify the type of information requested.

2. Verification of Identity: The covered entity may require the individual to provide proof of identity or authorization before granting access. This is to ensure that only the patient or authorized individuals can access the records.

3. Processing the Request: The covered entity must review the request and provide access to the requested PHI within 30 days. If the entity needs additional time, they can request an extension as long as they notify the individual of the reason for the delay.

4. Fees and Formats: If applicable, the covered entity can charge a reasonable fee for providing copies of the records. They should also accommodate the individual's preferred format if it is readily producible.

If the covered entity denies access to the requested PHI, they must provide a written explanation of the denial and information on how to dispute the decision.

It's important to note that state laws may also come into play regarding access to medical records, so individuals should familiarize themselves with any additional requirements or regulations specific to their location.