AMENDMENT TO HIPAA PRIVACY POLICIES PATIENT ACCESS REQUESTS

The HIPAA Privacy Rules permit healthcare providers to disclose patient’s Protected Health Information (PHI) without the patient’s written authorization, including disclosures to other providers or third party payers for purposes of treatment, payment, or healthcare operations; to family members or others involved in the patient’s care or payment if certain conditions are met; or for certain government or public safety concerns if regulatory requirements are satisfied. (45 CFR 164.502, 164.506, 164.510 and 164.512).

Other disclosures of a patient’s PHI generally require the consent of the patient or patient’s personal representative (“Patient Access Request”) or written authorization (“Patient HIPAA Authorization”) (45 CFR 164.502). The rules for such written releases of information and the form to use differ depending on who is requesting the records and to whom the disclosure will be made.  Personal representatives must show proof that they have the authority under state law to act on the patient’s behalf, such as a durable power of attorney with healthcare rights, a healthcare proxy or healthcare surrogate, or court appointed guardian of a minor.

THE THREE MOST COMMON TYPES OF REQUESTS FOR DISCLOSURES:

1. Disclosures to the Patient or Patient’s Personal Representative or at the Direction of the Patient or Patient’s Representative: 

Under HIPAA and subject to limited exceptions, a patient or the patient’s personal representative generally has a right to obtain a copy of the patient’s PHI maintained in the patient’s designated record set (45 CFR 164.524(a)(1)).

The patient’s right to access information generally includes all information in their designated record set (45 CFR § 164.524). Healthcare providers must produce the records in the form or format requested (e.g., paper or electronic format) if readily producible (45 CFR 164.524(c)(2)). Once received the healthcare provider must respond within 30 days (45 CFR 164.524(b)(2)). Providers may charge the patients or personal representatives a reasonable cost-based fee for the records (45 CFR 164.524(c)(4); see updated HHS information and FAQs at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

2. Disclosures to Third Parties at the Direction of the Patient or Patient’s Representative:

The patient or personal representative may also request or authorize disclosures to third parties. Such requests initiated by the patient or personal representative are extensions of disclosures to the patient, and therefore the rules for disclosures to the patient apply.

If the patient or personal representative directs the provider to transmit a copy of protected health information directly to another person or entity designated by the patient or personal representative, the provider must transmit the copy as directed; failure to do so would violate the patient’s right of access and subject the provider to HIPAA penalties (45 CFR 164.524(c)(3)(ii)).

3 . Disclosures to Third Parties at the Direction of Someone Other Than the Patient or Patient’s Representative:

If the request for disclosure is initiated by someone other than the patient or the patient’s personal representative, then SaraPath’s “Patient HIPAA Authorization” form should be used to request the information.  Healthcare providers are prohibited from disclosing a patient’s PHI without HIPAA authorization from the patient, unless an exception applies (45 CFR 164.502(a) and 164.508(a)). SaraPath may accept a HIPAA authorization form from another party at its discretion, provided the form contains the required HIPAA elements and statement.

SUBMITTING REQUESTS FOR DISCLOSURE OF A PATIENT’S PHI TO SARAPATH:

Under HIPAA, healthcare providers may require requests for disclosure of a patient’s PHI be in writing. As such, SaraPath requires patients to submit their requests for copies of their PHI using SaraPath’s “Patient Access Request” form, or SaraPath’s “Patient HIPAA Authorization” form.  To help patients select the appropriate request form to submit, please see the additional information below. The forms can be obtained by contacting us at 941.362.8900 or toll free at 877.362.9144. To help expedite your request, we can email or fax the form to you, or you may come into our facility and complete the form on site at 2001 Webber Street, Sarasota, FL 34239.

Under HIPAA, the provider’s form or method for requesting access must not create a barrier to or unreasonably delay the individual from gaining access. For example, the provider may allow but may not require an individual:

• to physically come to the doctor’s office to request access and provide proof of identity
• use a web portal to request access or obtain the records; or
• mail the request to access the record.

Covered entities are expected to be able to mail or e-mail the requested records to the patient and may not require that the patient pick up the records in person. For more information concerning disclosing records to the patient or the personal representative, see the OCR Guide.

For the following two types of requests:

(1) Disclosures to the Patient or Patient’s Personal Representative at the Direction of the Patient or Patient’s Representative; or

 (2) Disclosures to Third Parties at the Direction of the Patient or Patient’s Representative:

Patients may submit their request for access or for copies of their PHI using SaraPath’s “Patient Access Request” form. While patients may submit their request using SaraPath’s “Patient HIPAA Authorization form”, use of the Patient Access Request form may be preferred for the above types of requests. The differences between patient access requests and patient HIPAA authorizations are summarized in the table below:
 

PATIENT HIPAA AUTHORIZATION	PATIENT RIGHT OF ACCESS
Permits, but does not require, a covered entity to disclose PHI.	Requires a covered entity to disclose PHI, except where an exception applies.
Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of his/her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.	Must be in writing, signed by the individual, and clearly identify the designated person and where to the send the PHI.
No timeliness requirement for disclosing the PHI Reasonable safeguards apply (e.g., PHI must be sent securely).	Covered entity must act on request no later than 30 days after the request is received.
Reasonable safeguards apply (e.g., PHI must be sent securely).	Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium.
No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration.	Fees limited as provided in 45 CFR 164.524(c)(4). HHS modified its guidance in response to a court ruling January 2020 – for more information see:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

SaraPath’s Patient Access Request form includes a space for:

1. the patient’s identifying and contact information;
2. a specific description of the records requested (including the date range and type of records requested);
3. the format in which the records are requested;
4. the date of the request;
5. the individual or entity and address to which the records should be sent, if applicable;
6. notice of any charges for the record to be paid by the patient or the patient’s representative;
7. the patient’s or personal representative’s signature; and
8. in the case of the personal representative, a description of the personal representative’s authority.

For the following third type of request:

(3) Disclosures to Third Parties at the Direction of Someone Other Than the Patient or Patient’s Representative:

SaraPath’s “Patient HIPAA Authorization” form must be submitted for requests that are initiated by someone other than the patient or the patient’s personal representative (as recognized under state law). Unlike patient access requests initiated by the patient or the patient’s representative, HIPAA authorizations may not be combined with any other documents and must contain specified elements, including:

1. a description of the information to be disclosed;
2. the name or description of the person(s) or entity authorized to make the disclosure;
3. the name or description of the person(s) or entity to whom disclosure may be made;
4. the purpose of the disclosure;
5. an expiration date or event;
6. the patient or representative’s signature; and
7. in the case of the personal representative, the authority of the personal representative. (45 CFR 164.508(c)(1)).

In addition, the HIPAA authorization must contain certain required statements, including:

1. the individual’s right to revoke the authorization;
2. limits on the provider’s ability to condition treatment on the authorization; and
3. the potential for redisclosure and any subsequent loss of protection (45 CFR 164.508(c)(2)).

HIPAA authorizations originated by third parties are generally not subject to the same requirements as requests initiated by the patient, e.g., providers are not required to respond to such authorizations; are not required to respond within a set time; are not required to respond in the format requested; and may charge appropriate fees so long as such fees do not constitute the sale of protected health information