Mental Health/substance abuse providers and providers treating HIV/AIDS patients are held to a higher standard when it comes to protecting medical records, requiring additional levels of consent and analysis prior to productions. However, recent settlements published by the Office of Civil Rights of the Department of Health and Human Services (OCR) on September 15, 2020
HIPAA Authorizations
Updated OCR Guidance on Contacting Recovered COVID-19 Patients
The Office for Civil Rights within the Department of Health and Human Services (OCR) provided guidance in June that reassured covered entity health care providers and that it is generally OK to use or disclose protected health information (PHI) to contact individuals who have recovered from COVID-19 for case management and care coordination.
The OCR…
Tell Me Again: What Can Covered Entities (or their Business Associates) Charge for Medical Records Requests?
The answer to this question has changed yet again. I’ve blogged on this topic several times in the past (see here, here and here), and described the question as a wriggling worm. Plaintiff Ciox Health, LLC has finally managed to catch that worm and share its bounty among those looking to charge third-party…
The Cost for a Copy of Medical Records? It May Depend Who’s Asking
The Report to Congressional Committees of the U.S. Government Accountability Office (“GAO Report”), required under the 21st Century Cures Act, came out about a month earlier than required, but this early bird failed to catch what continues to be a wriggling worm – what can a covered entity charge for these copies?…
Not So Fast! HIPAA (Surprisingly) Doesn’t Apply to THAT!
Many employers who have had it drilled into them that HIPAA applies to protected health information (PHI) of employees are often surprised to learn that the applicability of HIPAA to employee health information (EHI) is actually quite narrow. HIPAA only applies to EHI related to the employer’s group health plans (such as medical, dental, employee…
Nine Tips for Avoiding HIPAA Breaches When Responding to Widespread Healthcare Emergencies
The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling…
“I Want My PHI”, Part 2 – OCR Audits Will Focus on Individual Access Rights
We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.
In an email sent to listserv participants…
I Want My PHI! HIPAA Access Rights, Authorizations and HHS Guidance
Daily struggles to protect personal data from hacking, phishing, theft and loss make it easy to forget that HIPAA is not just about privacy and security. It also requires covered entities (CEs) to make an individual’s protected health information (PHI) accessible to the individual in all but a few, very limited circumstances. Recent guidance published…