DOCSLIB.ORG

Privacy Networking Group

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Privacy Networking Group

HIPAA COW PRIVACY NETWORKING GROUP

INDIVIDUAL RIGHT TO REQUEST RESTRICTIONS ON HOW PROTECTED HEALTH INFORMATION IS USED/DISCLOSED FOR TREATMENT, PAYMENT, AND HEALTHCARE OPERATIONS

Disclaimer: HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to this Individual Right to Request Restrictions Policy (“Document”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Document. You may use this Document for your own non-commercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Document is provided to the recipient free of charge. If information is excerpted from this Document and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Document may not be sold for profit or used in commercial documents or applications. This Document is provided “as is” without any express or implied warranty. This Document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Document. Therefore, this Document may need to be modified in order to comply with Wisconsin/State law.

* * * * Policy: It is the policy of [PROVIDER/PLAN] to honor an individual’s right to request restrictions regarding the way his or her protected health information (PHI) is used and/or disclosed for the purposes of treatment, payment, and/or healthcare operations and for disclosures permitted under 45 CFR 164.510(b).

© Copyright HIPAA COW Page 1 of 9 NOTE: Although not required by law, some organizations may wish to implement a formal denial process to communicate when a restriction will not be granted. The final rule requires all covered entities to permit individuals to make the request but does not require a covered entity to agree to a restriction. A Sample Letter of Denial for Request for Restrictions is provided in Attachment C of this policy.

Attachments to Policy: . Attachment A: Sample Request for Restrictions . Attachment B: Sample Letter of Approval for Request for Restrictions . Attachment C: Sample Letter of Denial for Request for Restrictions

Procedure:

Basic Restriction Requirements: 1. The [PROVIDER/PLAN] will inform individuals of the right to request restrictions regarding the use and/or disclosure of their PHI for treatment, payment, and healthcare operations in its “Notice of Privacy Practices.” 2. The individual has the right to request restrictions. [PROVIDER/PLAN] may require a written request (See Attachment A for sample letter). 3. [PROVIDER/PLAN]’s Privacy Officer (or designee) will review the request and determine the appropriate action steps. 4. [PROVIDER/PLAN] may approve an individual’s request to restrict disclosure of PHI about the individual: a. For the purpose of treatment, payment or health care operations; b. Disclosure to person’s involved in the individual’s health care; or c. Disclosure to notify family members or others about the individual’s general condition,

location or death.1 5. Unless it is an emergency or otherwise noted herein, [PROVIDER/PLAN] is not required to agree to the restriction request.

1 http :// www. h hs. go v/o cr /pr ivac y/h ip aa/u nd er stand i n g/s umm ar y/ind e x. ht ml If Request for Restriction is Accepted :

1. [PROVIDER]2 must3 approve an individual’s request to restrict disclosure of PHI about the individual to a health plan (or the health plan’s business associate)4 if: A. The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law5; and B. The PHI pertains solely to a health care item or service for which the individual (or a person other than the health plan on behalf of the individual) has paid the [PROVIDER] in full (“Out-of-Pocket Restrictions”).6 a. [PROVIDER] will notify the individual of approval to restrict a disclosure to the health plan. (See Attachment B for sample letter). b. [PROVIDER] will inform the individual of any potential consequences pertaining to the restriction(s) such as: b.i. Regarding Out-of-Pocket restrictions; b.ii. Unbundling of items or services; b.iii. The impact of doing so; b.iv. The individual’s obligation to notify downstream or subsequent providers; b.v. The individual’s obligation to request restrictions for follow-up care; and b.vi. Whether the individual must use an out-of-network provider to restrict the disclosure of PHI.

2 In the preamble to the Omnibus Rule, the Department of Health and Human Services clarified that this provision regarding requests to restrict disclosures relating to items or services paid for in full by an individual (or someone other than a health plan on the individual’s behalf) applies only to covered health care providers. See 78 Fed. Reg. at 5630 (Jan. 25, 2013).

3 Effective February 18, 2010, the American Recovery and Reinvestment Act (ARRA) allowed an individual the right to request that a healthcare provider must comply with the individual’s request for restriction of disclosure to a Health plan for purposes of payment or healthcare operations when the PHI pertains to a service for which the healthcare provider has been paid in full by the individual “out of pocket.” The permissive nature of this ARRA restriction request was modified to a mandated restriction (when requested by the individual) in the Omnibus Rule. 4 Note: This restriction does not apply to [PROVIDER]’s disclosure to [PROVIDER]’s business associate(s) for [PROVIDER]’s own purposes.

5 “Required by law” is defined in 45 CFR § 164.103, but “required by law” also includes: (i) Medicare Conditions of Participation; (ii) other statutes that require the production of information if payment is sought under a government program providing public benefits; (iii) state or other law requiring a provider to submit a claim to a health plan and there is no exception/procedure for individuals wishing to pay out-of-pocket in full for the service. However, for Medicare beneficiaries, a request for restriction on the disclosure of PHI to Medicare for services paid for out-of- pocket in full (i.e., the beneficiary refuses to authorize the submission of a bill to Medicare for the service), the provider must restrict the disclosure of PHI regarding the service.

6 [PROVIDER] may choose to require payment in full at the time of the request for a restriction or at the time of precertification 2. [PROVIDER/PLAN] will inform the individual that the restriction(s) will be honored with the following exceptions: a. Emergency treatment situations in which the [PROVIDER/PLAN] may use or disclose information to a health care provider for providing treatment. [PROVIDER/PLAN] will request that the emergency treatment provider not further use or disclose the information; b. The restriction is terminated by either the [PROVIDER/PLAN] or the individual;

c. To the extent applicable, if restrictions prevent uses or disclosures permitted or required under 164.502(a)(2)(ii), 164.510(a) or 164.512. d. Where the PHI requested for restriction was used, disclosed, or released prior to the request. 3. If the agreed upon restriction(s) hampers treatment, a [PROVIDER] may ask the individual to modify or revoke the restriction(s). [PROVIDER] may require written agreement to the modification/revocation or document the individual’s oral agreement. 4. A notice of restriction(s) will be made in writing in the individual’s record and/or electronically recorded. 5. [PROVIDER/PLAN] will also notify any other departments within the [PROVIDER/PLAN] to which the restriction(s) may apply (e.g., marketing, public relations, administration, foundation, etc.) and if necessary, ensure that the individual’s name is removed from all applicable mailing lists. 6. As appropriate, [PROVIDER/PLAN] will notify any other business associates to which the restriction(s) may apply except downstream or subsequent entities rendering service under an individual’s Out-of-Pocket restriction (s). 7. [PROVIDER/PLAN] will not use or disclose PHI unrelated to the requested restriction(s), nor will its business associates do so until the restriction is terminated either by [PROVIDER/PLAN] or the individual.7 8. The [PROVIDER/PLAN] will flag documents with any PHI pertaining to Out-of- Pocket restrictions to ensure restricted PHI is not inadvertently disclosed for payment or health care operations purposes (including health plan audits). 9. [PROVIDER/PLAN] will restrict use and/or disclosure of PHI consistent with the requirements of the restriction in effect on the date it is used or disclosed.

If Request for Restriction is Denied: 1. If the request for restriction is denied, [PROVIDER/PLAN] will notify the individual. (See Attachment C for sample letter)

If Request for Restriction is Terminated: 1. The individual must submit a request for termination in writing

7 [PROVIDER/PLAN] may not terminate an Out-of-Pocket request unless the individual does not pay out-of-pocket for the relevant item or service. In situations in which an individual has a restriction in place with respect to a health care item or service but does not pay out-of-pocket and who requests a restriction regarding follow-up treatment, if the [PROVIDER/PLAN] needs to include PHI that was previously restricted in the bill in order to have the service deemed medically necessary or appropriate, [PROVIDER/PLAN] is permitted, without the individual's authorization, to disclose such information consistent with [PROVIDER/PLAN’s] minimum necessary policies and procedures. 2. If the [PROVIDER/PLAN] terminates the restriction, the individual must agree to the termination in writing or an oral agreement must be documented in accordance with 164.530(j). The [PROVIDER/PLAN] will notify the individual of the termination’s effective date with respect to only that PHI created or received after the individual was notified by [PROVIDER/PLAN].

If Request for Restriction Includes Records From An External Provider or Source:

1. Electronic medical records often contain information originating from a source other than [PROVIDER/PLAN]. For example: a. Referral documentation from a hospitalization; b. Information acquired through health information exchanges (e.g. CareEverywhere); c. Documentation received from a previous provider. 2. If an individual’s restriction request includes information received from an external entity, [PROVIDER/PLAN] may not honor this request for the information received from the external entity. The individual will be directed by the [PROVIDER/PLAN] to the entity or organization where the information originated.

Record Retention: 1. Except for a restriction that remains active, record restriction documentation will be maintained in writing or in electronic format for at least six (6) years from the date of its creation; the date which the information or conditions for the restriction are no longer applicable; or the date when it was last in effect, or if longer depending on state laws, whichever is later. 2. Unless the individual requests an expiration date or event to end the restriction, the restriction will be maintained as active indefinitely. 3. If the forms generated during the record restriction process are not stored in the individuals’ medical record, it is recommended that an electronic or written flag be prominently displayed or cross-referenced to the restriction to ensure necessary information is available for future care and treatment.

Version History:

Current Version: 8/7/17 Prepared by: Reviewed by: Content Changed:

. Cheri Fields, Monroe Clinic . Privacy Networking Review and revision. . Julie Coleman, Group Health Group Cooperative of South Central Wisconsin . Terry Murphy, Journey Mental Health Center . Carrie Aiken, Navitus Health Solutions Previous Version: 9/18/14 Prepared by: Reviewed by: Content Changed:

. Jodie Swoboda, Marshfield Clinic . Privacy Networking Review and revision . Barbara Zabawa, Center for Health Group to address updates due Law Equity, LLC, WPS Health Insurance . Jennifer Rust Anderson, Group to HIPAA Omnibus Health Cooperative of Eau Claire Rule. . Dawn Paulson, UW Health . Meghan O’Connor, von Briesen & Roper, s.c. . Wendy Ostrander, Beaver Dam Community Health . Cathy Hansen, St. Croix Regional Medical Center Previous Version: January 2010 Prepared by: Reviewed by: . Nancy Davis, Ministry Health Care, . Privacy Networking . Chrisann Lemery, WEA Trust Group

Original Version: February 2003 Prepared by: Reviewed by: . Gale Coleman, Elder Care of Dane . Privacy Networking County; Group . Nancy Davis, Ministry Health Care

ATTACHMENT A

SAMPLE REQUEST FOR RESTRICTIONS ON USE/DISCLOSURE OF PHI FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS

Name of Individual: Date of Birth:

Address:

Telephone: (H) (W) ID # of Individual: ______I am requesting a restriction on the use/disclosure of my health information in the manner described below. I understand that [PROVIDER/PLAN] may deny this request for any reason. I understand that the [PROVIDER/PLAN] will document this restriction to the best of its ability within the records controlled by [PROVIDER/PLAN]. If my request is approved, I understand that the restriction will not apply in case of an emergency. This request will be effective indefinitely unless otherwise indicated by the individual requesting the restriction. ☐The restriction(s) I am requesting are from visits/encounters that were paid for by me out of pocket.

Dates of Specific Health Information to be Restricted: ______Specific Conditions to be Restricted: Persons/Organizations Restricted from Use/Disclosure:

Signature of Individual: Date: Name of Personal Representative (if applicable): Signature of Personal Representative: Date: Relationship to Individual:

Forward Completed Form to Privacy Officer/designee for determination. ************************************************************************************* Date Request Reviewed: ______ICD-10 diagnosis code(s) family (first three digits) for restriction: ______Position Titles of Reviewers: ______Request is: ☐Approved ☐Denied Reason for Denial: ______Final Action Taken: ______Flagged in electronic record: ☐ Completed

Privacy Officer’s/Designee’s Signature: ______Date: ______ATTACHMENT B SAMPLE LETTER OF APPROVAL FOR REQUEST FOR RECORD RESTRICTION

Dear :

On (DATE), you submitted the following request for restrictions to the use/disclosure of your protected health information for the purposes of treatment, payment and health care operations.

The Privacy Officer/designee has reviewed your request and it has been approved with the following exceptions (AND MODIFICATIONS):

1. In an emergency treatment situation we may use or disclose information to a health care provider for providing treatment. We will request the emergency treatment provider not further use or disclose the information. 2. The restrictions are terminated by either you or by us.

Note: If your request for restriction relates to an item or service that you or someone on your behalf (other than a health plan) has paid in full, you must notify other providers of this restriction request if you require any follow-up care.8

(INSERT MODIFICATIONS AS REQUIRED)

If you agree to the above modifications, please forward written approval to me within five business days or call me at .

IMPORTANT NOTE: Approval of your request may result in the following consequences: .

(INSERT POTENTIAL CONSEQUENCES HERE, AS REQUIRED)

PROVIDER/PLAN will document this restriction to the best of its ability within the records controlled by PROVIDER/PLAN. If you have questions or concerns or wish to terminate this restriction, please contact me at [insert phone number].

Sincerely,

Privacy Officer/Designee

ATTACHMENT C

8 HMO providers that are prohibited by law from accepting payment from an individual above the individual’s cost- sharing amount may want to include information in the approval of request for restrictions that the individual that must use an out-of-network provider for the health care item or service to restrict the disclosure of PHI to the HMO for the health care. See 78 Fed. Reg. at 5629 (Jan. 25, 2013). SAMPLE LETTER OF DENIAL OF REQUEST FOR RECORD RESTRICTION

Dear :

On (DATE), you submitted the following request for restrictions to the use/disclosure of your protected health information for the purposes of treatment, payment and health care operations. .

In accordance with the requirements and limitations of the HIPAA Federal Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 & 164), we have reviewed your request and it has been denied for the following reasons:

☐Records belong to another provider or plan

☐Records were released prior to [PROVIDER/PLAN] receiving the request for restriction

☐Other: ______

If you have questions or concerns or would like to discuss this matter further, please contact me at [insert phone number].

Sincerely,

Privacy Officer/Designee

Load more

Recommended publications