February 20, 2018

Producing Patient Records: The “Designated Record Set,” the “Legal Health Record,” and Records Created by Other Providers

Healthcare providers often misunderstand their obligation to provide patient records in response to a request from a patient or third party.

1. Patient Requests and the “Designated Record Set.” With very limited exceptions,[1] patients and their personal representatives generally have a right to access and/or require the disclosure of protected health information in the patient’s designated record set. (45 CFR § 164.524(a)). HIPAA defines “designated record set” as:

A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider; [or]
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(45 CFR § 164.501). As the OCR recently summarized:

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

(OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (“OCR Access Guidance”), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html, emphasis added). In a separate FAQ, the OCR explained further:

What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?

With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or “SOAP” notes … but not including psychotherapy notes …), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals….

Individuals do not have a right to access PHI about them that is not part of a designated record set because this information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, peer review files, practitioner or provider performance evaluations, quality control records used to improve customer service, and formulary development records may be generated from and include an individual’s PHI but may not be in the covered entity’s designated record set(s) to which the individual has access….

(See OCR FAQ, available at https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html).

2. Records Created by or Received from Other Providers. As the OCR’s Access Guidance affirms, the “designated record set” includes records used by the covered entity to make healthcare decisions about a patient “regardless [of] where the [record] originated (e.g., whether the covered entity, another provider, the patient, etc.).” An OCR FAQ states:

A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

(Available at http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/214.html). The OCR’s more recent Access Guidance confirms that not only may the provider disclose records received from other providers, it generally must disclose such outside records that are a part of the designated record set in response to the patient’s or personal representative’s request unless one of the limited exceptions applies; failure to do so could subject the provider to HIPAA penalties.

3. Third Party Disclosures and the “Legal Health Record”. Healthcare entities sometimes get hung up on the concept of the “legal health record” when trying to determine what may or must be provided in response to patient or third-party requests for protected health information. In contrast to the designated record set, there is no uniform or regulatory definition of the “legal health record”, and its meaning depends on the user and context. Some may intend it to refer to the patient’s “formal” medical record as defined and maintained by a provider; others use it to describe the medical records that would be used in court or produced in response to a subpoena. Thus, when someone refers to the “legal health record,” a provider must determine just what is intended. More specifically, when responding to a request for records, the covered entity must confirm who is requesting the information and what they are seeking rather than imposing its own unilateral definition of the “legal health record”:

  • As discussed above, if the patient or personal representative requests the patient’s records or asks that the patient’s records be sent to a third party, a provider generally must produce all requested records that are maintained in the patient’s designated record set unless one of the limited exceptions applies. (See 45 CFR § 164.524). If he or she chooses, a provider may ask or confirm with the patient or personal representative which records they actually want. For more information on responding to a patient’s request to disclose information, see our article at https://www.hollandhart.com/hipaa-releases-of-information-per-request-or-authorization.
  • If a provider receives a valid HIPAA authorization from a third party seeking records, the provider may (but is not required to) produce the specific records identified in the authorization, but not others. (See 45 CFR § 164.508). If there is any question about which records are covered by the authorization, the provider should check with the patient to confirm what they want disclosed. For more information about the requirements for a valid HIPAA authorization, see our article at https://www.hollandhart.com/valid-hipaa-authorizations-a-checklist.
  • If a provider receives a subpoena, order or warrant requesting records, the provider generally must produce the specific records or information identified in the subpoena, order or warrant. (See 45 CFR § 164.512(e)-(f)). Remember: the party issuing the subpoena or order may define the requested records differently than the provider. The issue is not what the provider thinks should be produced or how it unilaterally defines its own medical records; the issue is what records are requested by the subpoena, order or warrant. If the provider fails to produce the records that are requested, the provider may be subject to contempt sanctions. If the provider produces more than the records requested, the provider may be subject to HIPAA penalties. Accordingly, if there is any doubt as to the scope of records requested, the provider should contact the party issuing the subpoena to confirm what they intend, and only produce the records identified in the subpoena, order or warrant. In doing so, the provider should be careful to avoid disclosing protected health information in the discussion. For more information about the rules for responding to subpoenas, orders and warrants, see our article at: https://www.hollandhart.com/hipaa-responding-to-subpoenas-orders_and-administrative-demands.
  • If a provider is required to disclose protected health information pursuant to a statute or regulation, the provider should ensure that he or she limits the scope of the disclosure to the specific information or records identified in the statute or regulation, and strictly follows the statutory or regulatory process for such disclosures. (See 45 CFR § 164.512(a)).
  • If a provider is disclosing information for a purpose permitted by HIPAA without the patient’s authorization (e.g., disclosures to other providers for treatment purposes, or to a payer for payment purposes), the provider should generally comply with the minimum necessary standard, i.e., don’t disclose more than needed for the permissible purpose. (See 45 CFR § 164.514). Note that when the provider receives a request from another healthcare provider for treatment purposes, the provider may assume that the other healthcare provider needs the records requested, which may include outside records.

4. Conclusion. When responding to requests or demands for records, providers must be careful not to interpret or respond to the request based on their own unilateral concept of the “medical record”; instead, they must ensure that they produce the records described by applicable statutes, regulations, subpoenas, orders or warrants regardless of how the provider would characterize the records or, most often, who created the records.

[1] A provider may generally decline to produce records in response to a patient’s or personal representative’s request if, e.g., the requested records: (1) are not part of the patient’s “designated record set”; (2) are psychotherapy notes as defined by HIPAA; (3) were compiled in reasonable anticipation of litigation; (4) were obtained from a third party under the promise of confidentiality and disclosure would reveal the source of the information; or (5) disclosure would result in substantial harm to the patient or others. (See 45 CFR § 164.524(a)).

July 24, 2017

Offering Free Screening Tests to Patients

By Kim Stanger

Healthcare providers often offer free screening tests or services as a way to generate business for their facility or practice; however, doing so may violate federal and state laws unless structured properly. The federal Anti-Kickback Statute (“AKS”)[1] and Civil Monetary Penalties Law (“CMPL”)[2] generally prohibit offering free or discounted items or services to patients as a way to generate business payable by Medicare, Medicaid or other federal healthcare programs unless the arrangement fits within a regulatory exception.[3] Violations of the AKS or CMPL may result in criminal, civil, and/or administrative penalties.

December 28, 2016

Idaho Peer Review Privilege

by Kim Stanger

Idaho has enacted a broad privilege that protects the confidentiality of credentialing, quality improvement, and similar peer review activities by Idaho hospitals and other health care entities. The statute encourages participation and protects the integrity of such peer review activities by ensuring that peer review communications and proceedings remain confidential, and that participants are immune from liability.

Application. The privilege applies to “peer review” activities conducted by “healthcare organizations”. (I.C. § 39-1392).

“Health care organization” means a hospital, in-hospital medical staff committee,[1] medical society, managed care organization, licensed emergency medical service, group medical practice, or skilled nursing facility.

(I.C. § 39-1392a(3)).

“Peer review” means the collection, interpretation and analysis of data by a health care organization for the purpose of bettering the system of delivery of health care or to improve the provision of health care or to otherwise reduce patient morbidity and mortality and improve the quality of patient care. Peer review activities by a health care organization include, without limitation:
(a) Credentialing, privileging or affiliating of health care providers as members of, or providers for, a health care organization;
(b) Quality assurance and improvement, patient safety investigations and analysis, patient adverse outcome reviews, and root-cause analysis and investigation activities by a health care organization; and
(c) Professional review action, meaning an action or recommendation of a health care organization which is taken or made in the conduct of peer review, that is based on the competence or professional conduct of an individual physician or emergency medical services personnel where such conduct adversely affects or could adversely affect the health or welfare of a patient or the physician’s privileges, employment or membership in the health care organization or in the case of emergency medical services personnel, the emergency medical services personnel’s scope of practice, employment or membership in the health care organization.

(I.C. § 39-1392a(11)).

July 6, 2016

Providers Must Post New Nondiscrimination Notices

By Kim Stanger, Holland & Hart LLP

Under the new ACA Nondiscrimination Rules, covered entities (including most healthcare providers) must post and publish new mandatory nondiscrimination statements and taglines by October 16, 2016.

1. Notice of Nondiscrimination + Taglines: Facility, Website, and Significant Publications. The new mandatory “Notice of Nondiscrimination” must inform persons that:

  1. the covered entity does not discriminate on the basis of race, color, national origin, sex, age, or disability in its health programs and activities;
  2. the covered entity provides appropriate auxiliary aids and services, including qualified interpreters for individuals with disabilities and information in alternate formats, free of charge and in a timely manner, when such aids and services are necessary to ensure an equal opportunity to participate to individuals with disabilities;
  3. the covered entity provides language assistance services, including translated documents and oral interpretation, free of charge and in a timely manner, when such services are necessary to provide meaningful access to individuals with limited English proficiency;
  4. how to obtain the aids and services described above;
  5. if the covered entity has fifteen or more employees, identification of, and contact information for, the employee responsible for coordinating the covered entity’s compliance as required by the regulations;
  6. if the covered entity has fifteen or more employees, the availability of the grievance procedure required by the regulations and how to file a grievance; and
  7. how to file a discrimination complaint with the Office for Civil Rights (“OCR”).

(45 C.F.R. § 92.8(a) and (b)(1)). HHS has published a sample Notice of Nondiscrimination, which is available here. Although HHS encourages entities to post the Notice of Nondiscrimination in languages other than English, covered entities are not required to do so.

June 14, 2016

New ACA Anti-Discrimination Rules: Language Assistance for Non-English Speakers

By Kim Stanger, Holland & Hart LLP

On May 18, 2016, HHS published its final rules implementing the anti-discrimination provisions of the Affordable Care Act § 1557. This is the first of several alerts discussing aspects of the new rule: this alert focuses on those provisions requiring language assistance for persons with limited English proficiency; future alerts will cover rules related to sex discrimination and persons with disabilities. The new language assistance rules build on but extend beyond HHS’s 2003 Guidance Regarding Limited English Proficient Persons, 68 F.R. 47311 (“LEP Guidance”).

Application. The new rules apply to any entities (“covered entities”) that operate a health program or activity that receives federal financial assistance under programs operated by HHS, including but not limited to Medicaid or Medicare parts A, C and D, but excluding Medicare Part B. (45 C.F.R. § 92.2(a); 81 F.R. 31383). Among others, the rule applies to hospitals, clinics, medical practices, solo practitioners, nursing homes, or other healthcare entities that participate in federal programs other than Medicare Part B. (81 F.R. 31384-85). Covered entities are not required to comply if doing so would violate applicable federal statutory protections for religious freedom and conscience. (45 C.F.R. § 92.2(b)). Also, the regulations do not apply to employment discrimination. (45 C.F.R. § 92.101(a)(2)).

June 9, 2016

New ACA Nondiscrimination Rules: Protecting Individuals Against Sex Discrimination

By Patricia Dean, Holland & Hart LLP

On May 18, 2016, HHS published its final rules implementing the anti-discrimination provisions of the Affordable Care Act § 1557. This is the third of three alerts discussing various aspects of the new rules. This alert focuses on the rules protecting individuals against discrimination based on sex. The first alert (available here) focused on the rules’ requirement for language assistance for persons with limited English proficiency. The second alert (available here) focused on the rules ensuring protections for individuals with disabilities. The final rule goes into effect on July 18, 2016.

Relationship to Other Laws. Section 1557 is the first federal civil rights law to prohibit discrimination “on the basis of sex” (including gender identity and sex stereotyping) in covered health programs and activities. In doing so, it builds on HHS Titles VII and IX, and federal case law to clarify what constitutes sex discrimination and prohibit specific discriminatory practices. It does not preempt or alter other laws, and providers must continue to comply with other state and federal laws in addition to the new ACA nondiscrimination rules.

June 6, 2016

New ACA Nondiscrimination Rules: Assistance for Persons with Disabilities

by Teresa Locke, Holland & Hart LLP

On May 18, 2016, HHS published its final rules implementing the anti-discrimination provisions of the Affordable Care Act § 1557. This is the second of three alerts discussing various aspects of the new rules. This alert focuses on the rules ensuring protections for individuals with disabilities. The first alert – published on May 26 – focused on the rules’ requirement for language assistance for persons with limited English proficiency. The third and final alert – to be issued in the near future – will cover rules related to sex discrimination.

Relationship to Other Laws. The final rules are consistent with existing directives implementing the requirements already existing under the Americans with Disabilities Act (“ADA”) and Section 504 of the Rehabilitation Act of 1973 (“Section 504”). Nothing in the new rules should be interpreted to invalidate or limit the rights, remedies, procedures, or legal standards available to disabled persons under the ADA or Section 504. Accordingly, entities must ensure compliance with existing laws in addition to the new ACA rules, including state laws that may be more restrictive than the ACA regulations.

May 23, 2016

Charging Patients for Copies of Their Records: OCR Guidance

by Kim C. Stanger, Holland & Hart LLP

HIPAA generally gives patients or their personal representative the right to access or obtain copies of the patient’s protected health information (“PHI”) in their designated record set[1], and limits the amount that providers may charge patients for PHI to a reasonable cost-based fee. (45 CFR 164.524). In February 2016, the OCR issued guidance (“Guidance”) which clarifies allowable fees and identifies additional actions providers should take when charging fees. The OCR’s Guidance may be accessed here.

Allowable Charges. The OCR confirmed that a provider may only charge the patient or personal representative for the following:

1. Labor for copying the requested PHI, whether in paper or electronic form. This includes only the labor for actually creating and delivering the paper or electronic copy in the form and format requested or agreed upon by the patient once the responsive information has been identified, retrieved, collected, compiled and/or collated. For example, allowable costs may include photocopying paper PHI; scanning paper PHI into an electronic format; converting electronic PHI in one format to the format requested by or agreed to by the patient; creating and executing a mailing or e-mail with the responsive PHI; and/or uploading, downloading, attaching, burning, or otherwise transferring electronic PHI from a provider’s system to portable media, e-mail, app, personal health record, web-based portal (where the PHI is not already maintained in or accessible through the portal), or other manner of delivery of the PHI. (See also 78 FR 5636). Labor for copying does not include costs associated with reviewing the patient’s request; searching for, reviewing, retrieving, segregating, collecting, compiling, or otherwise preparing the responsive information for copying; verifying that only information about the requested patient is included; complying with HIPAA; updating or maintaining record systems; etc. (See also 78 FR 5636). Likewise, it does not include administrative or other costs associated with outsourcing record functions to business associates or others beyond the business associate’s labor costs described above.

February 5, 2016

Prompt Pay Discounts

by Kim C. Stanger, Holland & Hart LLP

Healthcare providers sometimes offer “prompt pay” discounts to encourage patients to pay their bills within a certain period, including outstanding copayments or deductible amounts. Such programs should be structured appropriately to ensure compliance with applicable laws and payer contracts.

1. Federal Fraud and Abuse Laws. If the discount is offered to induce the patient to receive other services payable by Medicare, Medicaid, or other government programs, the discount may violate federal fraud and abuse laws. The federal Anti-Kickback Statute (“AKS”) prohibits knowingly offering any remuneration to persons to induce or reward referrals for items or services covered by federal health programs, including Medicare or Medicaid. See 42 U.S.C. § 1370a-7b. The AKS applies to discounts offered to federal program beneficiaries if the purpose of the discount is to induce referrals. See, e.g., OIG, Special Advisory Bulletin: Offering Gifts and Other Inducements to Beneficiaries (8/30/02); OIG, Special Fraud Alert regarding Routine Waiver of Part B Co-Pays and Deductibles (12/19/94). Similarly, the federal Civil Monetary Penalties Law (“CMPL”) prohibits knowingly offering anything of value to Medicare or Medicaid beneficiaries that is likely to influence the beneficiary’s selection of a particular provider of services payable by Medicare or Medicaid, including waivers or discounts of coinsurance or deductible amounts. See 42 U.S.C. § 1320a-7a(a)(5); 42 C.F.R. § 1003.102 and .103(b)(13).

December 18, 2015

Physician Timeshare Arrangements: New Stark Option for Sharing Space with Visiting Specialists and Others

by Kim C. Stanger, Holland & Hart LLP

Recent Stark law amendments will make it easier for physicians to share space, and for hospitals to provide space, equipment, and services to visiting specialists and other physicians on a non-exclusive, “as-needed” basis. Hospitals and physicians may want to review their current lease arrangements to determine whether the new exception is a better fit for their current or future relationships and, if so, structure their arrangements accordingly.

Prior Law. The federal Ethics in Patient Referrals Act (“Stark”) generally prohibits physicians from referring patients for certain designated health services (“DHS”) payable by Medicare to entities with which the physician has a financial relationship unless the relationship is structured to fit within a regulatory safe harbor. (42 USC 1395nn; 42 CFR 411.353). Providing space or equipment to a referring physician generally creates a financial relationship that triggers Stark[1]; consequently, such arrangements generally needed to be structured to satisfy Stark safe harbors for leases of space or equipment. Unfortunately, those safe harbors required, among other things, that the physician enter a formal lease that provided for exclusive use of the leased premises or equipment during defined lease terms (42 CFR 411.357(a)-(b)); the physician and lessor were generally not permitted to share space or equipment during the lease term, nor could the lease be on an “as needed” basis. Traditional timeshare arrangements in which physicians share space or equipment on a non-exclusive basis did not satisfy Stark, thereby forcing physicians and their landlords to enter formal, inefficient, and sometimes impractical lease arrangements.