HIPAA Today: Individual access to PHI vs. Rx printout

October 20, 2003

Patients have a right to a copy of their protected health information under HIPAA

 

HIPAA Today

Individual access to PHI vs. Rx printout

By Walter L. Fitzgerald Jr., R.Ph., J.D.

The Health Insurance Portability & Accountability Act grants to individuals a right of access to inspect and obtain a copy of their protected health information in the designated record set of a covered entity, for as long as the PHI is maintained in the designated record set. But prior to HIPAA, requests for PHI were occurring at the pharmacy. Consider the routine request for a "printout" of prescriptions dispensed over the past year.

It is essential to recognize that the right to access PHI granted by HIPAA extends beyond a printout of Rxs dispensed. For example, with such a printout, the pharmacy likely created, using a function of the Rx dispensing software, a relatively simple list of Rxs dispensed. Information on this list may have included the patient name, drug name, quantity dispensed, and amount paid.

While such a list may have been provided to the patient, the actual electronic patient profile maintained by the pharmacy likely was not provided. Indeed, providing the actual profile would not be necessary if the patient's request was for prescriptions over the past year since the profile contained information for a longer period. But under HIPAA, the patient has a right to inspect and obtain a copy of the actual patient profile maintained by the pharmacy.

HIPAA defines a designated record set as a group of records maintained by or for a covered entity that is:

  • the medical and billing records about the individual

  • enrollment, payment, claims adjudication, and case or medical management record systems

  • used, in whole or in part, to make decisions about individuals

For purposes of this definition, the term record means any item or collection of information that includes PHI and is maintained, used, or disseminated by or for a covered entity. Records that come to mind include Rxs on file, patient profiles, and billing/claims records.

But upon a request for access to PHI, the privacy official should ensure that access is allowed to all records containing PHI. For example, if the pharmacy requires patients to complete a form for purposes of collecting information for incorporating into the electronic patient profile and the form is maintained by the pharmacy, access to the form should be provided.

Three exceptions exist to the granting of access to PHI. They are:

  • psychotherapy notes

  • information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding

  • PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments to the extent the provision of access to the individual would be prohibited by law or exempt from CLIA.

In relation to these exceptions, HIPAA permits a covered entity to deny access to PHI on the basis of "unreviewable grounds" and "reviewable grounds." Unreviewable grounds of significance to a pharmacy are the following:

  • The PHI is one of the three types of information listed above.

  • The request is from a prisoner, if obtaining the PHI would jeopardize the health, safety, custody, or rehabilitation of the prisoner or other inmates, or the safety of any other person at the prison.

  • The PHI maintained by the covered entity was obtained from someone other than a health provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the PHI.

Reviewable grounds of significance to pharmacy are the following:

  • A health provider has determined that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.

  • The PHI makes reference to another person (unless the other person is a healthcare provider) and a health professional has determined that the access requested is likely to cause substantial harm to the other person.

  • The request for access is made by the individual's personal representative and a health professional has determined that granting access to the representative is reasonably likely to cause substantial harm to the individual or another person.

If the basis for denial of access is a reviewable ground, the individual has a right to have the denial reviewed by a health professional designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny the request. The covered entity must provide or deny access in accordance with the decision of the reviewing official.

Finally, there are a number of "implementation specifications" with which the covered entity must comply, such as responding within 30 days of the receipt of the request and notifying the individual in writing if the request is denied, including whether the denial is based upon an unreviewable or reviewable ground. These specifications can be found by referring to 45 CFR 164.524 in the HIPAA resource maintained by the pharmacy. (For more on HIPAA, see "Solutions for compliance with HIPAA regulations".)

The AUTHOR, a pharmacist-attorney, is a professor of pharmacy at the University of Tennessee College of Pharmacy and author of the NCPA HIPAA Compliance Handbook for Independent Pharmacy. To access the NCPA Web site, go to: www.ncpanet.org .

 

Walter Fitzgerald. HIPAA Today: Individual access to PHI vs. Rx printout. Drug Topics Oct. 20, 2003;147:39.