 HIPAA Privacy Program Compliance Manual
Patient Rights
The HIPAA Privacy Regulations create certain specific rights for patients with respect to their protected health information (PHI):
Right to Request Certain Restrictions on Uses and Disclosures of PHI
Right to Request Confidential Communications of PHI
Right to Receive a Notice of Privacy Practices
Right to Obtain Access and Copy PHI
Right to Request Amendment of PHI
Right to Receive an Accounting of Certain Disclosures of PHI
The Patient Rights listed in the HIPAA Privacy Regulations reflect a desire to give patients a degree of control over their health information. For the first time, federal law recognizes the right of a patient to have access to his/her health information, to correct errors in that information, and to learn about the ways in which that information is disclosed by the Hospital to others. In addition, the patient is granted certain rights to require the Hospital to communicate in a confidential manner and to request that the Hospital agree to certain restrictions in how the patient's health information is handled.
The following sets forth an overview of the Patient Rights that are provided in the HIPAA Privacy Regulations. For a more detailed explanation of each of these rights, please refer to the separate policies in this Chapter.
Right to Receive a Notice of Privacy Practices
With certain exceptions, HIPAA gives a patient the right to receive adequate notice of the uses and disclosures of PHI that may be made by the Hospital and of the patient's rights and the Hospital's duties with respect to PHI. Generally, the Notice must describe the patient's rights concerning PHI, how these rights may be exercised, and the types of uses and disclosures that may be made of PHI. The Notice also must describe the Hospital's duties concerning PHI and how a person may file a complaint with the Hospital or HHS if he/she feels that privacy rights have been violated. The Notice must identify the person or office a patient may contact for further information.
A Hospital must provide its Notice of Privacy Practices no later than the date of first service delivery to a patient after April 14, 2003. In an emergency treatment situation, the Hospital must provide the Notice as soon as reasonably practicable after the emergency. The Notice also must be available in a hard copy for a patient to take home. The Hospital is required to post the Notice on site in a clear and prominent location. If the Hospital maintains a web site with information about the services it provides, it must post the Notice prominently on its web site and make the Notice available electronically through the site. A Hospital may provide the Notice to a patient by e-mail as long as it has the patient's prior agreement to this.
Except in an emergency treatment situation, the Hospital must make a good faith effort to obtain from a patient written acknowledgment of his/her receipt of the Notice. If the Hospital does not obtain written acknowledgment, it must document its good faith efforts and the reason that the acknowledgment was not obtained.
Right to Request Restrictions on Uses and Disclosures of PHI
The Hospital must permit a person to request restrictions on the use or disclosure of his/her PHI for treatment, payment, and health care operations and disclosures to family members or others under certain circumstances. For example, a patient may request that a Hospital allow only certain providers to have access to his/her PHI. A Hospital is not required to agree to a patient's requested restriction, such as in cases where there are quality of care concerns. However, if the Hospital does agree to the restriction, then it must abide by its agreement, except in cases where the PHI is needed for emergency treatment.
An agreement to restrict the use or disclosure of PHI may be terminated if the patient requests or agrees to the termination in writing. A patient may agree to termination orally if the oral agreement is documented. The Hospital may terminate its agreement if it informs the patient of the termination, except that the termination is effective only with respect to PHI created or received after the patient has been informed of the termination.
Right to Request Confidential Communications
Further, a Hospital must accommodate a patient's reasonable requests to receive communications of PHI from the Hospital by alternative means or to alternative locations. For example, a patient may request that a Hospital communicate with him/her only at home or request that the Hospital enclose mailings in envelopes. The Privacy Regulations prohibit a Hospital from requiring the patient to explain the basis for the request as a condition to providing communications on a confidential basis.
Right to Obtain Access and Copy PHI
With certain exceptions, a patient has the right to inspect and obtain a copy of his/her PHI in a Designated Record Set. A Designated Record Set means a group of Records concerning the patient maintained by or for a Hospital that consists of:
Medical Records
Billing Records
Information used to make decisions regarding the patient
Patients do not have a right to access information compiled for civil, criminal, or administrative actions or proceedings, or PHI subject to or exempt from disclosure to the patient under the Clinical Laboratory Improvement Amendments of 1988 (CLIA).
The Hospital may provide a patient with a summary of PHI requested in lieu of providing access to PHI or it may provide an explanation of the PHI to which access has been provided--if the patient agrees in advance to the summary or explanation and to any preparation fees imposed by the Hospital.
A Hospital may deny a patient's request to access his/her PHI (i) if access is determined to be reasonably likely to endanger the life or physical safety of the patient; (ii) where PHI references another person and access is likely to cause substantial harm to that other person; or (iii) where the request is made by the patient's personal representative and access is likely to cause substantial harm to the patient or others. If such access is denied for one of these reasons, the patient may request a review by a licensed health care provider who is designated by the Hospital and who did not participate in the original decision to deny access.
A Hospital also may deny a patient's request for access for the reasons set forth below. If the request is denied for one of these reasons, the patient is not entitled to a review of the decision.
If the information is exempt from access (see above)
If the Hospital is a correctional institution (or acting under the direction of a correctional institution), where the request is made by an inmate and access would jeopardize the health, safety, security, custody or rehabilitation of the requesting patient or certain other people
If the PHI concerns a research participant while the research is in progress, as long as the patient agreed to denial of access when giving consent to participate in the research and the Hospital has informed the patient that his/her right to access will be reinstated when the research is completed
Where records are subject to the federal Privacy Act
If PHI is obtained from someone other than a health care provider under a promise of confidentiality and access would likely reveal the source
If a Hospital denies a patient access to his/her PHI, the Hospital must provide a written denial to the patient stating the basis for the denial and the patient's right to review (if applicable) and describing how the patient can complain to the Hospital or the U.S. Department of Health and Human Services (HHS).
A Hospital may charge a reasonable, cost-based fee (which may be the per page copying charge allowable under Georgia law) for copying PHI, including the cost of supplies and labor, and postage if the patient requests materials to be mailed. A Hospital may not charge a patient the $20 retrieval fee otherwise allowed under Georgia law. A Hospital must respond to a request for access within thirty (30) days for records stored on-site. If records are stored off-site, then the Hospital has sixty (60) days to respond to a request. The deadline for responding may be extended once for up to thirty (30) days if the Hospital sends to the patient a written statement stating the reason for the delay and the date by which the Hospital will respond to the request.
Right to Request Amendment of PHI
A patient has the right to request an amendment of his/her PHI or a record about the patient in a Designated Record Set. This right applies to PHI created or obtained before or after the compliance date of the HIPAA Privacy Rule. It does not give a patient the right to alter his/her medical record and does not require the Hospital to delete existing records.
If the Hospital accepts an amendment, it must identify the records affected by the amendment and append the amendment, inform the patient of the acceptance, and obtain the patient's identification of and agreement to share the amendment with relevant persons. The Hospital must make reasonable efforts to inform and provide the amendment, within a reasonable amount of time, to (i) persons identified by the patient as having received PHI and needing the amendment and (ii) persons the Hospital knows to have PHI that is subject to the amendment and who may rely on the information to the detriment of the patient.
The Hospital may deny a patient's request for amendment for any of the following reasons:
The PHI was not created by the Hospital, unless the patient has a reasonable basis to believe the originator of the PHI is no longer available to act on the request
The PHI is not part of a Designated Record Set
The PHI would not be available for inspection by the patient
The PHI is accurate and complete as it stands
If the Hospital denies the requested amendment, it must provide the patient with a written denial. The written denial must state the basis for the denial, the patient's right to submit a statement disagreeing with the denial and how to do so, the right to request that future disclosures of PHI include the request and denial if a statement of disagreement is not submitted, and how to complain to the Hospital or HHS. If a patient submits a statement of disagreement to the Hospital, the Hospital may prepare a written rebuttal. If the Hospital prepares a written rebuttal, a copy of the rebuttal must be provided to the patient. If the patient files a statement of disagreement, subsequent disclosures of PHI must include the following (or a summary): the patient's request for amendment, the Hospital's written denial, the patient's statement of disagreement, and the Hospital's rebuttal (if any). If the patient has not filed a statement of disagreement, the request and response are appended to disclosures of PHI only upon request of the patient.
A Hospital has sixty (60) days to act on a patient's request for an amendment. This deadline may be extended once for up to thirty (30) days if the Hospital provides the patient with a written statement containing the reasons for the delay and the date on which the Hospital will respond to the request. If the patient has been provided with mental health, mental retardation, or alcohol/drug abuse services, the Hospital will be required under Georgia law to make the requested correction or indicate the reason for its inability to make the correction within 5 days of receipt of the request. Such patients also have a right to have a review of a decision not to make a requested correction.
Right to an Accounting of Disclosures
A patient has the right to receive an accounting of certain disclosures of PHI made by a Hospital during the prior six (6) years. This right does not apply to disclosures that occurred prior to April 14, 2003.
This right also does not apply to disclosures:
For treatment, payment, and health care operations
To the patient of PHI about him/her
For a facility's directory or to persons involved in the patient's care
For national security or intelligence purposes
To correctional institutions or law enforcement officials
To a health oversight agency or law enforcement official under certain circumstances
Pursuant to a written authorization from the patient
An accounting must provide for each disclosure: (1) the date of the disclosure, (2) the name of the entity or person who received PHI and address if known, (3) a brief description of PHI disclosed, and (4) a brief statement of the purpose of the disclosure (or copy of the request for disclosure).
The Hospital must act on a request for an accounting within sixty (60) days. One extension of up to thirty (30) days is permitted if the Hospital sends the patient a written statement of the reasons for the delay and the date by which the Hospital will respond. The Hospital must provide free of charge one (1) accounting per any twelve (12) month period. For additional requests during that same twelve (12) months, the Hospital may charge a reasonable, cost-based fee to prepare the accounting as long as the patient is informed of the fee in advance.