Implementing the Federal Health Privacy Rule in California: A Guide for Health Care Providers

Prepared for: CALIFORNIA HEALTHCARE FOUNDATION
Prepared by: Health Privacy Project
Author: Joy Pritts, J.D.
February 2002

Acknowledgments

Health Privacy Project is a part of the Institute for Health Care Research and Policy at Georgetown University. The Health Privacy Project is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and a community level. Additional background information on health privacy can be obtained by visiting www.healthprivacy.org.

The author would like to acknowledge the participation of a group of individuals whose expertise, industriousness, and guidance were essential to this report: Janlori Goldman, Director, Health Privacy Project; Sam Karp and Claudia Page, California HealthCare Foundation; and Scott Sanders, High Noon Communications. A special thank you also goes to the following professionals for taking time out of their busy schedules to review this guide; their input was invaluable: Catherine I. Hanson, Vice President and General Counsel, California Medical Association; Steven M. Fleisher, Vice President and General Counsel, MEDePass, Inc.; and Regina M. Boyle, J.D., Director of Legal Services, California Primary Care Association.

The California HealthCare Foundation (CHCF) is an independent philanthropy committed to improving California’s health care delivery and financing systems. Our goal is to ensure that all Californians have access to affordable, quality health care. CHCF’s work focuses on informing health policy decisions, advancing efficient business practices, improving the quality and efficiency of care delivery, and promoting informed health care and coverage decisions. The iHealth Reports series focuses on emerging technology trends and applications and related policy and regulatory developments.
Additional copies of this report and other publications in the iHealth Report series can be obtained by calling the California HealthCare Foundation’s publications line at 1-888-430-CHCF (2423) or visiting us online at www.chcf.org.

Disclaimer

This guide is intended to provide information related to the requirements for implementing the HIPAA Privacy Rule as of the date hereof. It is provided with the understanding that the authors and publishers are not engaged in rendering legal or other professional services. To obtain more current information on the Privacy Rule, or if legal advice or other expert assistance is required, the services of a competent professional should be sought. The authors and publishers specifically disclaim any liability, loss or risk incurred as a consequence of the use, either direct or indirect, of any information presented herein.

ISBN 1-929008-82-1
Copyright © 2002 California HealthCare Foundation

Contents

Overview
Purpose
I. Background
   The Value of Health Information
   Why Health Privacy Matters
   Protecting Health Privacy
II. The Federal Health Privacy Rule
   Introduction
   Who Is Covered?
   What Is Covered?
   Requirements
   Compliance
   Remedies and Penalties
III. The Interaction of the Federal Health Privacy Rule and California Privacy Laws
   Introduction
   Complying with Both State and Federal Laws
IV. The Confidentiality of Medical Information Act and the Patient Access to Medical Records Act
   Background
   Restrictions on Use and Disclosure of Health Information
   Patient Rights
   Administrative Requirements
   Looking Ahead
Appendices
   Appendix A: Key Resources for Implementation Assistance
   Appendix B: Checklist of Key Items for Implementation
Endnotes

Overview

This guide is intended for those health care providers who are subject to two of the major health privacy statutes in California: the California Confidentiality of Medical Information Act[1] and the Patient Access to Medical Records Act.[2] These providers include the following licensed health care professionals and facilities:

- Physicians
- Osteopaths
- Surgeons
- Podiatrists
- Dentists
- Optometrists
- Psychologists
- Chiropractors
- Marriage, family, and child counselors
- Clinical social workers
- Hospitals
- Community clinics
- Outpatient clinics
- Home health agencies
- Others[3]

Pharmacists, acupuncturists, and other providers who are not subject to the Patient Access to Medical Records Act should consult Implementing the Federal Health Privacy Rule in California: A Guide for Pharmacists, a CHCF publication specifically designed for their needs.

Purpose

This guide is designed to help California health care providers to comply with the new Federal Health Privacy Rule, which was issued by the U.S. Department of Health and Human Services in December 2000. The guide is specific to holders of health information in California, which has its own state health privacy laws. The guide is meant to serve as a general road map for implementing the Privacy Rule and will help providers begin the process of determining what steps they will need to take to come into compliance with the Privacy Rule in April 2003.
The guide, however, is not a step-by-step manual for bringing a health care practice or organization into compliance. It provides a thorough understanding of what will and will not be required under the Privacy Rule and will help individuals and organizations begin to think about how to best integrate those requirements into existing practices. As implementation draws near, it will be important to consult other resources, as appropriate, to ensure full compliance. Specifically, the guide:

- Provides background on the value of health information and health privacy;
- Explains the Privacy Rule—how it came into being, who and what it covers, and its general framework;
- Discusses, in general, the preemption provisions of the Privacy Rule and explains the resulting relationship between the federal rule and California health privacy laws; and
- Analyzes how health care providers such as doctors, dentists, hospitals, and outpatient clinics will be required to implement the Privacy Rule and the rights it provides to patients to access and amend their health information in light of existing California law.

I. Background

The Value of Health Information

Health care providers are naturally aware of the value of health information. Its primary value is the key role it plays in the provision of high-quality care to the patient. Without information about a patient’s condition, providers cannot offer adequate care, nor can payers cover the cost of that care. Some other uses of health information also benefit patients and the larger community, while others primarily benefit the holder of the information. Such secondary uses include:

- Managing disease;
- Ensuring quality and accountability;
- Investigating fraud and abuse;
- Monitoring public health;
- Ensuring adequate government oversight; and
- Expanding commercial activities.
Why Health Privacy Matters

Given the numerous uses of health information and the number of people who have access to health information in today’s complex health care system, many patients have concerns about the privacy of their own identifiable health information. Patients fear that their employers, family members, or friends may discover that they have a sensitive health condition that could negatively impact their job security, relationships, or personal safety. Among those with heightened concerns are adolescents, immigrants, mental health patients, people with HIV/AIDS, and victims of domestic violence.

These concerns are magnified by the increased use of technology by health care organizations. While computerized records and use of the Internet can provide greater protections for information, they also open the door for broader access if confidentiality and security are breached. In fact, the media reports regularly on health privacy and security violations.

Many patients have developed a variety of “privacy-protective” behaviors to shield themselves from what they consider to be harmful and intrusive uses of their health information. A poll conducted for the California HealthCare Foundation in January 1999 found that:

- One in five American adults believes that a health care provider, insurance plan, government agency, or employer has improperly disclosed personal medical information. Half of these people say it resulted in personal embarrassment or harm.
- One in six American adults says he or she has done something out of the ordinary to keep personal medical information confidential. Among the actions reported are: going to another doctor; paying out-of-pocket for services; not seeking care; giving inaccurate or incomplete information on a medical history; and asking a doctor not to write down the health problem or record a less serious or embarrassing condition.
- Only a third of U.S. adults say they trust health plans and government programs like Medicare to maintain confidentiality all or most of the time.

Protecting Health Privacy

As a result of these fears and their negative impact on the quality of health care, many states—including California—and the Federal government have enacted protections for health information. These laws vary considerably as to the entities and types of specific information they cover and the strength of the protections that they provide.

II. The Federal Health Privacy Rule

Introduction

In the last few years, health privacy has emerged as a prominent health care policy issue at the federal level. Although Congress has recognized the importance of protecting the confidentiality of health information, it has been unable to pass any comprehensive health privacy legislation. Congress did, however, give limited authority to the U.S. Department of Health and Human Services to issue regulations protecting the privacy of health information. Understanding the genesis of the Federal Health Privacy Rule is important for understanding the scope of the federal rule and how it operates.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes a major initiative intended to cut administrative health care costs by standardizing health care transactions. The provision, known as “Administrative Simplification,” is aimed at facilitating the exchange, storage, and analysis of health information in uniform format across entities. Prior to HIPAA’s passage, this move towards standardization raised serious privacy concerns. To reconcile these competing priorities of safeguarding privacy and easing the flow of health data, Congress included in HIPAA a requirement that if it failed to pass comprehensive health privacy legislation by August 1999, the Secretary of the United States Department of Health and Human Services (HHS) would issue regulations. Despite the introduction of numerous proposals, Congress failed to meet its deadline, and the duty passed to HHS to promulgate health privacy regulations.

As required under HIPAA, the Secretary of HHS issued final health privacy regulations in December 2000[4] (see Timeline below). After a short delay, the final regulation, known as the “Privacy Rule,” became effective April 14, 2001. The Privacy Rule has the force of law. Compliance with the Privacy Rule is generally required by April 2003. Although the Privacy Rule is “final,” that does not mean that it will not be changed. HHS has made it clear that it intends to engage in additional rule-making to substantively change the rule in the near future.[5]

Privacy Rule Updates: To receive email notification on changes to the Privacy Rule and other health privacy news, sign on to the Health Privacy Project’s listserv at http://www.healthprivacy.org.

Timeline

November 3, 1999: Draft rule published in the Federal Register.
February 17, 2000: Public comment period closes. The Department of Health and Human Services received more than 52,000 comments on the draft.
December 28, 2000: The final privacy rule is published in the Federal Register.
April 14, 2001: The rule becomes effective, but covered entities do not yet have to comply with it.
July 6, 2001: HHS releases guidance interpreting the final rule.
April 14, 2003: Covered health care providers and most health plans must be in compliance with the rule.
April 14, 2004: Small health plans must be in compliance.

Who Is Covered?

The Privacy Rule does not apply to everyone who receives or maintains health information. Congress authorized HHS to issue regulations only with respect to three specified types of entities that transfer or maintain health information. The Privacy Rule, therefore, directly applies only to:

- Health plans;
- Health care clearinghouses; and
- Health care providers who transmit health information in electronic form in connection with specified financial and administrative transactions (such as claims for payment).[6]

These persons and organizations are referred to as “covered entities.”[7] Any person or organization that provides or pays for health care should review these provisions carefully to determine whether or not they are covered by the Privacy Rule.

Health Plans

The definition of “health plan” is quite broad and generally includes any individual or group plan that provides or pays for medical care.[8] The term encompasses both private and governmental plans. It includes health insurance issuers and HMOs. High-risk pools are specifically covered, as are Medicaid and Medicare plans. Additionally, most employee health benefit plans are covered.

The Privacy Rule specifically excludes certain entities that provide or pay for health care. For example, small employee health benefit plans (fewer than 50 participants) that are self-administered are exempt. Likewise, workers’ compensation carriers are excluded from the definition of health plan. Furthermore, government-funded programs that only incidentally provide or pay for the cost of health care are not health plans.[9]

Health Care Clearinghouses

“Health care clearinghouse” is a term of art under the Privacy Rule, and differs somewhat from the manner in which the term is generally used. Under the Privacy Rule, a health care clearinghouse is an entity that translates health information received from other entities either into or from the standard format that will be required for electronic transactions under HIPAA.[10] For instance, many health providers use the services of a health care clearinghouse to process their claims information into a standard format for submission to a health plan.

Health Care Providers Who Electronically Transmit Health Information

The Privacy Rule covers health care providers who transmit health information in electronic form in connection with HIPAA standard transactions.[11] A health care professional or facility must meet all three of the following criteria to be covered by HIPAA.

Health care provider. For purposes of the regulation, “health care provider” includes any person or entity that furnishes, bills, or is paid for health care in the normal course of business.[12] “Health care,” in turn, is broadly defined as “care, services, or supplies related to the health of an individual.”[13] Thus, the term health care provider includes both persons (such as dentists and podiatrists) and entities (such as hospitals and clinics). It includes mainstream practitioners (such as physicians, nurses, and psychotherapists), as well as providers of alternative care (such as homeopaths and acupuncturists). The Privacy Rule also covers both the providers of care and services (such as practitioners) and the providers of health supplies requiring a prescription (such as pharmacists and hearing aid dispensers). However, the Privacy Rule is not intended to encompass blood banks, sperm banks, organ banks, or similar organizations.[14]

Transmitting health information electronically.[15] To “transmit health information in electronic form,” a provider must transfer personally identifiable health information via computer-based technology. Using the Internet, an Intranet, or a private network system will bring a provider within the reach of the Privacy Rule. Similarly, information transferred from one location to another using magnetic tape or disk is covered by the Privacy Rule. In contrast, sending information via fax is not considered to be transmitting information electronically.

Standard transactions.[16] To come within the scope of the Privacy Rule, the health information must be transmitted in standard format in connection with one of the financial and administrative transactions listed in Section 1173 of HIPAA. These transactions include, but are not limited to, health claims, determining enrollment and eligibility in a health plan, and referral authorization.[17] Providers who submit health claims electronically will be required to transmit them in standard format by October 2003 at the latest.[18]

In addition to covering those providers who directly engage in such transactions, the Privacy Rule also covers those who rely on third-party billing services to conduct such transactions on their behalf.[19] In contrast, providers who operate solely on an out-of-pocket basis and do not submit insurance claims probably will not be subject to the rule. For instance, an Internet pharmacy that only accepts credit card payments will not be covered by the Privacy Rule. If this Internet pharmacy also accepts insurance payments, however, then it may be covered by the rule.

Requirements

In the broadest of terms, the Privacy Rule does two things: (1) it imposes new restrictions on how covered entities can use and share health information; and (2) it creates new rights for individuals concerning their own health information. A general overview of the requirements of the Privacy Rule follows. The specific implementation requirements will vary depending on existing California law and are discussed in the fourth section of this guide.

What Is Covered?

Generally, the Privacy Rule covers “protected health information” in any form that is created or received by a covered entity.[20] There are a number of elements that must be satisfied before health information is protected by the Privacy Rule. First, it must be “health information” as defined in the rule. Second, the health information must be individually identifiable. Finally, it must be created or received by a covered entity.[21] If health information meets these criteria, it is considered “protected health information” and is covered by the rule regardless of the media or form in which it is maintained or transmitted. This means that oral, written, and electronic information is protected health information.[26] Because this guide focuses on implementing the Privacy Rule, the term “health information” as used in this guide refers only to “protected health information,” i.e., individually identifiable health information created or received by a covered entity.

Health Information

“Health information” is broadly defined as meaning any oral or recorded information relating to the past, present, or future physical or mental health of an individual, the provision of health care to the individual, or the payment for health care.[22] This definition is broad enough to encompass not only the traditional medical record but also physicians’ personal notes and billing information.

Individually Identifiable Information

“Individually identifiable health information” is health information that identifies or reasonably can be used to identify the individual.[23] Health information that has been “de-identified” is not covered. A covered entity may de-identify health information by removing specific identifiers (including, but not limited to, name, social security number, medical record number, and address). Alternatively, a covered entity may treat information as de-identified if a qualified statistician, using accepted principles, determines that the risk that the individual could be identified is very small.[24]
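The identifier-removal approach to de-identification described above, as an added example that is not from the guide or from the Health Privacy Project: it strips the four identifiers the guide names (name, social security number, medical record number, address) from a constructed, fictitious patient record, and then sweeps the remaining free-text fields for the same identifiers, because an SSN or record number copied into a clinical note survives field removal. The field names, the SSN and MRN formats, and the sample record are assumptions for this example; the Privacy Rule’s own list of identifiers to remove is longer than the four shown here.

```python
import re

# Identifiers the guide names explicitly; field names are assumed for this
# example.  The Privacy Rule's own identifier list is longer than these four.
DIRECT_IDENTIFIER_FIELDS = ("name", "ssn", "mrn", "address")

# Assumed formats for identifiers that leak into free text: a US SSN written
# nnn-nn-nnnn, and a medical record number written "MRN" followed by digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE)


def drop_identifier_fields(record):
    """Naive approach: remove only the structured identifier fields."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def scrub_text(text, name=None):
    """Redact SSN and MRN patterns, and the patient's name when known, from free text."""
    text = SSN_RE.sub("[SSN]", text)
    text = MRN_RE.sub("[MRN]", text)
    if name:
        # Whole name first, then each part, so "Lopez, Maria" is caught as well.
        for token in [name] + name.split():
            text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text,
                          flags=re.IGNORECASE)
    return text


def deidentify(record):
    """Remove identifier fields, then sweep every remaining string field
    (diagnosis, clinical notes, ...) for identifiers copied into free text."""
    name = record.get("name")
    kept = drop_identifier_fields(record)
    return {k: (scrub_text(v, name) if isinstance(v, str) else v)
            for k, v in kept.items()}


def residual_identifiers(record):
    """Check step: report every SSN/MRN pattern still present in a string field."""
    found = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if SSN_RE.search(value):
            found.append((key, "ssn"))
        if MRN_RE.search(value):
            found.append((key, "mrn"))
    return found


# Constructed, fictitious sample record.
SAMPLE = {
    "name": "Maria Lopez",
    "ssn": "123-45-6789",
    "mrn": "MRN 0048213",
    "address": "12 Elm St, Fresno, CA",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt Maria Lopez (MRN 0048213, SSN 123-45-6789) reports improved glucose control.",
}

if __name__ == "__main__":
    print("field removal only leaves:", residual_identifiers(drop_identifier_fields(SAMPLE)))
    print("after free-text sweep:", residual_identifiers(deidentify(SAMPLE)))
    print(deidentify(SAMPLE)["note"])
```

The check in residual_identifiers is the part worth keeping in a real pipeline: run it over the output before release, and treat any hit as a failure of the de-identification step rather than something to clean up by hand. Pattern matching of this kind only catches identifiers in formats you anticipated, which is one reason the guide’s alternative of a statistical determination of re-identification risk exists.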
Created or Received by a Covered Entity

Health information that is “created or received by a covered entity” is protected under the rule.[25] Any health information that a patient would divulge to his or her doctor would be covered. In contrast, health information that is created or received by others is not covered. For example, if an individual fills out a health assessment survey as part of donating blood to the Red Cross, that information would not be protected because the Red Cross is not a covered entity.

General Restrictions on Use and Disclosure

The Privacy Rule governs the “use” and “disclosure” of protected health information by covered entities. These two terms have specific meanings within the context of the Privacy Rule.[27]

Use. Protected health information is used when it is shared, examined, applied, or analyzed within a covered entity that receives or maintains the information.

Disclosure. Protected health information is disclosed when it is released, transferred, allowed to be accessed, or otherwise divulged outside the entity holding the information.

In general, the Privacy Rule prohibits covered entities from using or sharing protected health information without the individual’s permission. The Privacy Rule then lists a number of exceptions where use and disclosure are permitted without the individual’s written permission. When disclosure is permitted without the patient’s permission, the Privacy Rule generally imposes conditions specific to the purpose for which the health information is being released. In order to use or disclose health information for a purpose that is not specified in the rule, the covered entity must first obtain a patient’s written permission.

Key Restrictions on Use and Disclosure

Some of the major restrictions on using and disclosing health information include:

Consent
- Health care providers who provide direct treatment to patients must obtain an individual’s written permission, a “consent,” prior to using or disclosing health information for treatment, payment, or health care operations purposes.[28]
- Health plans are not required to obtain such a consent.

Consent forms generally advise patients that their health information may be used for treatment, payment, and health care operations purposes and inform them of their general rights with respect to this information. Consents do not contain specific details of the covered entities’ use and disclosure of health information, but refer patients to the covered entities’ notice of privacy practices for this information. (See “Affording Patient Rights,” below.)

Authorization
- If the intended purpose of obtaining or using health information is not specifically permitted in the Privacy Rule, any covered entity must obtain an individual’s signed written permission, an “authorization,” prior to using or disclosing the health information.
- An authorization is generally used for purposes other than treatment, payment, or health care operations. Authorization forms are specifically required for many uses, such as disclosures of psychotherapy notes.
- In contrast to a consent, an authorization is a detailed form containing specifics about: (1) with whom information is being shared; (2) how it is to be used and disclosed; and (3) the length of time it is effective. These forms must be tailored to fit the particular purpose for which the health information is to be used or disclosed.

Minimum Necessary
- For most uses and disclosures, a covered entity is required to develop policies and practices reasonably assuring that the minimum amount of health information necessary is used or shared.
- This standard does not apply to requests by or disclosures to health care providers for treatment purposes.

Business Associates

In order to disclose protected health information to a third party who assists them with their business functions (business associates), covered entities are required to have contracts ensuring that the business associate will adequately safeguard the information.

Affording Patient Rights

The Privacy Rule also grants individuals a number of rights over their health information. The main rights include: (1) the right to receive a notice of information practices; (2) the right to see and copy their own health information; (3) the right to amend their health information, if it is inaccurate; and (4) the right to an accounting of disclosures.

Covered entities have the duty to ensure that individuals are able to exercise these rights with respect to protected health information that they maintain.

Administrative Requirements

The Privacy Rule requires covered entities to implement a number of administrative practices in order to ensure compliance. Among other things, covered entities are required to:

- Develop written privacy policies and procedures with respect to who has access to health information within an organization, how it will be used, and when the information may be disclosed;
- Put into place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information;
- Train personnel about the Privacy Rule;
- Designate a privacy officer, who will be in charge of implementing the Privacy Rule;
- Designate a contact person, whom people can contact with questions about privacy; and
- Maintain documentation of consents, authorizations, procedures and policies, training, and other activities undertaken in compliance with the Privacy Rule.

Compliance

Health care providers, health care clearinghouses, and most health plans that are covered by the Privacy Rule must comply with the new requirements by April 2003.[29] Small health plans (those with annual receipts of $5 million or less) have an additional 12 months to come into compliance[30] (see Timeline). It should be noted that these deadlines might change if HHS substantively alters the Privacy Rule through official rule-making procedures.[31]

The HHS Office for Civil Rights (OCR) is in charge of ensuring compliance with and enforcing the Privacy Rule.[32] In performing these functions, OCR’s general philosophy is to provide a cooperative approach towards compliance, including use of technical assistance and informal means to resolve disputes.[33]

On July 6, 2001, OCR issued its first set of guidance to answer many common questions about the new Privacy Rule and to clarify some of the confusion regarding the Privacy Rule’s potential impact on health care delivery and access.[34] Within its limited resources, OCR intends to continue to provide technical assistance to help covered entities implement the Privacy Rule.[35] The initial guidance and other information about the new rule are available on the Web at http://www.hhs.gov/ocr/hipaa.

Covered entities are not required to obtain prior approval from HHS for their compliance activities (such as developing privacy policies). Neither are they currently required to submit compliance reports, although this may change in the future.[36] Rather, compliance issues will come to the OCR’s attention primarily through two different means:

- Complaints. Anyone who believes that a covered entity is in violation of the Privacy Rule may file a complaint with OCR.[37]
- Compliance reviews. OCR has the authority to conduct compliance reviews to determine whether covered entities are complying with the requirements of the Privacy Rule.[38]

The rule requires covered entities to cooperate with any resulting investigations.[39] In these proceedings, covered entities are required to document that they have undertaken the necessary steps to achieve compliance (e.g., establishing a privacy policy).[40] They are also required to provide access to such protected health information and other relevant information as necessary for compliance and investigation purposes.[41]

Remedies and Penalties

HIPAA establishes civil and criminal penalties for violations of the Privacy Rule. There is a $100 civil penalty up to a maximum of $25,000 per year for each standard violated.[42] For knowing, wrongful disclosures of health information, a criminal penalty may be imposed.[43] It is a graduated penalty that may escalate to a maximum of $250,000 for particularly egregious offenses.

HIPAA does not give individuals a federal right to sue for violations of the Act. Because the Privacy Rule creates a new “duty of care” with respect to health information, it is possible, however, that violations may be the grounds for state tort actions.

The Privacy Rule does not contain any provisions specifically addressing penalties. Rather, HHS plans at a future date to issue an Enforcement Rule governing penalties that will apply to all of the regulations issued under the Administrative Simplification provisions of HIPAA, including the Privacy Rule.[44]

III. The Interaction of the Federal Health Privacy Rule and California Privacy Laws

Introduction

The Federal Privacy Rule was not issued in a vacuum. Privacy protective laws already exist in many states. California, in particular, has been in the forefront of enacting laws that protect the privacy of health information.

The Federal Privacy Rule essentially sets a national “floor” of privacy standards that protect the health information of all Americans. It preempts or overrides state laws that are contrary to the Federal Privacy Rule and that are less protective. State laws that are not contrary to the Federal Privacy Rule remain effective. A state law is “contrary to” the Federal Privacy Rule when:

- A covered entity would find it impossible to comply with both the state and federal requirements; or
- The provision of state law stands as an obstacle to the accomplishment and execution of the Federal Privacy Rule.[45]

Even if a state law is contrary to the Federal Privacy Rule, it will not be preempted if it is “more stringent.” Generally, a state law is considered to be more stringent if:

- It is more restrictive than the Federal Privacy Rule with respect to a use or disclosure; or
- It provides greater rights of access or amendment with respect to individuals’ access to their own health information.[46]

State Reporting Laws
Q: Will the Federal Privacy Rule interfere with state reporting laws?
A: No. HIPAA expressly excludes from federal preemption state laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health investigations. See 45 C.F.R. § 160.203(d).

In a state like California, where there are strong, detailed health privacy standards in place, there effectively will be dual tracks of regulation, one state and one federal, whose requirements often intertwine.

Complying with Both State and Federal Laws

A health care provider should first determine whether it is covered by the Federal Privacy Rule. It should then determine which health privacy laws it must already comply with under California law. Some of the major California health privacy statutes that may apply to a health care provider include:

- Confidentiality of Medical Information Act;[47]
- Patient Access to Medical Records Act;[48] and
- The Medi-Cal statute and regulations.[49]

Additionally, there are a number of state statutes that protect the privacy of health information associated with information gained through the treatment of certain medical conditions, including, but not limited to, the following:

- Mental health;[50]
- HIV/AIDS tests;[51] and
- Alcohol and drug dependency.[52]

Once health care providers have identified all the state laws that are particularly applicable to them, they will need to compare the provisions of the state laws to the requirements of the Federal Privacy Rule on an item-by-item basis. The Federal Privacy Rule has many standards that are similar to those in California privacy laws. When the standards are comparable, plans and providers should follow the “more stringent” standard. For example, the Federal Privacy Rule gives covered entities 30 days to respond to an individual’s request to inspect his or her own health information, while California law requires a response within 5 business days. To comply with both laws, follow the strictest standard—in this case, provide access within 5 business days. When the state and federal standards are not comparable, it will be necessary to determine if the state law is contrary to the Federal Privacy Rule and, if so, if it is more stringent. Making this determination will not always be a straightforward process. Using this guide should make it somewhat easier.

The following sections of this guide will discuss many of the provisions of the Federal Privacy Rule, California state laws, and how they interact. The purpose of this guide is to provide a general road map to the combined state and federal requirements that health care plans and health care providers will have to comply with upon implementation of the Federal Privacy Rule. From the state perspective, this guide focuses on the Confidentiality of Medical Information Act and the Patient Access to Medical Records Act. This guide does not identify or address all of the state health privacy laws that may be applicable to any given covered entity—it only highlights some of the major relevant state privacy laws.

The guide also only addresses some of the major changes in practice that the Federal Privacy Rule will require. The Federal Privacy Rule is lengthy and detailed, and careful reading of the entire rule will be necessary to ensure complete compliance.

Enforcing California Law
Q: Who will enforce the California health privacy laws after implementation of the Federal Privacy Rule?
A: California health privacy laws will continue to be enforced at the state level. Violation of a California law may result in the imposition of civil and/or criminal penalties by a California court, licensing body or regulating agency.
Q: Will patients have the right to sue?
A: Yes, in many cases. Many California health privacy statutes (e.g., Confidentiality of Medical Information Act) give patients the right to sue if their health information is improperly disclosed or if they are improperly denied access to their health information. Patients generally will retain these rights to sue for violations of their privacy rights under California law after implementation of the Federal Privacy Rule.

IV. The Confidentiality of Medical Information Act and the Patient Access to Medical Records Act

Background

The Federal Privacy Rule applies to “health care providers” who engage in certain electronic transactions. The term “health care provider” is broadly defined in the Privacy Rule and encompasses just about anyone who furnishes, bills, or is paid for health care or health care supplies pursuant to prescription.[53] It includes doctors, pharmacists, hospitals, clinics, counselors, physical therapists, and countless others. All of these providers are subject to the same set of requirements under the Privacy Rule.

In contrast, California law does not apply uniformly to all of these different providers. Some providers, such as doctors, hospitals, and health clinics, are subject to both the Confidentiality of Medical Information Act (CMIA) and the Patient Access to Medical Records Act (PAMRA). Other providers, such as pharmacists and acupuncturists, are covered by the CMIA but are not covered by the PAMRA.[54] Because large portions of the CMIA and the PAMRA will remain in place after the implementation of the Federal Privacy Rule, these differing groups of providers will continue to be governed by different rules. This guide only discusses those health care providers—listed at the beginning of the document—which are subject to both the CMIA and the PAMRA.
A separate guide is available for those health care providers, such as pharmacists and acupuncturists, that are subject to the CMIA but not the PAMRA.

Existing Requirements in California Law

Doctors, hospitals, outpatient clinics, and many other health care providers in California should be familiar with state laws governing the disclosure of medical information, such as the CMIA, which restricts how health care providers may disclose “medical information.”55 The CMIA covers individually identifiable information regarding a patient’s medical history, mental or physical condition, or treatment that is in the possession of or was derived from a provider of health care, a health care service plan, or a contractor. It protects information in electronic and physical form. Generally, the CMIA prohibits a provider from disclosing medical information without a patient’s written authorization.56 It then specifically lists a number of exceptions where disclosure is permitted without the patient’s permission. For each permitted disclosure, the CMIA generally imposes specific conditions dependent on the purpose of the disclosure. If a purpose is not enumerated in the CMIA, the health care provider must obtain a patient’s authorization prior to disclosure. The CMIA sets out the form and substance for such authorizations.57

In addition to the CMIA’s restrictions on the disclosure of medical information, the PAMRA requires these health care providers to furnish a patient access to his or her own medical records. Under the PAMRA, patients have the right to see, copy, and append their own medical records that are maintained by certain health care providers.58

Similarities Between California Law and the Federal Privacy Rule

The Federal Privacy Rule’s structure is fairly similar to California law: It prohibits the sharing of individually identifiable health information (“health information”)59 without the patient’s permission unless the purpose of the disclosure is permitted by the rule. When disclosure is permitted without the patient’s permission, the Privacy Rule generally imposes conditions specific to the purpose for which the health information is being released. If a purpose is not specified in the regulation, the provider must obtain a patient’s authorization prior to using or disclosing the health information. And like California law, the Federal Privacy Rule gives patients the right to see, copy, and amend their health information.

Key Differences Between California Law and the Federal Privacy Rule

The Privacy Rule differs from California law in the following key areas:

• A patient’s written consent generally must be obtained before a provider can use or disclose health information for the purposes of treatment, payment, and health care operations.
• Providers will be required to have contracts with those with whom they share information for administrative functions. These contracts must require those “business associates” to adequately safeguard the health information.
• In many circumstances, providers will be required to limit the health information they use and disclose to the minimum amount necessary to accomplish the intended purpose.
• Providers will be required to furnish a patient with a notice of privacy practices detailing how the provider may use and share health information, as well as informing the patient of his or her rights concerning his or her own health information.
• Providers will be required to undertake additional administrative duties to comply with the federal rule, such as implementing safeguards, training employees, designating a privacy official, and maintaining documentation of compliance with the regulation.

This implementation guide will focus on these major changes providers may have to implement under the Federal Privacy Rule. Providers should be aware, however, that there are also numerous other effects that the Privacy Rule will have on existing California law that are beyond the scope of this general guide.

Restrictions On Use and Disclosure of Health Information

Format of Health Information Protected

The Federal Privacy Rule expressly covers health information transmitted or maintained in any form or medium.60 Although the Privacy Rule’s restrictions on oral communications61 generated much controversy,62 this requirement should not substantively change the way health care providers practice in California. The inclusion of oral communications reflects many professional codes of ethics, which generally require that the health care professional maintain the confidentiality of medical information, and do not limit that requirement to information in physical form.63 And although the CMIA does not cover oral information,64 an individual’s right to privacy under California’s constitution would appear to be broad enough to prohibit inappropriate oral disclosures of personal medical information.65

Patient Consent: Treatment, Payment, and Health Care Operations

Health care providers, by the very nature of their occupations, receive and maintain vast quantities of identifiable health information. This information is primarily used for the “core” purposes of treatment of the patient, payment for the health care services, and for health care operations such as quality assessment and peer review. Currently, health care providers in California may use and disclose health information for these purposes without the patient’s express written permission.66 However, as a practical matter, for ethical and professional reasons, many health care providers routinely obtain a patient’s written permission to share their health information with others, such as insurance companies.

The Privacy Rule builds upon these informal practices and makes them law. Under the Privacy Rule, health care providers are required to obtain their patients’ consent prior to using or disclosing health information for treatment, payment, or health care operations.67 However, providers who have an indirect treatment relationship with a patient (such as a radiologist in a hospital setting who does not interact with the patient) need not obtain a patient’s consent.68 The Privacy Rule also specifies some circumstances (such as in emergencies or when the provider is required by law to treat the patient) where no patient consent is required.69

The activities encompassed by the consent requirement are fairly broad. “Treatment” includes not only providing health care to a patient, but also coordinating or managing the patient’s care with a third party, consulting with another provider, and referring a patient to another health care provider.

“Payment” includes: obtaining reimbursement for the provision of health care, billing, claims management, health care data processing, and other activities.

“Health care operations” includes: quality assessment (e.g., outcomes evaluation); case management and care coordination; peer review; accreditation and licensing; conducting or arranging for medical review, legal services, and auditing functions; customer service; business management; and other activities.

HIV/AIDS

California law gives heightened protection to HIV/AIDS information. Generally, a provider must obtain a patient’s written authorization specifically permitting the disclosure of the results of an HIV/AIDS test for each separate disclosure made. A patient’s signing a consent form required by the Federal Privacy Rule is not enough. The federal consent form is too general, does not specifically address HIV/AIDS information, and is not required for every separate disclosure.

There are exceptions to this general rule. For example, providers may disclose HIV/AIDS test results as required under state reporting laws. Additionally, no specific authorization is required for disclosures to a provider (excluding health care service plans) for the direct purposes of diagnosis, care, or treatment of the patient.

Consent Requirements

Although providers may be generally familiar with obtaining patients’ written permission to share their health information, the specific requirements for obtaining and using such consents under the Federal Privacy Rule are new.

First, the Privacy Rule permits providers to refuse to treat patients who will not sign a consent permitting the use and disclosure of their health information for treatment, payment, or health care operations purposes.70 The rule takes this approach in order to ensure that providers will be able to carry out their essential duties.

Additionally, it is not necessary for providers to obtain a new consent every time they see a patient. Rather, providers need to obtain consent from a patient for use or disclosure of health information for treatment, payment, and health care operations only once. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions.71

Revoking Consent

Q: Can a patient revoke his consent?

A: Yes, a patient has the right to submit a written revocation at any time.

Q: What happens if a patient revokes his consent after receiving treatment, but before the provider has received payment?

A: The general rule is that a revocation is not effective to the extent a provider has acted in reliance on it. Since the provider in this example relied on the consent in providing treatment, it will still be able to use the consent to obtain payment for that treatment.

Format of Consent Form

Under the Federal Privacy Rule, a consent form may not be part of a notice of privacy practices. These are two distinct documents. The consent must be written in plain language. It can be brief and contain general terms. If a provider desires, it can combine a consent for the use and disclosure of health information with another type of written legal permission from the individual (e.g., an informed consent for treating the patient). However, the consent for using health information must be visually separate from the rest of the document and be signed separately by the individual.72

Content of the Consent Form

In order to be valid, the consent must:

• Inform the patient that his or her health information may be used and disclosed for treatment, payment, and health care operations.
• Advise the patient of his or her right to:
  – Review the provider’s privacy notice;
  – Request restrictions on how information is used and disclosed for treatment, payment and health care operations purposes; and
  – Revoke consent.
• Be signed and dated by the patient (or his or her personal representative).73

Providers are required to keep copies of consent forms (either in paper or electronic format) for six years.74

Consent in an Integrated Health Care Setting

How will consent work in a hospital setting? Will the patient have to sign a separate consent form for the hospital and for each provider they may come into contact with?

Providers who practice in a clinically integrated care setting (such as a hospital) have the option of reducing paperwork by using a single joint consent form, which applies to a number of different providers working in one setting. In order to use a joint consent form, the providers must first furnish patients with a joint notice of privacy practices. This notice must provide a description of the providers and the service delivery sites to which it applies, in addition to all of the information otherwise contained in a privacy notice. If the providers covered by the privacy notice intend to share health information with each other to carry out treatment, payment, and health care operations, they must advise patients of this arrangement.75

Patient Ability to Restrict Consents

In certain situations, patients have heightened concerns about the confidentiality of their health information. A patient may have friends or relatives who are employees of the health care organization. Perhaps a patient has a sensitive medical condition or is apprehensive about receiving mail or phone calls at home. Such concerns may be more frequently associated with certain services, such as family planning, mental health treatment, treatment for sexually transmitted diseases, or for injuries resulting from domestic violence. Many providers already informally accommodate these concerns by limiting the health information that they share or by restricting the method in which they communicate with the patient.
The Privacy Rule formalizes these practices by giving patients the right to request restrictions and the right to request confidential communications. Signing a consent form provides a prime opportunity for discussing these potential limitations on the use and disclosure of health information for treatment, payment, and health care operations.

Right to Request Restrictions

Under the Privacy Rule, a patient has the right to request that a provider restrict how his or her health information is used or to whom it is disclosed for treatment, payment, and health care operations purposes.76 The provider does not have to agree to such a request. A provider is, however, bound by any restriction to which it does agree.77 A written documentation of an agreed restriction must be kept for six years.78

Right to Request Confidential Communications

The Privacy Rule also creates a right to request that communications be made by specific means or at specific locations.79 For instance, a patient could request that bills for health care services be sent to a relative’s house, instead of to her home. Providers must accommodate such requests if they are reasonable. The Privacy Rule recognizes that there may be practical consequences to accommodating a request for confidential communications and permits a provider to impose certain conditions on fulfilling such a request. A provider may require the patient to put the request in writing, to provide information as to how payment will be handled, and to specify an alternative address or another method of contact.

Planning Consent Forms and Procedures

• Providers who participate in organized health care arrangements should decide whether they want to use a joint consent with other participants.
• Draft a standard consent form for future use. Consents contain only general information and their wording is not dependent on specific privacy practices and policies. When a provider is prepared to distribute its notice of privacy practice, the consent form will be ready to use.
• Determine how consents will be processed and maintained.
• Determine how revocations will be made effective.

Minimum Necessary vs. Transaction Standards

Under the HIPAA transaction standards, providers who submit health-claims information electronically will be required to use a set format that includes certain data elements. For example, providers will be required to submit health claims to insurers in a standard format.

Q: How will the minimum necessary standard affect these standard transactions?

A: It depends on the specific data element at issue. The minimum necessary rule does not apply to those data elements that are required under the transaction standards. These required data elements can be submitted without any minimum necessary analysis. However, to the extent providing information on a standard form is discretionary, providers will have to conduct the minimum necessary analysis to determine whether providing such optional information is necessary to accomplish the intended purpose.

Minimum Necessary Standard

Existing Requirements. The CMIA currently limits the amount of health information that a provider can disclose in certain circumstances. For example, a provider may disclose health information to those responsible for paying for the health care services rendered to the patient, but only to the extent necessary to allow responsibility to be determined and payment to be made.80 Additionally, many providers have policies in place that limit the health information accessible to certain personnel. A hospital, for instance, may have a policy that allows staff pharmacists access only to prescription or medication information, as opposed to an entire medical record.

New Requirements. The Federal Privacy Rule builds on these existing rules and policies by generally requiring that covered entities, including providers, use and disclose the minimum amount of health information necessary to accomplish their goals. This is known as the “minimum necessary” standard. Providers should be aware that the “minimum necessary” standard generally applies to a broader range of circumstances than the limitations on disclosure imposed by California law.

Case-by-case Review Not Required. The Federal Privacy Rule is intended to make providers evaluate their privacy practices and improve them as needed to prevent unnecessary or inappropriate access to protected health information.81 For most routine purposes, the rule requires that providers have policies and procedures to use and share the minimum amount of health information necessary to accomplish the intended purpose. As a general rule, providers are not required to conduct a case-by-case review.

Exceptions. There are a number of major exceptions to the minimum necessary requirement. Most significantly, the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment purposes.82

Standard for Uses. For uses (i.e., using or sharing health information within a provider organization), a provider must identify those within its organization who need access to health information, the categories or type of information they need, and conditions appropriate to such access.83 For instance, a hospital may develop a policy that a clerk who schedules medical procedures only needs access to limited relevant health information. The provider must develop policies and procedures that implement its analysis and must document them in written or electronic form.84

Privacy Rule Impact on Treatment

Q: Does the Privacy Rule preclude a provider from using a patient’s entire medical record for treatment?

A: No. In fact, HHS anticipates that providers will have policies that allow a treating physician access to a patient’s entire medical record. There must, however, be a written policy in place that supports this use.85

Standard for Disclosures and Requests for Disclosures. First and foremost, it is important to remember that the minimum necessary standard in the Federal Privacy Rule does not apply to any disclosure to or request by a health care provider for treatment purposes.86 In contrast, the rule does apply for disclosures made for payment and health care operations purposes.

For other routine or recurring requests and disclosures, a provider’s standard policies must limit the protected health information disclosed or requested to the minimum amount necessary for that particular type of disclosure or request.87 These policies must also be maintained in written or electronic form.88

Requests from Other Covered Entities. Under the Privacy Rule, the requesting covered entity has the responsibility to request the minimum amount of health information necessary for the proposed purpose of obtaining the information. The covered entity releasing the information may (but is not required to) rely on the requesting covered entity.89 For example, health plans routinely request health information from health care providers to support a claim for payment. In this circumstance, the burden is on the health plan to request the minimum amount of health information necessary. To comply with the minimum necessary standard, the provider can rely on the request. The provider does have the option, however, of making its own determination as to the amount and type of health information necessary.

“Compliance will require identifying all of the privacy-related statutes... and doing a line-by-line comparison of these state requirements with those of the Privacy Rule. Providers will need to review their existing practices to see what changes they will need to make to come into compliance.”

Preparing to Implement the Privacy Rule: Key Questions

Perform a “health information” audit of your organization or practice answering some of these key questions:

• Who has access to health information within the organization or practice?
• Who should have access to health information?
• What type and amount of health information is reasonably necessary for employees to accomplish a specific job?
• Should there be a limit on the time frame in which they have access?
• Should there be other constraints on access (e.g., information should not be removed from the premises)?
• To whom does the provider disclose health information on a regular basis?
• What types of health information are requested?
• Is all the information requested necessary for the intended purpose?
• Is the provider willing to rely on requests from other covered entities, such as health plans, to establish the boundaries of what information is needed?

Business Associates: Sharing Health Information for Administrative Purposes

Existing Requirements. Health care providers routinely hire other companies and consultants to perform a wide variety of functions for them. Providers, for example, may work with outside attorneys, bill collectors, or accreditation organizations. Under the CMIA, providers currently may freely disclose health information without patient permission for a variety of these administrative purposes, such as billing, claims management, and medical data processing. The CMIA then prohibits the recipient of this health information from further disclosing it in a way that would violate the Act.90

New Requirements. This practice will change with the implementation of the Federal Privacy Rule. Providers will be prohibited from disclosing health information to outside sources who perform these types of administrative functions (“business associates”) unless they have entered into written contracts ensuring that the recipient of protected health information appropriately safeguards that information.91 Entering into business associate contracts will be a major change for many providers.

Determining Who Is a Business Associate. Under the Privacy Rule, anyone who performs a function involving the use of health information on behalf of a provider or who furnishes certain services (such as legal, actuarial, or other administrative services) to the provider is a “business associate.”92 A key element of being a business associate is that the person or organization receives health information either from or on behalf of a provider. Under this standard, a billing agency would be a business associate, while a supplier of paper products would not. The Privacy Rule is not intended to cover those who merely act as a conduit of protected health information, like the U.S. Postal Service.93

The Necessary Elements of a Business Associate Contract. The Privacy Rule contains a fairly lengthy, detailed list of provisions that must be included in a business associate contract. Among other things, the contract must provide that the business associate will:94

• Not use or further disclose the information other than as permitted or required by the contract or as required by law;
• Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
• Ensure that subcontractors who receive protected health information from a business associate agree to the same restrictions and conditions as in the contract; and
• Authorize termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract.

Violation of Contracts

Q: Can a health care provider be held responsible if a business associate violates a contract?

A: Only if the provider knew the business associate was materially violating its contractual duty to safeguard health information and did nothing about it. A plan that knows that its business associate engages in a pattern of activity or a practice that materially violates the privacy provisions of its contract must take reasonable steps to correct the situation. If these steps are unsuccessful, the plan is required to either: (1) terminate the contract if feasible; or (2) if termination of the contract is not feasible, report the problem to HHS. 45 C.F.R. § 164.504(e).

Sharing Health Information with Friends and Family of the Patient

As a matter of practice, providers often share health information with family members and close friends of the patient, particularly with those who are involved with the patient’s care. The Federal Privacy Rule does not prevent this practice, so long as the patient is given a chance to object. If the individual objects, the provider is prohibited from sharing health information with a patient’s family or friends.95

The Difference Between a "Consent" and an "Authorization"

Both are written permission forms that allow a provider to use and/or disclose health information. They substantially differ, however, in both substance and form.

A consent:
• Is ongoing. It is obtained one time, and is good until the patient revokes it;
• Is used only in relation to treatment, payment, and health care operations; and
• Contains only general information and refers a patient to a notice of privacy practices for details; can be a standard form.

An authorization:
• Is limited;
• Expires upon a specified date or event;
• Is used in relation to uses and disclosures of health information for purposes other than treatment, payment, or health care operations that are not otherwise permitted by the Privacy Rule; and
• Is detailed, providing specifics about who may receive information and how it is to be used.

Facility Directories

Some providers, such as hospitals, maintain a public directory of individuals at their facility. California statute currently restricts how this information may be collected and shared, permitting providers to use their discretion within the specified parameters.96 The Federal Privacy Rule has more stringent requirements for including health information in a facility directory. Therefore, by following the standards of the Federal Privacy Rule, providers should be able to comply with both state and federal law.

Under the Privacy Rule, providers will be required to inform patients that their health information may be included in a directory and generally identify to whom the information may be disclosed.97 Both the notice and any objection to inclusion in the directory may be made orally.
Even if a patient does not object, the provider may only disclose the health information to a person who asks for the patient by name.98 And the information that may be released is limited to the individual’s name, location in the facility, and condition described in general terms that do not include specific medical information about the individual.99

Uses and Disclosures That Do Not Require Authorization or Consent

Both the CMIA and the Federal Privacy Rule allow a provider to use and disclose health information without the patient’s consent or authorization in a number of circumstances.100 The laws generally impose conditions specific to the particular purpose for which the health information is to be used or disclosed. Due to the number of circumstances under which use and disclosure is permitted without any patient permission and the details of the related conditions, only a few of these purposes are discussed.

Law Enforcement. Under the CMIA and the Federal Privacy Rule, a health care provider may disclose health information pursuant to a search warrant lawfully issued to a governmental law enforcement agency.101 However, California’s Penal Code imposes more stringent restrictions on responding to search warrants for medical records when the target of the investigation is not the provider.102 For instance, the records may be released only to a “special master” (an attorney appointed by the court) rather than the law enforcement agent, and if the provider states that the items sought should not be disclosed, the items are to be sealed and taken to the court for a hearing. There are additional procedural requirements as well.103

Civil Discovery. A provider may disclose a patient’s health information in response to a subpoena issued in a civil proceeding only if the party requesting the information follows either of two specified procedures. The requesting party must either: (1) furnish the patient’s written authorization to release the records, signed by the patient or his attorney; or (2) furnish proof that it has served on the patient (at a very minimum 10 days prior to the specified production date) a copy of the subpoena and the affidavit supporting the issuance of the subpoena.104

Research. Both the CMIA and the Federal Privacy Rule permit providers to disclose health information for research purposes without the permission of the patient.105 Providers should be aware, however, that the conditions under which health information can be disclosed for research purposes are substantially altered by the Federal Privacy Rule. In the most general terms, in order to disclose health information to researchers, a provider will be required to obtain documentation that a waiver of authorization for the use and disclosure of health information was approved by either an Institutional Review Board (IRB), which reviews federally funded research; or a “privacy board,” a new board that will review privately funded research using the same principles as an IRB.106 The specific conditions under which health information can be used and disclosed for research purposes are quite detailed and should be reviewed closely.

Authorizations

Currently, under the CMIA, if a disclosure is not specifically permitted or required by the statute, a provider must obtain a patient’s authorization prior to disclosing medical information.107 The Federal Privacy Rule takes a similar approach. For purposes that are not expressly addressed in the Privacy Rule, a provider will be required to obtain a patient’s authorization prior to using or disclosing his or her protected health information.108 For example, a provider would be required to obtain a patient’s authorization prior to disclosing his or her health information to a health insurer for initial enrollment purposes.109

Essential Elements of Authorization Forms That Will Meet State and Federal Requirements. Because the authorization required by the Privacy Rule is quite similar to that provided for in the CMIA,110 most plans will probably prefer that requesters of information use a single authorization form that conforms to both federal and state requirements. In order to comply with both the

• State the name or functions of persons (organization) authorized to use or receive the information;119
• State the specific uses and limitations on the use of medical information by the persons authorized to receive the information;120
• Advise the individual of his or her right to receive a copy of the authorization;121
• Inform the individual of his or her right to revoke the authorization under the Federal Privacy Rule; and122
• Include a statement that information used or disclosed under the authorization may be subject to redisclosure by the recipient and may no longer be protected by the Federal Privacy Rule.123

When a health care provider seeks an authorization to use or disclose health information that it maintains, the authorization form must include additional elements.
Among other things, such CMIA and the Federal Privacy Rule, an authori- an authorization must:124 zation form must, at a minimum: s If applicable, state that the provider will not s Be written in plain language;111 condition treatment, payment, enrollment s Be handwritten by the person who signs it or in the health plan, or eligibility of benefits on be in 8-point typeface or larger;112 the individual’s providing the requested s Be separate (with some exceptions);113 authorization; and s Be signed and dated;114 s State that the individual has the right to refuse s Specifically describe the health information to to sign the form. be used or disclosed;115 A provider that obtains an authorization for its s State the specific limitations on the type of own uses or disclosures must furnish the individ- information to be disclosed;116 ual a copy of the signed authorization.125 s State the name or function of person (organi- zation) authorized to make the disclosure;117 s State the specific date after which the provider is no longer authorized to disclose the infor- mation;118 Implementing the Federal Health Privacy Rule in California: A Guide for Health Care Providers | 29 Information Related to Mental The request must include specific information Health Treatment related to psychotherapy treatment that is being Information related to mental health treatment requested; the specific intended use of the infor- is given heightened protection by both California mation; how long the information will be used; law and the Federal Privacy Rule. The rules and other information. The patient’s signature is vary depending on the specific type of mental not required on the request; however, a copy health information at issue. The CMIA contains must be provided. The patient may waive notifi- some restrictions on mental health information cation of the request by submitting a letter to generated in an outpatient setting with private this effect to the provider.127 therapists. 
The Lanterman-Petris-Short Act The heightened restrictions of the Federal Privacy imposes more extensive restrictive conditions on Rule will govern the disclosure of psychotherapy mental health information obtained in an institu- notes (i.e., notes documenting or analyzing tional setting (either voluntary or involuntary) or the contents of conversations taking place during pursuant to certain publicly funded community therapy that are maintained separately from the mental health treatment programs. rest of a patient’s medical record).128 A consent Mental Health Information Covered by the and a request under the CMIA will not be CMIA. A provider is required to comply with sufficient for disclosing these notes. Rather, a provisions of both the Privacy Rule and the detailed authorization signed by the patient that CMIA in order to disclose psychotherapy-related specifically permits the use or disclosure of psy- information. Both laws have discrete rules chotherapy notes is required for their release.129 governing psychotherapy-related information. Perhaps most importantly, health plans are pro- The Privacy Rule has particularly stringent rules hibited from making enrollment or payment of pertaining to psychotherapy notes. 
claims conditional on a patient’s signing such an authorization to disclose psychotherapy notes.130 When a third party requests health information related to psychotherapy (other than psycho- Information Subject to therapy notes) a provider may disclose the infor- the Lanterman-Petris-Short Act mation only if they have obtained: A signed Certain mental health information is governed general consent to use and disclose health infor- by California’s Lanterman-Petris-Short Act131 mation for treatment, payment, and health (LPSA) in lieu of the CMIA.132 The LPSA care operations (under the Federal Privacy Rule); imposes strict restrictions on the disclosure of and detailed written request from the person information obtained in the course of providing seeking the information (under the CMIA).126 mental health services: For example, if a health insurer requests informa- s To patients who are either voluntarily or invol- tion about a diagnosis related to psychotherapy, untarily treated in an institutional setting;133 a provider would need both a signed consent form (generally authorizing the provider to use or s Pursuant to a community mental health disclose health information for treatment, pay- treatment program (funded under the ment, and health care operations) and a written Bronzan-McCorquodale Act); or request from the insurer specifically detailing the s In the course of providing intake, assessment, information they require. or services to persons with developmental disabilities by or on behalf of a regional or state developmental center. 30 | CALIFORNIA HEALTHCARE FOUNDATION Providers who are subject to the LPSA will need Providers in California, however, should be aware to comply with both the Federal Privacy Rule that the CMIA appears to require a patient’s and state law. 
Many of the limitations on disclos- written authorization before engaging in many ure contained in the LPSA are more stringent marketing activities.140 Because this standard is than those contained in the Privacy Rule. more consumer-protective than the federal For example, under the LPSA, when a patient regulation, the state law will remain in effect. is unable to authorize the release of his or her This means that providers should get patients’ health information to family members, the written authorization before using or sharing provider may only disclose that the patient is their health information for marketing. present in the facility.134 Because this standard is more stringent than that contained in the Privacy Patient Rights Rule, the state law should be followed. Similarly, the LPSA provides that a researcher must sign an In addition to imposing restrictions on how oath of confidentiality as a condition of receiving providers can use and disclose protected health mental health information for research purposes, information, both California law and the Federal a requirement not found in the Privacy Rule.135 Privacy Rule grant patients rights with respect to their own health information. These rights are The Privacy Rule does, however, provide addi- based in fair information practice principles, tional protection for psychotherapy notes (i.e., which give patients the right to know how their notes documenting or analyzing the contents of information is being used and who it is being conversations taking place during therapy that shared with; to see and copy their own health are maintained separately from the rest of a information; and to amend it, if necessary. 
patient’s medical record).136 A detailed author- ization signed by the patient that specifically Notice of Privacy Practices permits the use or disclosure of psychotherapy Under the Federal Privacy Rule, covered health notes is required for the release of this material care providers will be required to give patients a for most purposes.137 Perhaps most importantly, written notice describing their privacy practices.141 health plans are prohibited from conditioning This will be a new requirement for California enrollment or payment of claims on a patient’s providers, which currently are not required to signing such an authorization to disclose furnish such notices under state law. psychotheraphy notes.138 Providers should furnish these privacy notices to Marketing patients on or before the first time they provide Among the more controversial aspects of the health care after April 14, 2003 (the compliance Federal Privacy Rule are the “marketing provi- date for the regulation). In addition to giving sions.” Under these provisions, providers are per- the patients a copy of the notice, providers must mitted to use health information for marketing post the notice on their premises. health-related products or services (their own or those of a third party), so long as the marketing material identifies the provider as the source and gives the patient the opportunity to “opt out” of receiving further materials.139 This gives the provider “one free shot” at sending the patient marketing materials before the patient is even given the opportunity to object. Implementing the Federal Health Privacy Rule in California: A Guide for Health Care Providers | 31 The Federal Privacy Rule is quite detailed in the Giving Patients Access content requirements for a notice of privacy to Their Own Health Information practices. Providers will need to consult the rule Existing Requirements. 
The PAMRA provides to determine the exact language that a notice patients a right of access to “patient records” requires in order to be in compliance. In general, maintained by specified health care providers a notice of privacy practice must:142 including doctors; dentists; psychologists; optometrists; clinical social workers; home health s Be written in plain language; agencies; marriage, family and child counselors; s Contain a prominent statement about how and hospitals and other health care facilities. health information may be used and disclosed; It generally requires health care providers to permit patients to see and copy their own s Describe how the provider protects health “patient records,” a term defined as “records in information under the Privacy Rule; any form. . . maintained by. . . a health care s Specify when health information may be provider relating to the health history, diagnosis, used or released without the individual’s prior or condition of a patient, or relating to treatment written consent or authorization; provided or proposed to be provided to the patient.”143 By recent amendments, it also grants s Describe, including at least one example, the many patients the right to submit a written types of uses and disclosures that a health care addendum to their medical record with respect to provider is permitted to make for treatment, any item or statement that they believe to be payment, and health care operations purposes incomplete or incorrect.144 under the Privacy Rule; s Describe individuals’ rights with respect to their protected health information (such as Providing Laboratory Tests Results their right to revoke an authorization and their Electronically right to amend their health information) and California requires providers to furnish the describe how to exercise those rights; results of lab tests to patients in oral or written form.145 Under recent amendments, health s Notify individuals how they may obtain access care providers 
may also deliver laboratory test to their health information, including obtain- results in electronic form if they obtain a ing copies; patient’s written authorization to do so. Patients may not be charged for electing to receive their s Include information about how an individual laboratory results in another format.146 can file complaints about privacy matters with both their provider and the U.S. Department of Health and Human Services; and s Provide the name of a contact person for additional information. 32 | CALIFORNIA HEALTHCARE FOUNDATION New Requirements. The Federal Privacy Rule Time Limits. A provider must allow a patient to has a similar regulatory scheme. It requires review his or her health information within five covered providers to permit patients to see working days of receiving a request.152 If a patient and copy their health information that is in a requests a copy of this information, the provider “designated record set,” a term that includes must furnish the copy within 15 days of receiving (with respect to providers) medical records, the request.153 billing records, and any other group of health Format. A provider may prepare a summary information that is used to make decisions about of the requested health information, rather than the individual.147 The Privacy Rule also grants allowing access to the entire medical record, if patients the right to request amendments to their the patient agrees to this format and to pay the health information if it is incorrect or inaccurate. fees associated with preparing the summary.154 Generally, the “floor” set by the Federal Privacy Rule is less detailed and protective than that Fees. In order to offset the costs of providing contained in PAMRA. 
access to health information, a provider may charge copying fees, which are set at 25 cents per Complying with both Federal and page for a photocopy and 50 cents per page for State Requirements microfilm.155 In addition, providers may charge The net result of the interplay between the for the labor cost of copying the documents, PAMRA and federal law is that, for the most as well as for postage.156 HHS takes the position part, providers who already comply with the state that providers may not charge for retrieving and statute will not be required to substantially handling the information or for processing the change their practices with the implementation request.157 It is unclear whether a provider that of the Federal Privacy Rule. The utilizes a third party record keeper that imposes a combined requirements of the state and federal charge to retrieve records may pass such a change law are discussed below. on to the patient. A provider can also charge a reasonable cost-based fee for explaining or sum- Scope. Patients in California have the right to marizing health information, where a patient has see and copy their health information that is agreed to this format.158 maintained by a health care provider. This right extends to medical records and billing records Denying Patients Access. In some circumstances, maintained by a covered provider.148 a provider is reluctant to provide a patient access to his own medical records for fear of the impact Requests. Under state law, a patient’s request to it may have on the patient. 
Under PAMRA, inspect or copy his or her health information a provider may deny access to only a narrow must be in writing.149 The Federal Privacy Rule will category of health information based on this allow this practice to continue so long as the premise—mental health records (i.e., information provider has given the patient notice that it only that relates to the evaluation or treatment of a accepts written requests.150 The provider should mental disorder).159 require the patient to provide reasonable verifica- tion of identity before responding to the request.151 Implementing the Federal Health Privacy Rule in California: A Guide for Health Care Providers | 33 Although state law determines the category of Accounting of Disclosures information that may be denied, the Federal The Federal Privacy Rule grants patients the Privacy Rule will set the standard under which right to receive an accounting of prior disclosures access may be denied.160 Under the federal of health information.165 This will impose regulation, a provider may deny a patient access a new duty on providers, who are not currently based on potential endangerment only when required to furnish such an accounting under granting access is reasonably likely to endanger the PAMRA. the life or physical safety of the patient or another person.161 Within 60 days of receiving a request, a provider is required to furnish the patient with a list of The Federal Privacy Rule also creates a new disclosures made within the past six years.166 framework for reviewing denials of access to This accounting is not as broad as it first appears. health information.162 A provider must furnish a First, it only applies to “disclosures,” i.e., infor- patient a written denial in plain language that mation shared with third parties. It does not generally explains the basis of the denial. This apply to “uses,” i.e., information utilized or notice must also advise the individual of his or shared within a provider’s organization. 
Addition- her right to have this decision reviewed. If the ally, the accounting provisions do not apply to patient requests a review, the provider must any disclosures that are made for treatment, promptly refer the material to a licensed health payment, or health care operations purposes.167 care professional who did not participate in the original decision. The designated reviewer, who is Providers will, however, be required to account selected by the provider, makes the final determi- for other disclosures that they may routinely make, nation whether the patient should be furnished such as those made to public health authorities, with access to the records.163 to researchers, and to health oversight agencies. Even if access is denied at this point, the patient Patients’ Right to Amend retains the right under California law to desig- Health Information nate another provider to review his or her health Patients in California will have two methods of information.164 At the patient’s request, the holder amending their health information after the of the records must furnish the health informa- Federal Privacy Rules are implemented—one tion to the designated provider for his or her based in state law, the other grounded in the review. That designated provider, however, is pro- Federal Privacy Rule. This results from the fact hibited from allowing the patient to see or copy that the state requirements, while different from the records. the federal requirements, do not conflict with them. Because each method has its own advan- tages, providers should expect to encounter and respond to both types of requests to amend. 34 | CALIFORNIA HEALTHCARE FOUNDATION State Procedure. California statutes provide a Denying Requests for Amendment. A provider fairly simple method for requesting amendments may deny a patient’s request for amendment if of health information. 
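The accounting-of-disclosures rules above (disclosures only, never internal uses; treatment, payment and operations disclosures exempt; a six-year lookback; a 60-day response deadline) have to be designed into a provider's audit logging in advance, because the accounting cannot be produced later from a log that never recorded whether information left the organization or why. The following Python is an added example, not code from the guide, from HHS, or from any provider: it applies exactly those rules to a constructed disclosure log. The log schema, patient identifiers, recipients and dates are all hypothetical. Note that 45 C.F.R. § 164.528 also exempts other categories the guide does not discuss (for example, disclosures made to the individual or made under the individual's authorization), so a production implementation must be checked against the regulation itself rather than against this summary.

```python
"""Accounting of disclosures: constructed example, not code from the guide.

Implements only the rules the guide states: disclosures (not uses), TPO
disclosures excluded, a six-year lookback, and a 60-day response deadline.
45 C.F.R. § 164.528 contains further exclusions that are not modelled here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Treatment, payment and health care operations (TPO) are exempt from accounting.
TPO_PURPOSES = {"treatment", "payment", "operations"}
LOOKBACK_YEARS = 6
RESPONSE_DAYS = 60


@dataclass(frozen=True)
class LogEntry:
    when: date
    patient_id: str
    kind: str          # "use" = inside the organization; "disclosure" = to a third party
    recipient: str     # who received the information
    purpose: str       # "treatment", "payment", "operations", "public_health", ...
    description: str   # what was shared, in general terms


def _as_date(d):
    """Accept an ISO date string or a date object."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def lookback_cutoff(request_date):
    """Earliest date the accounting must cover: six years before the request."""
    r = _as_date(request_date)
    try:
        return r.replace(year=r.year - LOOKBACK_YEARS)
    except ValueError:  # request dated Feb 29 and no Feb 29 six years earlier
        return r.replace(year=r.year - LOOKBACK_YEARS, day=28)


def response_deadline(request_date):
    """Last day on which the provider may furnish the accounting."""
    return _as_date(request_date) + timedelta(days=RESPONSE_DAYS)


def accounting_of_disclosures(log, patient_id, request_date):
    """Entries that belong in the accounting for one patient, oldest first."""
    r = _as_date(request_date)
    cutoff = lookback_cutoff(r)
    hits = [
        e for e in log
        if e.patient_id == patient_id
        and e.kind == "disclosure"            # internal uses never appear
        and e.purpose not in TPO_PURPOSES     # TPO disclosures are exempt
        and cutoff <= e.when <= r             # six-year window ending at the request
    ]
    return sorted(hits, key=lambda e: e.when)


def format_accounting(entries):
    """One line per disclosure: date, recipient, what was shared, and why."""
    return [f"{e.when.isoformat()}  {e.recipient}: {e.description} ({e.purpose})"
            for e in entries]


# Constructed sample log; patient IDs, recipients and dates are hypothetical.
SAMPLE_LOG = [
    LogEntry(date(2003, 5, 2), "P-100", "use", "billing office", "payment", "claim prepared"),
    LogEntry(date(2003, 4, 10), "P-100", "disclosure", "referral cardiologist", "treatment", "visit notes"),
    LogEntry(date(2002, 11, 20), "P-100", "disclosure", "county health department", "public_health", "reportable condition"),
    LogEntry(date(2001, 3, 15), "P-100", "disclosure", "IRB-approved study team", "research", "chart abstract"),
    LogEntry(date(1996, 5, 30), "P-100", "disclosure", "state licensing board", "oversight", "chart audit"),
    LogEntry(date(2002, 11, 20), "P-200", "disclosure", "county health department", "public_health", "reportable condition"),
]

if __name__ == "__main__":
    request = "2003-06-01"
    for line in format_accounting(accounting_of_disclosures(SAMPLE_LOG, "P-100", request)):
        print(line)
    print("respond by", response_deadline(request))
```

Run with a request dated June 1, 2003, the block lists the 2001 research disclosure and the 2002 public health report for patient P-100, drops the internal billing use and the treatment referral (exempt), drops the 1996 oversight audit (outside the six-year window), ignores the other patient's entry, and reports a response deadline of July 31, 2003. The point of `kind` and `purpose` being separate fields is that both tests are needed: a purpose of "treatment" exempts a disclosure, but a "use" is never accounted for regardless of purpose.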
State Procedure. California statutes provide a fairly simple method for requesting amendments of health information. Under recent amendments to the PAMRA, adult patients have the right to submit to their health care provider a written statement, no more than 250 words long, regarding any information contained in their medical records that they believe to be incomplete or inaccurate.168 The statement becomes part of the medical record and must be included whenever the provider discloses the contested information. Although this procedure is simple, it does not require any input or review by any health care provider and, therefore, may lack credibility.

Federal Procedure. Under the Privacy Rule patients will have the right to request that their provider amend their health information.169 Although the procedure for amendment under the federal regulation is more complex than under state law, it may be used by patients who believe that a change made by their provider will be more credible than a statement merely submitted on their own.

Providers may require patients to submit their requests in writing and to provide reasons supporting their request, so long as patients are informed of these procedural requirements in advance. The provider must act on the request for amendment within 60 days of receiving it.170

Accepting Requests for Amendment. If the provider accepts the request it must (1) make the appropriate amendment, and (2) inform the patient in a timely fashion that the amendment is accepted. The provider must then furnish the amendment to both entities identified by the individual and other entities known to have received the erroneous information.171

Denying Requests for Amendment. A provider may deny a patient's request for amendment if the provider determines that the information or record (1) was not created by the covered entity, unless the originator of the protected health information is no longer available to make the amendment; (2) is not a part of a designated record set; (3) would not be available for inspection (see summary of right of access above); or (4) is accurate and complete.172

If the provider denies a patient's request, it must give the individual a timely, written denial that includes (1) the basis for the denial, (2) the individual's right to submit a written statement disagreeing with the denial and how to exercise that right, (3) a statement that the individual can request the covered entity to include the individual's request and the denial with any future disclosures of the information (if the individual does not file a statement of disagreement), and (4) a description of how the individual can file a complaint with the covered entity or the Secretary of HHS.173

If the patient files a statement of disagreement, the provider can include a rebuttal to the patient's statement in the record. The provider must also give a copy of the rebuttal to the patient. The request for amendment, the denial, the statement of disagreement (if submitted), and rebuttal (if any), or a summary of such information must be provided with any subsequent disclosure of the protected health information.174

It should be noted that even if a patient initiates a request to amend under the federal regulations, he or she does not give up the right under state law to submit his or her own 250-word addendum.

Administrative Requirements

The Federal Privacy Rule will impose a number of administrative requirements on all covered health care providers. For the most part, these requirements are fairly general. HHS, recognizing that there are vast differences in the nature, size, and organization of health care providers, decided that a "one-size-fits-all" set of administrative requirements would not be workable. Rather, the administrative requirements are intended to be flexible and scalable, depending on the particular provider's circumstances.175 Some of the major administrative requirements are listed below.

Policies and Procedures

Providers must develop and implement policies and procedures for using and maintaining health information in compliance with the Privacy Rule.176 These policies and procedures should address, at a minimum, who has access to health information within the organization; how health information will be used within the organization; and when, to whom, and under what conditions the information may be disclosed.

Safeguards

A covered provider must have appropriate administrative, technical, and physical safeguards in place to protect the privacy of protected health information, and reasonably safeguard the information from intentional or unintentional use or disclosure.177 Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring file cabinets containing such records to be locked.178

HHS has emphasized that this rule requires only "reasonable efforts" to protect health information. The rule does not require hospitals or doctors' offices to be retrofitted to provide private rooms or soundproofed walls, or otherwise restructured.179 Rather, providers are urged to take a common sense approach.180

Sign-in sheets are somewhat problematic since by their very nature they disclose protected health information to others who are signing in for health care service. HHS expects to issue modifications to the Privacy Rule to clarify that sign-in sheets and similar practices will remain permissible.181

Training

A covered provider will be required to train all members of its workforce on the policies and procedures regarding protected health information required by the regulation no later than its compliance date. New members of the workforce should receive training within a reasonable period of time after they begin working.182

Again, training requirements are flexible and scalable. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice's privacy policies and requiring these members to acknowledge that they have reviewed them.183

Privacy Officer and Contact Person

The Federal Privacy Rule requires a covered provider to designate a privacy official for the development and implementation of its policies and procedures.184 In addition, a provider will be required to identify a contact person who is responsible for receiving complaints.185 At its option, the provider can designate one person for both functions.186

The implementation of these requirements will depend on the size and organization of the provider's office. For example, a small physician's practice might designate the office manager to assume these roles along with other administrative duties.187

Complaint Procedure

Providers must establish a process for individuals to file complaints about the provider's health privacy policies and practices and its compliance with the Federal Rule.188

Documentation

Providers will be required to maintain documentation in a variety of areas including, but not limited to, the following:
• Consents;189
• Agreed restrictions on using or disclosing health information for treatment, payment and health care operations;190
• Authorizations;191
• Disclosures for purposes other than treatment, payment and health care operations;192
• Minimum necessary policies for use and disclosure of health information;193 and
• Training of personnel.194

This documentation must be kept for six years from the date of its creation or the date it was last in effect, whichever is later.195

Health Information for Minors

The Federal Privacy Rule will not change how the health information of minors is treated. Under both the Patient Access to Medical Records Act and the Federal Privacy Rule, generally it is the parent (not the minor) who has the right of access to the minor's health information. Both laws make an exception, however, when the information relates to medical treatment for which a minor is authorized by law to consent. For example, in certain circumstances, a minor in California has the right to consent to reproductive services and mental health services. In these situations, the minor, not the parent, has the right of access to the related health information.

Looking Ahead

Clearly, the new Privacy Rule will require health care providers to make significant changes to their operations in order to comply with both the Privacy Rule and existing California laws. Understanding how the various laws interact and what practices will be required will be challenging. Compliance will require identifying all of the privacy-related statutes that apply to a particular provider and doing a line-by-line comparison of these state requirements with those of the Privacy Rule. Providers will need to review their existing practices to see what changes they will need to make to come into compliance. Hopefully, this guide has helped to begin that process. There is not a substantial amount of time for providers to complete the changes they will need to make and it is incumbent upon providers to use this period wisely.

Appendix A: Key Resources for Implementation Assistance

Department of Health and Human Services (HHS)
Information on all the Administrative Simplification requirements (including, but not limited to, the Privacy Rule): http://aspe.hhs.gov/admnsimp/index.htm.

Office of Civil Rights (OCR), HHS
Information on the Privacy Rule, including the text of the rule and technical guidance: http://www.hhs.gov/ocr/hipaa.

Massachusetts Medical Society HIPAA Resources
Useful links, questions/answers, and HIPAA implementation tips: http://www.mass.med.org.

American Health Information Management Association
Association that represents health information management professionals who work throughout the health care industry. HIPAA related articles, frequently asked questions, practice briefs, and links to other Web sites: http://www.ahima.org/hot.topics.

Health Privacy Project
Information about protecting the privacy of health information, including the Federal Privacy Rule, state health privacy laws, and current developments: http://www.healthprivacy.org.

Appendix B: Checklist of Key Items for Implementation

1. Adopt written privacy procedures, specifying:
• who has access to health information,
• how health information will be used within the provider's organization, and
• when the information may be disclosed.
(New under HIPAA)
2. Draft Notice of Information Practices. (New under HIPAA)
3. Draft Consent Forms. (New under HIPAA)
4. Revise or draft Authorization Forms. (CMIA and HIPAA)
5. Revise or draft Contracts with Business Associates. (New under HIPAA)
6.
Designate: s contact person for receiving complaints, and s privacy officer (can be same person). (New under HIPAA) 7. Train personnel about protecting privacy and requirements of Privacy Rule. (New under HIPAA) Implementing the Federal Health Privacy Rule in California: A Guide for Health Care Providers | 39 Endnotes 1. Cal. Civ. Code § 56-§ 56.37. 18. Congress recently passed the Administrative Simplification Compliance Act, Pub. Law 107-105, 2. Cal. Health & Safety Code § 123100 - § 123149.5. that permits covered entities that cannot meet the 3. The Patient Access to Medical Records Act applies October 2002 deadline for complying with the to all health facilities licensed pursuant to Cal. transactions regulations to obtain a one year delay. Health & Safety Code, Div. 2, Chap. 2 (commenc- In order to qualify for the one-year delay, a covered ing with Section 1250), as well as all clinics licensed entity must submit a compliance plan no later pursuant to Cal. Health & Safety Code, Div. 2, than October 2002. The date for complying with Chap. 8 (commencing with Section 1725). Cal. the Privacy Rule is not delayed or effected by Health & Safety Code § 123105. this Act. See 147 Congressional Record S13077 4. Standards for Privacy of Individually Identifiable (daily ed. December 12, 2001) (statement of Health Information: Final Rule, vol. 65, Federal Senator Dorgan). Register (“65 Fed. Reg.”) pp. 82462-82829 19. See Standards for Privacy of Individually Identifiable (Dec. 28, 2000). This rule is codified in title 45, Health Information: Final Rule, Preamble Code of Federal Regulations (45 C.F.R.). (“Preamble to Privacy Rule”) 65 Fed. Reg. 82477. 5. Standards for Privacy of Individually Identifiable 20. 45 C.F.R. § 164.500. Health Information: Guidance (hereinafter 21. 45 C.F.R. § 164.501 (defining “protected health “HHS Guidance”) (July 6, 2001). Available online information” and “individually identifiable health at http://www.hhs.gov/ocr/hipaa/. 
information” ) and § 160.103 (defining “health 6. 45 C.F.R. § 160.102 and § 164.104. information”). 7. 45 C.F.R. § 160.103 (defining “covered entity”). 22. 45 C.F.R. § 160.103 (defining “health information”). 8. 45 C.F.R. § 160.103 (defining “health plan”). 23. 45 C.F.R. § 164.501 (defining “individually 9. 45 C.F.R. § 160.103 (defining “health plan”). identifiable health information”). 10. 45 C.F.R. § 160.103 (defining “health care 24. 45 C.F.R. § 164.502 and § 164.514. clearinghouse”). 25. 45 C.F.R. § 164.501 (defining “individually 11. 45 C.F.R. § 160.102 and § 164.104 (explaining identifiable health information”). “applicability”). 26. There is some controversy over the scope of 12. 45 C.F.R. § 160.103 (defining “health care information that may be protected by HHS in the provider”). Privacy Rule. Some parties have challenged the constitutionality of the rule, contending that HHS 13. 45 C.F.R. § 160.103 (defining “health care”). only had the authority to regulate claims-related 14. 65 Fed. Reg. 82477. health information in electronic format. See South Carolina Medical Association v. HHS, No. 15. See Standards for Privacy of Individually Identifiable 01-CV-2965 (U.S.D.Ct. S. Car.) (filed 7/16/01). Health Information: Proposed Rule, Preamble (“Preamble to Proposed Privacy Rule”), 64 Fed. 27. See 45 C.F.R. § 164.501 (defining “use” and Reg. 59937 (November 3, 1999). “disclosure”). 16. There is some controversy concerning whether 28. Providers who have only an indirect treatment a provider must actually use the required format relationship with patients are not required to obtain to become a “covered entity” or whether it may consent. See 45 C.F.R. § 164.506(a)(2). An indirect become “covered” by merely electronically conduct- treatment relationship is one where the health care ing one of the transactions listed in HIPAA. provider does not directly interact with patients, such as many radiologists in hospital settings. 17. See 42 U.S.C. Sec. 
1320d-2(a) for the full list of See 45 C.F.R. § 164.501 (defining “indirect treat- electronic transactions that will trigger coverage of ment relationship”). the privacy regulation. 29. Even if a covered entity obtains a delay for com- plying with the transaction standards, it still must comply with the Pirvacy Rule by April 2003. See note 18 above. 40 | CALIFORNIA HEALTHCARE FOUNDATION 30. 45 C.F.R. § 160.103 (defining “small health plan”) 55. The CMIA applies to licensed health care pro- and § 164.534 (specifying compliance dates). viders, health care service plans licensed under the Knox-Keene Act, and contractors (medical groups 31. See HHS Guidance at 6-7, stating that HHS intends that do not technically fall within the other to alter the rule. categories). Cal. Civ. Code § 56.10. 32. Statement of Delegation of Authority, 65 Fed. 56. Cal. Civ. Code § 56.10. Reg. 82381 (Dec. 28, 2000). 57. Cal. Civ. Code § 56.11. 33. Preamble to Proposed Privacy Rule, 64 Fed. Reg. 6002. 58. Cal. Health & Safety Code § 123100 et. seq. 34. See HHS Guidance, note 5. 59. The definition of “health information” under the Privacy Rule appears to be broader than 35. See HHS Guidance, note 5, at 3; 45 C.F.R. “medical information” under the CMIA. § 160.304 and 65 Fed. Reg. 82603. 60. See 45 C.F.R. § 164.501 (defining “protected health 36. See 45 C.F.R. § 160.310. information”). 37. 45 C.F.R. § 160.306. 61. Oral communications do not have to be recorded. 38. 45 C.F.R. § 160.308. Since patients only have access to health infor- 39. 45 C.F.R. § 160.310. mation in “designated record sets,” as a practical matter they do not have access rights to oral 40. See discussion of documentation requirements in information. However, if oral communications “Administrative Requirements,” above. are recorded and used to make decisions about a 41. 45 C.F.R. § 160.310. person, oral information may become part of a designated record set and then must be made 42. 42 U.S.C. § 1320d-5. 
available to the patient upon request. Standards for 43. 42 U.S.C. § 1320d-6. Privacy of Individually Identifiable Health Infor- mation: Guidance at 28 (July 6, 2001) (hereinafter 44. Preamble to Privacy Rule, 65 Fed. Reg. 82488. “Guidance”). 45. 45 C.F.R. § 160.202. 62. See Robert Pear, White House Plans to Revise 46. 45 C.F.R. § 160.202. New Medical Privacy Rules, N.Y. Times, April 8, 47. Cal. Civ. Code § 56-§ 56.37. 2001 at 22. 48. Cal. Health & Safety Code § 123100 - 63. See American Medical Association Canon 5.05. § 123149.5. 64. Cal. Civ. Code § 56.10 and § 56.05(f) (defining 49. Cal. Welf. & Inst. Code § 14100.2. “medical information.”). 50. The Lanterman-Petris-Short Act, codified at Cal. 65. See Cal Const, art I § 1; Jeffrey H. v. Imai, Tadlock Wef. & Inst. Code § 5328 et seq. & Keeney, 100 Cal. Rptr.2d 916 (2000) (state constitutional right to privacy extends to the details 51. Cal. Health & Safety Code § 120775, § 120975 - of a person’s medical history). § 121020. 66. Cal. Civ. Code § 56.10. 52. Cal. Welf. & Inst. Code § 11970.5 - § 11977. 67. 45 C.F.R. § 164.506. 53. See 45 C.F.R. § 160.102 (defining “health care” and “health care provider”). 68. 45 C.F.R. § 164.506. 54. Both the CMIA and the Patient Access to Health 69. 45 C.F.R. § 164.506 Records Act apply to providers of health care. See 70. 45 C.F.R. § 164.506(b)(1). Cal Civ. Code § 56.10 and Cal. Health & Safety 71. HHS Guidance at 9. Code § 123110. However, due to differing defini- tions of the term “health care provider,” the Patient 72. 45 C.F.R. § 164.506(b)(3) and (4). Access to Health Records Act applies to a narrower 73. 45 C.F.R. § 164.506(c). category of providers than the CMIA. Compare Cal. Civ. Code § 56.05(h) (defining “provider of health care”) with Cal. Health & Safety Code § 123105 (defining “health care provider”). Implementing the Federal Health Privacy Rule in California: A Guide for Health Care Providers | 41 74. 45 C.F.R. . § 164.506(b)(6) and § 164.530(j). 97. 45 C.F.R. 
§ 164.510(a). 75. 45 C.F.R. § 164.506(f); § 164.520(d) and § 164.501 98. Providers may also disclose health information to (defining “organized health care arrangement”). clergy who do not ask for patients by name. 45 C.F.R. § 164.510(a). 76. 45 C.F.R. § 164.522. 99. 45 C.F.R. § 164.510(a). 77. 45 C.F.R. § 164.522. 100. See generally Cal. Civ. Code § 56.10 and 45 C.F.R. 78. 45 C.F.R. § 164.530(j). § 164.512. 79. 45 C.F.R. § 164.522(b). 101. Cal. Civ. Code § 56.10(b) and 45 C.F.R. § 164.512. 80. Cal. Civ. Code § 56.10(c)(2). 102. See Cal. Penal Code § 1524, which generally applies 81. Guidance at 20. when medical records are sought from a provider 82. 45 C.F.R. § 164.502(b) (explaining when who is not the target of a criminal investigation. minimum necessary standard applies). 103. Cal. Penal Code § 1524. 83. 45 C.F.R. § 164.514(d)(2). 104. Cal. Civ. Code § 56.10(b) Cal. Code of Civ. Pro. § 84. 45 C.F.R. § 164.530(j). 1985.3 and 45 C.F.R. § 164.512(f). 85. 45 C.F.R. § 164.514(d)(5); 65 Fed. Reg. 52544 105. Cal Civ. Code § 56.10 (c)(7) and 45 C.F.R. (“[W]e expect that covered entities will implement § 164.512(i). policies that allow persons involved in treatment to 106. 45 C.F.R. § 164.512(i). have access to the entire record, as needed”). 107. Cal. Civ. Code § 56.10. 86. 45 C.F.R. § 164.502(b)(2). 108. 45 C.F.R. § 164. 87. 45 C.F.R. § 164.514(d)(3) and (4). 109. See 65 Fed. Reg. 82490 (explaining that an authori- 88. 45 C.F.R. § 164.530(j). zation is required to release health information for 89. See 45 C.F.R. § 164.514(d)(3) and (4). purposes of pre-enrollment underwriting). 90. Cal. Civ. Code § 56.10(c)(3). 110. See Cal. Civ. Code § 56.11. 91. 45 C.F.R. § 164.502(e). 111. 45 C.F.R. § 164.508(c)(2). 92. 45 C.F.R. § 160.103 (defining “business associate”). 112. Cal. Civ. Code § 56.11. 93. 65 Fed. Reg. 82476. 113. See 45 C.F.R. § 164.508(b)(2). An authorization can be combined with other authorizations to 94. 45 C.F.R. § 164.504(e)(2). 
use or disclose health information. This rule does 95. Of course, if the family member is responsible not apply to authorizations to use or disclose psy- for payment of the health care services, disclosure is chotherapy notes, which must always be separate. permitted to the extent necessary to obtain pay- It also does not apply where a covered entity has ment pursuant to the patient’s signed consent form. conditioned the provision of treatment, payment or 45 C.F.R. § 164.506. enrollment in a health plan, or the eligibility of benefits on the provision of an authorization. 96. Under California law, upon an inquiry concerning a specific patient, a provider is allowed to disclose 114. Cal. Civ. Code § 56.11 and 45 C.F.R. certain health information unless the patient has § 164.508(c)(1). made a written request to the contrary. If the 115. 45 C.F.R. § 164.508(c). patient has not made such a request, the provider may, at its discretion, release any of the following 116. Cal. Civ. Code § 56.11. medical information: the patient’s name, address, 117. Cal. Civ. Code § 56.11 and 45 C.F.R. § 164.508(c). age, and sex; a general description of the reason for 118. Cal. Civ. Code § 56.11 and 45 C.F.R. § 164.508(c) treatment (such as a burn or poisoning); the general (the Federal Privacy Rule also allows a person nature of the medical condition; and the general to specify an event that would terminate the condition of the patient. Cal. Civ. Code § 56.16. authorization). 42 | CALIFORNIA HEALTHCARE FOUNDATION 119. Cal. Civ. Code § 56.11 and 45 C.F.R. § 164.508(c). 137. See 45 C.F.R. § 164.508(a)(2). 120. Cal. Civ. Code § 56.11. 138. See 45 C.F.R. § 164.508(b)(4). 121. Cal. Civ. Code §56.11. 139. 45 C.F.R. § 164.514(e). 122. 45 C.F.R. § 164.508(c). 140. Cal. Civ. Code § 56.10(d) specifies that a provider may not share, sell, or otherwise use any medical 123. 45 C.F.R. § 164.508(c). 
The Federal Privacy information for any purpose not necessary to Rule does not directly regulate the recipients of provide health care services to the patient. health information, and therefore requires this notice. It should be noted, however, that the CMIA 141. 45 C.F.R. § 164.520. often directly prohibits these recipients from re-dis- 142. 45 C.F.R. § 164.520(b). This list is not exhaustive closing health information. In these circumstances, because the requirements of the Federal Privacy patients will be protected by Rule are so detailed in this area. Please see the state, rather than federal, law. regulation itself for all of the required elements of 124. 45 C.F.R. § 164.508(d). a notice of privacy practices. 125. 45 C.F.R. § 45 C.F.R. § 164.508(d)(2). 143. Cal. Health & Safety Code § 123105 (defining “patient records”) and § 123110. 126. Cal. Civ. Code § 56.104. The heightened protec- tion afforded by California law appears to apply 144. Cal. Health & Safety Code § 123111. only when the third party requests information. 145. Ca. Health & Safety Code § 123148. It does not appear to apply when a provider initiates the transfer of information. For example, 146. Ca. Health & Safety Code § 123148. when a provider submits to an insurer a claim 147. See 45 C.F.R. § 164.524 (giving patients access to for payment related to psychotherapy no specific information in a “designated record set”) and request under Section 56.104 is required. However, 45 C.F.R. § 164.501 (defining “designated record if an insurer wants to obtain additional information set” as including “medical records and billing in support of the claim, it would need to submit records about individuals maintained by or for a such a request. covered health care provider.”) 127. Cal. Civ. Code § 56.104. 148. A California appellate court has ruled that the 128. 45 C.F.R. § 164.508(a)(2). “patient records” covered by the Patient Access to Medical Records Act include billing records. See 129. 45 C.F.R. 
§ 164.508(a)(2). Person v. Farmers Insurance Group, 61 Cal. Rep.2d 130. See 45 C.F.R. § 164.508(b)(4). 30 (1997). The Federal Privacy Rule also clearly grants patients access to information related to the 131. Cal. Welf. & Inst. Code § 5328 et seq. payment of health care. See 45 C.F.R. § 164.524 132. See Cal. Civ. Code § 56.30. (giving patients access to information in a “desig- 133. Institutional settings include any private nated record set”) and 45 C.F.R. § 164.501 (defin- institution, hospital, clinic, or sanitrium which ing “designated record set” as including “medical conducts care and treatment for the mentally records and billing records about individuals main- disordered. tained by or for a covered health care provider.”) 134. Compare Cal. Welf. & Inst. Code § 5328.1 149. Cal. Health & Safety Code § 123110(a). (limiting such information to the fact that the 150. 45 C.F.R. § 164.524(a). patient is present in the facility) with 45 151. Cal. Health & Safety Code § 123110(a) and 45 C.F.R. § 164.510(b) (which allows the provider to C.F.R. §164.514(h). use its professional judgment). 152. Cal Health & Safety Code § 123110(a). 135. Welf. & Inst. Code § 5328(e). 153. Cal. Health & Safety Code § 123110(b). 136. See 45 C.F.R. § 164.508(a)(2) and § 164.501 (defining “psychotherapy notes”). 154. 45 C.F. R. § 164.524 (c). 155. Cal. Health & Safety Code § 123110(b). Implementing the Federal Health Privacy Rule in California: A Guide for Health Care Providers | 43 156. 45 C.F.R. § 164.524(c). 171. 45 C.F.R. § 164.526(c). 157. See 45 C.F.R. § 164.524 and 65 Fed. Reg. 82557 172. 45 C.F.R. § 164.526(d). (explaining HHS’s position on the fees acceptable 173. 45 C.F.R. § 164.526 (d). under the rule). 174. 45 C.F.R. § 164.526 (d). 158. 45 C.F.R. § 164.524(c). 175. 65 Fed. Reg. 82471. 159. Cal. Health & Safety Code §§ 123115 and 123105 (defining “mental health records”). Providers should 176. 45 C.F.R. § 164.530. note that although the Lanterman-Petris-Short Act 177. 45 C.F.R. 
§ 164.530(c) and Cal. Civ. Code (LPSA) governs the disclosure of mental health § 56.101 (requiring providers to preserve the con- information generated through treatment obtained fidentiality of medical information if they create, at institutions and certain community clinics, the maintain, preserve, store, abandon, destroy, or PAMRA governs a patient’s access to that informa- dispose of such information). Additionally, HHS tion. See Section V B xi above (discussing disclosure is to issue more detailed final HIPAA-mandated requirements under the LPSA) and Cal. Health & security regulations. Safety Code, §. 23110, the PAMRA, (stating that it applies “notwithstanding” provisions of the LPSA). 178. 65 Fed. Reg, 82562. 160. The interplay between the Federal Privacy Rule and 179. Guidance at 23. California law is complex in this area. The state 180. 65 Fed. Reg, 82562. law permits denials with respect to a narrow catego- ry of information whereas the federal rule permits 181. Guidance at 23. access to be denied to any health information. 182. 45 C.F.R. § 164.530(b). However, the standard for denial is generally stricter 183. Preamble to Proposed Standard for Privacy of under federal law than it is under state law. But the Individually Identifiable Health Information, federal regulation would allow a denial of access 64 Fed. Reg. 59989 (Nov. 3, 1999). to be based on endangerment to others, while California limits denial to where the access would 184. 45 C.F.R. § 164.530(a). endanger the patient. We have attempted to analyze 185. 45 C.F.R. § 164.530(a). this complicated interaction of state and federal law with an eye towards giving a patient the most 186. Preamble to Proposed Rule, 64 Fed. Reg. 59988. access to their own health information, but advise 187. Preamble to Proposed Rule, 64 Fed. Reg. 59988. providers to exercise caution in denying patients’ access to their own information based on potential 188. 45 C.F.R. § 164.506(d). endangerment. 189. 45 C.F.R. 
§ 164.506(b). 161. 45 C.F.R. § 164.524(a). 190. 45 C.F.R. § 164.522(a). 162. 45 C.F.R. § 164.524(d). 191. 45 C.F.R. § 164.508(b)(6). 163. 45 C.F.R. § 164.524(d). 192. 45 C.F.R. § 164.528(d)(1). 164. Cal. Health & Safety Code § 123115. 193. 45 C.F.R. § 164.514 and § § 164.530(i) and 165. 45 C.F.R. § 164.528. 164.530(j). 166. 45 C.F.R. § 164.528. 194. 45 C.F.R. § 164.530(b) and § 164.530(j)(1). 167. 45 C.F.R. § 164.528. 195. 45 C.F.R. § 164.530(j)(2). 168. Cal. Health & Safety Code § 123111. 169. 45 C.F.R. § 164.526. 170. 45 C.F.R. § 164.526(b). 44 | CALIFORNIA HEALTHCARE FOUNDATION Related Publications in the iHealthReports series include: q HIPAA Administrative Simplification: Tool Kit for Small Group and Safety-Net Providers q Comparing eHealth Privacy Initiatives q E-Encounters q E-Disease Management q E-Prescribing q Wireless and Mobile Computing These reports can be obtained by visiting the CHCF Web site at www.chcf.org or by calling the Publications line at 1-888-430-CHCF (2423).