Re: Section 112 accounting for disclosures
JAMIE WROTE:
>Deirdre Mulligan has explained to me what the Sec. 112 accounting for
>disclosures. This is my understanding of what the bill says,
>followed by some questions.
>
>Section 112 states that health information trustees shall create and
>maintain records of disclosures of information not related to treatment.
>
>Section 101 gives individuals rights to see and copy the Sec. 112
>disclosures, except for several exceptions (which I will not go into here).
>Section 202 (d) requires the health information trustee to maintain
>records of authorizations of disclosures. These are the provisions on
>record keeping.
>
> So, I apparently have rights to ask for these items.
DEIRDRE's RESPONSE
RESPONSE TO JAMIE'S INITIAL QUESTION: Section 112 Accounting for
disclosures states that a record of each disclosure made must be kept, and
that this record is protected health information. Section 101 gives the
individual the right to see and copy protected health information -- this
includes the record created under 112.
Section 202 (d) requires the trustee to maintain a copy of the
authorization form for each disclosure. This too, is personally
identifiable health information, part of the patient record and covered by
Section.
RESPONSES TO JAMIE'S CURRENT QUESTIONS:
JAMIE'S Q: How does this work?
RESPONSE: Every time you authorize a disclosure a record is kept of that
disclosure. Every time a disclosure occurs that falls within the
authorization -- for example you authorized disclosures ONLY for treatment
and payment, your hospital in order to complete the billing process uses a
company that puts the information into standardized forms and sends it to
your insurance company -- a record must be kept of this disclosure. The
company that receives the information to complete the billing process by
putting it into standardized format, is an agent of the hospital, and
completely bound by all rules of the bill. Of specific importance are 2
provisions -- 1) the hospital can only release the Minimum amount of
information necessary for the billing company to complete their task; and,
2) the billing company may not do anything with the information except
complete the billing process (they can't use it for anything else, they
can't capture it, collect it, manipulate it etc. NOTHING).
You the individual have the right to access your health information from
ANYBODY who has it and fits the definition of trustee:
health care providers, health plan, health oversight agency, health
researcher, public health authority, employer, insurer, school or
university, or health information service insofar as it creates,
receives, obtains, maintains, uses, or transmits protected health
information, or any persons who obtains protected health care
information
under sections 206, 207, 208, 209, 210, 211, or 212 of the bill, or any
employee, agent, or contractor who "creates, receives, obtains,
maintains, uses, or transmits" protected health information.
Therefore, you get access to every last piece of information.
JAMIE'S Q: My doctor has my records, and they give them to
>my insurance company.
RESPONSE: only if you have authorized this disclosure. Maybe you want to
pay out of pocket and then you wouldn't have to authorize any information
to flow to your insurance company because it would Not be needed for
payment.
JAMIE'S Q: Say my insurance company then gives the records to
>someone else
RESPONSE: Only with your consent unless it fits into one of the exceptions.
JAMIE'S Q: say a government agency
RESPONSE: A government agency might get information if it is your payor
(Medicaid Medicare) but only with your CONSENT.
A government agency might get access to your data if it fits the
Oversight exception: 1) is a HEALTH OVERSIGHT AGENCY, and
2) is performing an OVERSIGHT FUNCTION AUTHORIZED BY LAW.
BUT they may not use this information against the individual unless the
action or investigation arises out of and is directly related to 1) the
receipt of health care or payment for health care; or 2) an action
involving a fraudulent claim related to health care.
In other words, if a health oversight agency that is authorized to oversee
a specific program (like Medicare/Medicaid) gets information they can only
use it to prosecute an individual for something that they were supposed to
be overseeing -- i.e. Medicaid fraud, Medicare fraud. They cannot use it
against the individual in any other context.
A law enforcement agency has access under the warrant and
subpoena process. Information disclosed to them is still covered by the
minimization rule and the general rule limiting the information's use.
JAMIE'S Q: or a company like equifax
RESPONSE: If the hospital has contracted with a company to perform a
specific function, which you have Authorized (consented to) otherwise no
one can do it, the company is bound by all the rules of the bill. They can
only use the information for the limited purpose you authorized (see
example above). They can NOT use it for any other purpose.
JAMIE'S Q: hundreds of health care trustees may have had access to my
medical records. Do I have to ask each one for my sec.112 info? If I
don't know who to ask, do I have to ask everyone?
RESPONSE: You have a relationship with your doctor and your insurance
company -- they should have records of every disclosure you have authorized
and every agent with whom they have contracted to complete activities for
which you authorized them to use information. The object of the record
keeping and access rights provisions of the bill is so that the individual
can oversee the use of their information by making sure it is only flowing
when they have authorized the flow. The bill creates a paper trail. The
way the bill is written you can go to anyone who has handled your
information and get access to your record and record of disclosures. But,
practically if you start from your provider you should be able to trace the
information's path. Especially if you have only authorized the use of your
information for treatment and payment purposes.
JAMIE'S Q: What if my companies gives a record to someone for
"administrative" purposes (A Sec. 101 exception), and they disclose the
information to one of the groups that is not required to obtain notice or
consent?
RESPONSE: In order to fit into the "administrative purposes exception"
Sec. 101(b)(3) the information must be used by the trustee "solely for
administrative purposes" and "NOT in the provision of health care or
administrative benefits" AND "HAS NOT BEEN DISCLOSED TO ANY OTHER PERSON"
JAMIE'S Q: Won't this be very difficult if not impossible to track?
RESPONSE: Most people today have no ability to track, let alone CONTROL,
how their sensitive information is used and disclosed. The Bennett-Leahy
bill puts control over information flow back into individual's hands by
requiring consent for the information to flow with a limited number of
exceptions (which we have discussed, and agree that we would like to see a
number of them tightened). It facilitates tracking so individuals and
others responsible for enforcing the bill can ensure compliance and
identify abuses, by requiring that those who handle information maintain a
record of how the information flows. Right now no one is under a legal
obligation to keep track of where your health information is sent and you
have very little actual or legal control.
Deirdre
**** Please note: I request that all recipients obtain my prior
**** consent before electronically forwarding or otherwise disseminating
**** this message. Thank you for protecting my privacy.
Deirdre K. Mulligan
Staff Counsel
Center for Democracy and Technology
1001 G Street, NW
Suite 500 East
Washington, DC
20001
(202)637-9800
(202)637-0968
http://www.cdt.org/