HealthPort & HIPAA
HealthPort's HIPAA Statement
April 2003 marked the compliance deadline for the HIPAA Privacy Rule, and 2009 marked the first amendments to the law. Found in the HITECH Act of ARRA (the American Recovery and Reinvestment Act), the changes were specifically directed at producing copies of medical records electronically.” Our suite of technology and services meets or exceeds the requirements set by this rule.
How Does HealthPort's System Comply with HIPAA?
HealthPort executives and legal counsel have thoroughly reviewed the Department of Health and Human Services’ Security Standards and the Privacy Standards, including the Final Privacy Rule published in August 2002.
The Security Standards specify the steps that must be taken to ensure the security of protected health information that is transmitted electronically.
The Privacy Standards and the Final Rule, effective in 2003, apply to all uses of individually identifiable health information, whether or not it is in electronic form. HealthPort's Release of Information services are subject to the Rule, as HealthPort is a "Business Associate" as defined within. HealthPort has worked closely with its member facilities to stay abreast of changing requirements and to help its members ensure compliance. Since HealthPort's business depends on ensuring the confidentiality and security of the data it handles, most of what is required under the Privacy Rule was incorporated into HealthPort's policies, procedures, and training prior to the April 2003 deadline. Additional (and now annual) training is done for all HealthPort associates about the requirements of the HITECH Act pertaining to delivery and charges for records that patients request to receive electronically.
HealthPort's Legal Position Regarding Patient Fees Under HIPAA
HealthPort's compliance with the provisions of the Privacy Rule under HIPAA (the Health Insurance Portability and Accountability Act) is as follows:
In Section 164.524(c)(4), HIPAA states that:
"If the individual requests a copy of the protected health information...the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of: (i) Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual; (ii) Postage, when the individual has requested the copy...to be mailed, and (iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(ii) of this section."
This reasonable, cost-based fee excludes charging individuals for such items as the records search, retrieval of the file, administrative costs, clerical costs, etc., although these items typically constitute a considerable percentage of HealthPort's cost for performing these services. In regulated states, the statutory/regulatory per-page fee is deemed to be reasonable for this "individual" fee purpose under HIPAA.
Attorney and insurer rates did not change under HIPAA. This is due to specific direction from the Department of Health and Human Services (HHS), the author of the HIPAA Privacy Rule. In the August 14, 2002, Final Rule published in the Federal Register of that date, Volume 67, No. 157, on page 53254, HHS states:
"The Department clarifies that the Rule, at Section 164.524(c)(4), limits only the fees that may be charged to individuals, or to their personal representatives in accordance with Section 164.502(g), when the request is to obtain a copy of protected health information about the individual in accordance with the right of access. The fee limitations do not apply to any other permissible disclosures by the covered entity, including disclosures that are permitted for treatment, payment and health care operations, disclosures that are based on an individual's authorization that is valid under 164.508, or other disclosures permitted without the individual's authorization as specified in 164.512...."
(Note: "personal representatives" are defined in 164.502(g) as (1) parents/guardians, or (2) administrators/executors of the estate of a deceased person, or (3) those who hold a healthcare power of attorney.)
This definitive statement by HHS in the Comments section of the Final Rule bolsters the language of the regulation as published in December 2000 in 65 Fed. Reg. 250, page 82824.
The HITECH Act added a new section about pricing of medical records; it applies to those records which are stored electronically (in an EHR or EMR) and which the patient chooses to receive electronically. The price covers only labor for producing the record electronically, the price of the electronic medium itself, postage (if a CD or other medium is mailed), and applicable tax (if any).
Click here to visit archived HIPAA newsletters.
Click here to see a sample HIPAA Authorization Form
Click here to view the HIPAA Provider Comparison Chart
Click here to see the Security Rule Flyer
Click here to view the Security Rule - Client