HIPAA @ MCS

HIPAA Overview

On April 14, 2003, the privacy rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) changed the way that certain health record custodians (called “covered entities”) respond to a request for disclosure of a person’s protected health information.

At The MCS Group, we understand how HIPAA impacts the process of procuring medical records.  This is why we have been working closely with our team of outside lawyers to understand the various ways that the new laws affect our clients and us.  We know which entities are “covered entities” and which are not.  We also know when we’re requesting “protected health information” and when we’re not.  We understand and are prepared to address how HIPAA impacts (1) court orders, (2) subpoenas, whether issued under state or federal law, (3) authorizations, (4) qualified protective orders and (5) workers’ compensation matters.

HIPAA and Subpoenas

In response to a subpoena, the record provider must disclose the information requested by the subpoena if the record provider receives a written statement and documentation showing:

1. MCS has made a good faith attempt to provide notice to the individual covered by the subpoena;

2. The notice included information about the litigation; and

3. The time for objection has elapsed and (a) no objection was filed or (b) any objection was resolved in favor of the requested disclosure.

45 CFR § 164.512(e)(1)(ii)(A).

How MCS Will Handle Subpoena Issues

HIPAA’s impact on the subpoena process depends on whether federal or state law applies to the underlying case.

We understand how record providers may need to change their disclosure process to comply with federal and state subpoenas.  We have developed appropriate forms and procedures to meet HIPAA’s new requirements.

Note – because we believe that some record providers are likely to be more conservative than HIPAA may require, we have also developed (and will continue to develop) standard letters explaining HIPAA’s requirements and why a record provider must comply with a subpoena.

MCS Fights for Compliance with Subpoena Requests

The following letters will be sent to providers who refuse to comply with subpoena requests.  The letters are intended to provide them with the necessary HIPAA guideline references that will force them to comply with the subpoena.

The first example (Sample A) will be used in direct response to any provider that rejects a subpoena request simply because it is a subpoena.  MCS will work with the providers to be sure that they understand HIPAA guidelines completely.

The second example (Sample B) will be used in instances where providers request “satisfactory assurance” that MCS has made a good faith attempt to provide written notice to the subject.  Since MCS operates under agreement of counsel and notifies the opposing counsel on ALL subpoena requests, any opposing party that doesn’t object to the subpoena is providing this assurance as per HIPAA rules.

HIPAA and Authorizations

In response to an authorization, the record provider must disclose the information requested by the authorization.  45 CFR § 164.508.

Note – in order to comply with HIPAA, an authorization must contain all of the elements required by 45 CFR § 164.508.

Therefore, MCS has created a sample authorization form that will meet HIPAA guidelines.

Sample of HIPAA Compliant Authorization – Prepared by MCS’ Attorneys

 

Dealing with Providers

You should be aware that as providers begin to comply with HIPAA’s new authorization requirements, there is no guarantee that our sample form will be universally accepted.  In fact, we expect that most providers will require some revisions, and the more conservative providers may refuse to process any authorization that is not submitted on their own unique form.  Thus, MCS will:  (1) continue to refine our sample form to address the concerns or modifications requested by providers from which we routinely request records, as appropriate, and (2) compile a list of those providers that require their own authorization forms.

 

HIPAA and Workers Compensation Matters

In connection with a Workers Compensation matter, the record provider must disclose information requested in connection with that matter.  45 CFR § 164.512(l).

Therefore, MCS has developed a standard letter (Sample C) explaining (a) that HIPAA permits disclosure in connection with this type of request and (b) that the record provider should comply with our request.

HIPAA and the “Business Associate Agreement”

MCS recognizes that “covered entities” under HIPAA are responsible for entering into agreements with each of their “business associates” pursuant to which the business associate will agree to honor HIPAA’s privacy policies and procedures related to the use and disclosure of protected health information (“PHI”).  However, HIPAA defines a business associate as an entity that performs or assists in the performance of activities involving the use or disclosure of PHI on behalf of a covered entity, or that provides administrative or other services to or for the covered entity.  MCS, a private record production company, provides reproduction services to our clients in connection with judicial and administrative proceedings, which may involve the use or disclosure of PHI, but does not provide any services to the provider or on behalf of the provider as a covered entity.

Therefore, MCS will not execute any Business Associate Agreements requested by providers.

Commitment to Outstanding Customer Service

The MCS Group is committed to continuously reviewing and improving our HIPAA compliance efforts in order to provide quick and efficient service to our customers.  If you have any questions or concerns with The MCS Group’s approach to HIPAA compliance, please contact your MCS Account Manager.