roundtable: Re: Section 112 accounting for disclosures
Deirdre Mulligan (deirdre@cdt.org)
Wed, 8 Nov 1995 13:02:30 -0400
Message-Id: <199511081757.MAA03347@cdt.org>
Date: Wed, 8 Nov 1995 13:02:30 -0400
To: roundtable@cni.org
From: deirdre@cdt.org (Deirdre Mulligan)
Subject: Re: Section 112 accounting for disclosures
> JAMIE WROTE:
>
> Deirdre Mulligan has explained to me what the Sec. 112 accounting for
> disclosures. This is my understanding of what the bill says,
> followed by some questions.
>
> Section 112 states that health information trustees shall create and
> maintain records of disclosures of information not related to treatment.
>
> Section 101 gives individuals rights to see and copy the Sec. 112
> disclosures, except for several exceptions (which I will not go into
> here). Section 202 (d) requires the health information trustee to
> maintain records of authorizations of disclosures. These are the
> provisions on record keeping.
>
> So, I apparently have rights to ask for these items.
DEIRDRE's RESPONSE
RESPONSE TO JAMIE'S INITIAL QUESTION: Section 112 Accounting for
disclosures states that a record of each disclosure made must be kept,
and that this record is protected health information. Section 101
gives the individual the right to see and copy protected health
information -- this includes the record created under 112.
Section 202 (d) requires the trustee to maintain a copy of the
authorization form for each disclosure. This too, is personally
identifiable health information, part of the patient record and
covered by Section.
RESPONSES TO JAMIE'S CURRENT QUESTIONS:
>JAMIE'S Q: How does this work?
RESPONSE: Every time you authorize a disclosure a record is kept of
that disclosure. Every time a disclosure occurs that falls within the
authorization -- for example you authorized disclosures ONLY for
treatment and payment, your hospital in order to complete the billing
process uses a company that puts the information into standardized forms
and sends it to your insurance company -- a record must be kept of this
disclosure. The company that receives the information to complete the
billing process by putting it into standardized format, is an agent of
the hospital, and completely bound by all rules of the bill. Of specific
importance are 2 provisions -- 1) the hospital can only release the
Minimum amount of information necessary for the billing company to
complete their task; and, 2) the billing company may not do anything
with the information except complete the billing process (they can't use
it for anything else, they can't capture it, collect it, manipulate it
etc. NOTHING).
You the individual have the right to access your health information from
ANYBODY who has it and fits the definition of trustee:
health care providers, health plan, health oversight agency, health
researcher, public health authority, employer, insurer, school or
university, or health information service insofar as it creates,
receives, obtains, maintains, uses, or transmits protected health
information, or any person who obtains protected health care
information under sections 206, 207, 208, 209, 210, 211, or 212 of
the bill, or any employee, agent, or contractor who "creates,
receives, obtains, maintains, uses, or transmits" protected health
information.
Therefore, you get access to every last piece of information.
JAMIE'S Q:
>
> My doctor has my records, and they give them to my insurance company.
RESPONSE: only if you have authorized this disclosure. Maybe you want
to pay out of pocket and then you wouldn't have to authorize any
information to flow to your insurance company because it would Not be needed for payment.
JAMIE'S Q:
>
> Say my insurance company then gives the records to someone else
RESPONSE: Only with your consent unless it fits into one of the
exceptions.
JAMIE'S Q:
>
> say a government agency
RESPONSE: A government agency might get information if it is your payor
(Medicaid, Medicare) but only with your CONSENT.
A government agency might get access to your data if it fits
the Oversight exception: 1) is a HEALTH OVERSIGHT AGENCY, and
2) is performing an OVERSIGHT FUNCTION AUTHORIZED
BY LAW.
BUT they may not use this information against the individual unless the
action or investigation arises out of and is directly related to 1) the
receipt of health care or payment for health care; or 2) an action
involving a fraudulent claim related to health care.
In other words, if a health oversight agency that is authorized to oversee
a specific program (like Medicare/Medicaid) gets information they can only
use it to prosecute an individual for something that they were supposed to
be overseeing -- i.e., Medicaid fraud, Medicare fraud. They cannot use it
against the individual in any other context.
A law enforcement agency has access under the warrant and subpoena
process. Information disclosed to them is still covered by the minimization
rule and the general rule limiting the information's use.
JAMIE'S Q:
>
> or a company like equifax
RESPONSE: If the hospital has contracted with a company to perform a
specific function, which you have Authorized (consented to) otherwise
no one can do it, the company is bound by all the rules of the bill.
They can only use the information for the limited purpose you authorized
(see example above). They can NOT use it for any other purpose.
JAMIE'S Q:
>
> hundreds of health care trustees may have had access to my medical
> records. Do I have to ask each one for my sec.112 info? If I don't
> know who to ask, do I have to ask everyone?
RESPONSE: You have a relationship with your doctor and your insurance
company -- they should have records of every disclosure you have
authorized and every agent with whom they have contracted to complete
activities for which you authorized them to use information. The object
of the record keeping and access rights provisions of the bill is so that
the individual can oversee the use of their information by making sure it
is only flowing when they have authorized the flow. The bill creates a
paper trail. The way the bill is written you can go to anyone who has
handled your information and get access to your record and record of
disclosures. But, practically if you start from your provider you should
be able to trace the information's path. Especially if you have only
authorized the use of your information for treatment and payment purposes.
JAMIE'S Q:
>
> What if my company gives a record to someone for "administrative"
> purposes (A Sec. 101 exception), and they disclose the information
> to one of the groups that is not required to obtain notice or consent?
RESPONSE: In order to fit into the "administrative purposes exception"
Sec. 101(b)(3) the information must be used by the trustee "solely for
administrative purposes" and "NOT in the provision of health care or
administrative benefits" AND "HAS NOT BEEN DISCLOSED TO ANY OTHER PERSON"
JAMIE'S Q:
>
> Won't this be very difficult if not impossible to track?
RESPONSE: Most people today have no ability to track, let alone CONTROL,
how their sensitive information is used and disclosed. The Bennett-Leahy
bill puts control over information flow back into individuals' hands by
requiring consent for the information to flow with a limited number of
exceptions (which we have discussed, and agree that we would like to see
a number of them tightened). It facilitates tracking so individuals and
others responsible for enforcing the bill can ensure compliance and
identify abuses, by requiring that those who handle information maintain
a record of how the information flows. Right now no one is under a legal
obligation to keep track of where your health information is sent and you
have very little actual or legal control.
Deirdre
**** Please note: I request that all recipients obtain my prior
**** consent before electronically forwarding or otherwise disseminating
**** this message. Thank you for protecting my privacy.
Deirdre K. Mulligan
Staff Counsel
Center for Democracy and Technology
1001 G Street, NW
Suite 500 East
Washington, DC
20001
(202)637-9800
(202)637-0968
http://www.cdt.org/