PHI request- What can they see?

SMace

If someone requests to see their PHI, I say it does not include any employee/employer health information such as FMLA certs, WC info, medical notes for absences, disability info, employment physicals, etc. I say it only includes identifiable information related to our health insurance. Does anyone agree or disagree?

System

Why do you think the employee shouldn't see his/her own PHI? What do you mean by 'identifiable information related to our health insurance?'

I don't see why not. I would not, however, provide correspondence related to workers' comp, other than physicians' notes the employee should already know about anyway.

SMace

The question was regarding HIPAA's right to request covered PHI. If they make the request under HIPAA I say you only give them the covered PHI which does not include the gobbly-gook above. Basically I'm trying to apply HIPAA regs to real life and I'm not exactly sure I'm right. Agree or disagree?

mushroomHR

PHI does not include any employee/employer health information. PHI is information that relates to your health insurance program. Employee/employer health information is individually identifiable health information (IIHI) and is not considered PHI.

SMace

Does that mean you agree?

Don D

Aren't you simply asking, "Does an employee have a right to see the medical section of their personnel file?"

SMace

No. When the employees get their Notice of Privay Practices it states they have a right to review their covered PHI. They come to me and say I want to assert my HIPAA rights and see my PHI. What should I give them? See above for what I think I should give them. I think asking to see their medical records is a different question and would be governed by state laws regarding access to personnel files.

Crout

So do you have a State reg that allows them to see their med file?

SMace

Yes, we have state regs that cover personnel file access. That's not the question. My question is what would you give them if they request access to their PHI that is goverened by HIPAA?

Crout

>Yes, we have state regs that cover personnel
>file access. That's not the question. My
>question is what would you give them if they
>request access to their PHI that is goverened by
>HIPAA?


Sheeesh...no need to be testy. HIPAA is intended to protect the privacy of the people working for you. It does that by regulating the flow of specific information held by your company to any inside or outside entity. As a Federal law, it can trump a State law where a conflict exixts. However, in the absence of a conflict, you would need to follow the State law. To me, it seems illogical to think that HIPAA is intended to DENY information to the very people whose privacy it is supposed to protect.

SMace

I did not intend to be testy, sorry. Making HIPAA work in the real world is STRESSING ME! I just want to know what people are giving ee's that fill out the request to see PHI form that allows ee's to see their PHI. It has not happened yet, but I bet I can name the ee's that are going to do it. I understand you to say you will let them see any and all files as determined by state law. I'll cross one chalk line in the Do Not Agree section. Thanks and sorry again for the testy.

Crout

Oh, there's no need to apologize. I understand completely how stressed you must be right now. I guess your question sounded a little odd to me because I work in a union environment, and coupled with our State law means that our files are probably more transparent than yours. Good luck with a tough transition.

Pearce

The privacy notice is issued to participants in a covered health plan. You may have been designated by the plan as the Privacy Official and the person to whom requests are directed. The PHI provided should be from the plan.

Don D

We seem to be dancing around the issues to the tune of the HIPAA polka. Employees who present themselves at the HR office doors and request to see any and all information in the company's posession regarding their personal medical information, including physicals that were given to them or information that was given to the company about their medical issues.....ARE RESPONDED TO HOW?

Before you answer, remember that it was the ADA that required employers to separate out from the personnel file all medical related information. So, that information is (probably) technically, a part of the personnel file, just maintained separately per law.

Janet

Back to the original question--
I agree.

LindaS

An individual's right to access their PHI means their PHI that is contained in a "designated record set". This record set will contain information regarding enrollment, payment of claims, information regarding the medical necessity of a procedure, etc.. It is NOT FMLA requests, ADA information or other such medical information you as the employer maintain on an employee in your duties as an employer. So, to answer your question, if an employee came into your office and requested to see their PHI, the information in your office would likely be limited to their enrollment paperwork. Any additional information in their "designated record set" would come directly from your insurance company, unless you are the person who made the decisions regarding what claims were paid.

SMace

Bingo! I'll cross one line of chalk in the Agree section. We also help ee's with getting claims paid, so that would be included in our "designated record set" along with our enrollment forms. Thanks, Linda.

Betty I_O

Since you also "help employees with getting claims paid," presumably every employee who comes to you with a claims problem (whereby you will have access to their and/or their dependents' medical info) signs an authorization for you to act as the employee's representative?

SMace

No. If I'm helping someone with their specific claims I do not get an authorization. Their consent is implied in the Notice of Privacy Practices. It states we will release and receive information for payment operations.

If an ee asks about their spouse's claims, I would have to get an authorization before I spoke to the ee about it.

LindaS

SMace, in all the training sessions I have gone to regarding HIPAA, ALL the trainers have advised that if an employee comes to you wanting assistance with their claims you should have them complete an authorization.

The Privacy Notice pertains to the insurance companies ability to obtain medical information to process payment of claims, not you unless you are the person who makes the final determination regarding the eligibility of the claim.

Don D

>SMace, in all the training sessions I have gone
>to regarding HIPAA, ALL the trainers have
>advised that if an employee comes to you wanting
>assistance with their claims you should have
>them complete an authorization.

That's my understanding as well. I also have understood that the authorization is signed for the benefit of the people you may be calling or speaking with in the claim pipeline. They'll want it faxed to them before they'll talk to you.

Betty I_O

Our HIPAA compliance training also included the employee authorization. It is a protection for all parties concerned.

The authorization allows an employee to limit certain data from being released. Their health information may contain sensitive information, such as diagnosis and treatment data, including information on chronic diseases, behavioral health conditions, treatment for alcohol or substance abuse, and communicable diseases including AIDS, ARC or HIV (including the fact that an HIV test was ordered, performed or reported, regardless of whether the results of such tests were positive or negative).

The employee can decide that all such information can be released, or that information regarding behavioral health conditions, alcohol or substance abuse, and communicable diseases including HIV/AIDs should NOT be discussed with or disclosed to you.

SMace

We are self-insured and are the plan sponsor/administrator. Essentially we have the final determination on how the claim is paid but we follow the guidelines set out in our plan book. We sent out our own NPP which outlines the disclosure of information for payment of claims. That is used as their "consent". Company-wide we probably average 5 claims questions a day. When they ask me for their own info, I'm going to give it to them without an authorization. If they want info for a spouse or child 18 and over, I'll ask for a consent from the spouse or child. As you know this law is open to interpretation and it will take a few years of case law before we are all clear. Our attorneys, which have benefits specialists that exclusively deal with HIPAA, back this up, so right or wrong we are doing it.