Current law recognizes
that medical records are the property of the patient and allows the patient to
obtain a copy of the records. Current
law forbids a provider from disclosing “confidential communications or information”
about a patient without patient consent, except as provided
for by law or to protect the welfare of the individual or the public interest. Current law also forbids using any
patient identifying information for sales purposes without the patient’s
written authorization.
The patient would be permitted to ask for an audit trail going back 3
years for anyone with access for a purpose other than treatment, payment or
health care operations. The patient would
also be entitled to an explanation of any notations, abbreviations, symbols
used, etc. In addition, the patient
would be entitled to a “yes” or “no” answer about whether a specific provider
has accessed the record.
The proposed law
would allow disclosure of PHI for treatment, payment and essential health care
operations – unless the patient restricts disclosure.
The proposed law
also allows shared access to medical records by affiliated providers, by
business associates or by providers who are structured as an “organized health
care arrangement” if:
-
‘Grand-fathered
Systems” The EMR doesn’t have firewalls restricting specific provider access to
specific patients, and sharing is limited to community providers who were
offered the opportunity to share in the EMR system before 1/1/2010; or
-
“Firewalled
Systems” The sharing includes providers who were invited into the EMR system
after 1/1/2010 and the EMR does have fire-walls;
At a provider’s
initial meeting with a patient, the patient must be informed of his / her right
to restrict disclosure of his / her health records. The provider would be required to instruct
the patient on the possible consequences of restricting disclosure and provide
a form (to be created by the State Department of Health) the patient may use to
restrict disclosure. The restriction would
be immediately effective and the provider will be liable for any subsequent
disclosures in violation to the patient’s instructions. If the patient revokes the restriction, this
too will be immediately effective.
The provider may
refuse to treat a patient who chooses not to disclose information that the
provide deems necessary and if the provider does treat, will not be liable for
outcomes that could have been avoided if access to the information was
available. If a patient refuses to
allow disclosure to for payment, unless prohibited by law, the provider can
refuse to treat unless / until the patient self pays. A payor cannot be responsible for paying a claim
of which it was not informed or for which it had insufficient information to
determine coverage.
A patient’s
request to restrict his / health information will not prevent disclosure to:
-
An
insurer who has the patient’s signed authorization (the bill does not say that
the signature must be subsequent to the restriction);
-
A
pharmacist when the physician arranges to submit the patient’s prescription
directly to the pharmacy and the patient does not object;
-
New
Hampshire as required by New Hampshire law;
-
When
a treating provider determines that a medical emergency exists and cannot
obtain the patient’s authorization;
If a prohibited disclosure
occurs, the provider is required to notify the patient. The patient may complain to the licensing
board which will investigate and take appropriate action against the
provider. A patient whose information is
inappropriately disclosed would be liable for $1000 + costs.
Hospitals are required
to audit the greater of 1% or 500 inpatient admissions for compliance with any
restrictions and inappropriate staff access and report the results to the Commissioner.
Comments