Medical, Health and Billing Records System Q&A'sThe information on this page was removed for updates. If you have any questions, please contact your Area Privacy Act Advocate or the IHS Privacy Act Officer at 301-443-1116. The following are basic questions and answers regarding Privacy Act system of records: 09-17-0001, Indian Health Service Medical, Health and Billings Records, HHS/IHS/OIT-HIT and OCPS. The answers are of a general nature and may not apply to your specific situation. In matters of the laws and regulations that affect the above, the Privacy Act of 1974, as amended (5 U.S.C. 552); the Federal Records Act of 1950, as amended (44 U.S.C. 21, 29, 31, 33); OMB Paperwork Reduction Act (44 U.S.C. 35). When in doubt, do not disclose medical records information until you have consulted with the appropriate Area Privacy Act Advocate or Privacy staff.
1. System name
2. System location
3. Categories of individuals covered by the system
4. Categories of records in the system
5. Authority for maintenance of the system
7. Routine uses of records maintained in the system
10. Safeguards - authorized users
11. Safeguards - physical
12. Safeguards - procedural
13. Safeguards - implementing guidelines
14. Retention and disposal
15. System manager(s)
16. Notification and access procedures
17. Requests in Person
18. Requests by mail
19. Requests by Telephone
20. Parents or Legal Guardians
21. Contesting record Procedure
22. Record source categories
23. Systems exempted from certain provisions of the act
24. Miscellaneous Questions
1. Are IHS patient medical records covered by a Privacy Act System of Records?Answer: Yes. The official name of the system of records is, 09-17-0001, Indian Health Service Medical, Health and Billing Records System, HHS/IHS/. In addition, since 2003, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provided additional protection of the above subject system of records notice.
2. Where is the IHS patient medical records located?Answer: The IHS medical records are located throughout the IHS system wherever patient care is provided by IHS staff or the IHS contractors. For example: If you continue to get your patient care at the Phoenix Indian Medical Center (PIMC), Phoenix, AZ then you medical record will be located there. If you have any questions, please contact your Area Privacy Act Advocate who will direct you to the proper location where your records is being maintained. The listing of the Area and Service Unit locations are noted in the Privacy Act System of Records Notice 09-17-0001 Medical, Health and Billing Records as Appendix 1.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM
3. Are all the IHS medical records, including those of non-Indians (non-IHS beneficiaries), covered by the Privacy Act?Answer: Yes. The Privacy Act covers the records of all individuals who receive health care services from the IHS. In addition, since 2003, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule apply; and the Alcohol and Substance Abuse Regulations.
CATEGORIES OF RECORDS IN THE SYSTEM
4. What types of records are covered under the IHS Privacy Act system of records for medical records?Answer: There are three major categories of records covered in the IHS medical records system: 1. A variety of health and medical records concerned with patient care, such as: patient's name, address, date of birth, tribal affiliation, Social Security Number (voluntary); medical history, diagnosis, treatment records, dental records, nursing logs, treatment logs, laboratory and x-ray records; social services records; disease registries. 2. Mental health and Alcohol/Substance Abuse Records; and 3. Third-party billing and reimbursement records, such as: patient's name, address, date of birth, Social Security Number (voluntary); date of admission; Medicare or Medicaid claim numbers; health plan name, insurance number; employer's name and address, employment status; and other relevant claim information necessary to process and validate billing and third-party reimbursement claims.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM
5. Under what authority does the IHS maintain medical records?Answer: Congress has passed a number of laws that authorize IHS to provide health care services and thereby maintain patient medical records. These are: Indian Self Determination and Education and Assistance Act (25 U.S.C. 450); Snyder Act (25 U.S.C. 13); Indian Health Care Improvement Act (25 U.S.C. 1601 et. seq.); Indian Health Service Transfer Act (42 U.S.C. 2001-2004); Section 321 of the Public Health Service Act, as amended (42 U.S.C. 248), Hospitals, Medical Examinations, and Medical Care. In addition, the Privacy Act if 1974, as amended (5 U.S.C. 552a); Alcohol and Substance Abuse Records (42 CFR Part 2) and the HIPAA Privacy Rule (45 CFR 160 & 164).
6. What are the purposes of the IHS medical records?Answer: There are sixteen (16) stated purposes for maintaining the IHS medical records:
- to provide for patient care and treatment;
- to provide statistical data for program evaluation;
- to communicate patient care information among providers;
- to serve as official documentation of patient care;
- to contribute to continuing education of IHS staff;
- for disease surveillance;
- to compile and provide aggregated program statistics;
- to process, document, and monitor third-party billing and reimbursement claims.
- to improve the IHS national patient care database by verifying patient's Social Security Numbers with the Social Security Admin.
- to provide information to organ procurement organizations.
- to provide for individuals about treatment alternatives or other health-related benefits and services.
- to provide information to FCA in connection with FDA regulated product or activity.
- to provide information to correctional institutions as necessary.
- to provide to government authorities on victims of abuse, neglect, sexual assault or domestic violence.
- to provide to NARA in records management inspections.
- to provide health care information to funeral directors.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM
7. Are routine use disclosures to third parties outside HHS permitted from the IHS patient medical records?Answer: Yes. The IHS medical records system contains 25 routine use disclosures. The complete text of the routine uses is published in IHS Privacy Act system notice 09-17-0001 and can be accessed at the Privacy Act web site. The Privacy Act System Manager or designee is the only person authorized to release records subject to the Privacy Act. Prior to disclosure, the records should be checked for accuracy, timeliness, relevancy, and completeness. Routine use disclosures must be documented as Accounting of Disclosures under the IHS Release of Information software package or the IHS form 505, Disclosure Accounting Record.
8. Can IHS staff release information from a patient's medical record, including a minor's, who has been admitted for drug or alcohol treatment without the knowledge and approval of the patient?Answer: No unless the clinician or provider has consulted with the patient prior to disclosure. In addition, consult with your local Privacy Act staff. If a patient receives treatment, or referral for treatment, for alcohol and drug abuse, then the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations (42 CFR Part 2) may apply.
9. Can IHS staff release information from a patient's record to a State, local or other health care organizations which provide health services to American Indians without the knowledge or approval of the patient?Answer: Yes. In accordance with routine use #1 of 09-17-0001 and also to meet the minimum necessary of the treatment, payment, healthcare operation of HIPAA Privacy Rule.
10. Are there limitations on sending a patient's medical history to another health care facility for a referral/consultation?Answer: Yes. In accordance with routine use #1, records may be disclosed in part or whole to another health care facility. However, only minimum necessary information, which is necessary to the patient's treatment, should be released to the requesting facility.
11. Can IHS release information from a minor's medical record to a school serving American Indians if the minor is attending that school?Answer: Yes. The information can be released under routine use #4 to the school health program for purposes of student health maintenance.
12. Can IHS release information to schools regarding children's eye examinations?Answer: Yes. In accordance with routine use #4 but only to the school health care program to be in compliance with the HIPAA Privacy Rule.
13. Can medical record information be disclosed to a State utilization review board or in response to a quality assurance or medical audit without the knowledge or approval of the patient?Answer: Yes. In accordance with routine use #6 and that has been deemed qualified by the Secretary of HHS.
14. Can information from a patient's medical record be released to organizations or individuals conducting IHS-sponsored analytical or evaluation studies?Answer: Yes. Routine use #7 permits such releases as long as a business associate agreement is in place..
15. Can information from a patient's medical record be released to organizations or individuals conducting non- IHS-sponsored analytical or evaluation studies?Answer: Yes, provided the procedures outlined in routine use #7 are followed.
16. Can information from a patient's medical record be released in response to a request from the Congressional office of a US Senator or U.S. Representative?Answer: Yes. In accordance with routine use #8, information can be released if the patient has made a written request (IHS 810 form or equivalent) that his/her Congressman act on his/her behalf. A copy of the patient's request should be attached to the Congressional inquiry.
17. Can information from a patient's medical record be released for research or statistical purposes?Answer: Yes, but only in accordance with the procedures and requirements set forth in routine use #9.
18. Can information from a patient's medical record be released for research or statistical purposes if it contains information on alcohol and/or drug abuse?Answer: Yes, in accordance with the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations, records identifying patients may be disclosed for research, audit, and evaluation purposes. See 42 CFR section 2.52 Research Activities and section 2.53 Audit and Evaluation Activities. However, it is usually recommended to seek and receive patient consent prior to the release.
19. Can information from a patient's medical record be released to Federal, State, or local authorities regarding a criminal investigation?Answer: Yes, in accordance with Privacy Act Disclosure Requirement (b)(7), provided that such a request is in writing from the head of the requesting Agency or in accordance with routine use #10.
20. Can information from a patient's medical record be released to Federal, State, or local authorities regarding a criminal investigation if the information concerns alcohol and/or drug abuse?Answer: Yes, if there is a court order signed by a federal judge or the patient signs a release of information form.
21. Can IHS release information regarding alcohol and/or drug abuse from a patient's medical record in response to a criminal investigation where child abuse is suspected?Answer: Yes, but generally a court order signed by a federal judge is required (42 CFR §2.65). However, this information is also releasable to appropriate State and local authorities in accordance with State law. See routine uses 10 and 11.
22. Can IHS release information from a patient's medical record regarding communicable diseases or tumor registries?Answer: Yes, in accordance with routine use #10.
23. Can IHS release information from the records of a deceased infant to the appropriate authorities if child abuse is suspected?Answer: Yes, but such a release would have to be made under the Freedom of Information Act (FOIA). The Privacy Act only applies to living persons.
24. Can IHS release information from a child's medical record if child abuse is suspected?Answer: Yes, under routine use #11, IHS health care providers (i.e. Physicians, Child Psychologists, Social Workers, etc.) may disclose such information to: (1) Federal, State, and Indian tribal agencies that have a need to know in the performance of their duties; and (2) members of community child protection teams.
25. Can IHS release information from a patient's medical record to the Department of Justice if a HHS health care provider or facility is being sued?Answer: Yes, in accordance with routine use #12.
26. Can IHS release information from a patient's medical records regarding children with disabilities?Answer: Yes, in accordance with routine use #5, however, such disclosures may only be made to the Bureau of Indian Affairs or its contractors.
27. Can IHS release patient medical records to IHS contractors for data entry or record maintenance?Answer: Yes, in accordance with routine use #13 provided the contractor is under a business associate agreement.
28. Can IHS release a minor patient's medical record to the minor's parent or legal guardian?Answer: Only under certain circumstances. In accordance with routine use #15, medical records concerning medical services that the minor's parent or legal guardian previously authorized may be released to the minor's parent or legal guardian. Everything else in the minor's medical record would have to be forwarded to the designated representative chosen to review the record.
29. Can IHS release a minor's medical record without the minor's consent to a minor's parents or guardians, such as pregnancy testing or sexually transmitted diseases, when the procedure was carried out without parental consent?Answer: No. When a minor received treatment for a condition that did not require parental consent, such information may not be disclosed to the parents or guardians without the consent of the minor.
30. If a grandparent becomes the legal guardian, do the biological parents still have a right to see the medical record of their minor child?Answer: No. In accordance with routine use #15, medical records concerning services that the parents previously authorized may not be disclosed if the grandparent has assumed legal guardianship. If a grandparent has permanent custody, IHS should determine if a court decree exists which may have terminated parental rights. If such a decree exists, the biological parents would not have a right to access or authorize the release of their minor child's medical record.
31. If a facility treats a minor who is in foster care, does that facility have a legal obligation to notify the biological parents of the minor's admission to the facility?Answer: No. When an IHS facility treats a minor who is in foster care, it does not have a legal obligation to notify the biological parents of the minor's admission. However, there may be a need to notify the Court/Social Services of that jurisdiction (i.e. Foster Care), who is considered the legal guardian of the minor.
32. If a patient is infected with the Human Immunodeficiency Virus (HIV), can IHS inform his/her sexual and/or needle sharing partner(s)?Answer: Yes, in accordance with routine use #19. The IHS must first make a reasonable effort to counsel the patient and encourage a voluntary disclosure. If IHS determines that the patient is unlikely to make the disclosure, the patient must be informed that IHS intends to inform his/her needle sharing and/or sexual partner(s). Whenever possible, such disclosures will be made by the patient's physician or a professional counselor.
33. Can volunteers be given access to IHS patient medical records?Answer: Yes. Under routine use #14, volunteers may have access to medical records to the extent needed in the performance of their assigned duties. Volunteers are considered employees of IHS and are subject to the Privacy Act and HIPAA Privacy Rule requirements.
34. Can IHS disclose to various Health Information Exchange and Regional Health Information Organization or E-prescribing Gateway?Answer. Yes, under routine use #13 providing a business associate agreement is in place for the purposes of computerizing data entry, medical transcription, duplication services, maintenance of records, data formatting service or for any other agency functions or activity the use or disclosure of records.
35. Can information from a patient's medical record be released to other IHS facilities, even from Area to another Area?Answer: Yes, if the IHS staff requesting the information have a "need to know" in the performance of their duties. Only minimum necessary information that is actually needed by the requesting facility should be released. This disclosure does have to be documented on IHS release of information software package or the IHS form 505.
36. Can information be released from a patient's medical record to Social Security Administration?Answer: Yes, under routine use #22. Records including name, DOB, SSN, gender and other identifying information may be disclosed to SSA.
37. Can information be released to funeral directors or representative of funeral homes?Answer: Yes, under routine use #23.
38. Can information be disclosed to a public or private covered entity to assist in disaster release efforts (e.g., the Red Cross or FEMA) for purposes of coordinating with other similar entities concerning individual's health care, payment of health care, or notification of the individual whereabouts or his or her health status or death?Answer: Yes, under routine use #24.
39. Can information be released from a patient's medical record to assist the Department efforts in responding to suspected or confirmed breach of security or confidentiality of information?Answer. Yes, under routine use #25. Information may be disclosed to appropriate Federal agencies and Department contractors that have a "need to know" for the information for the purpose of responding to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records.
40. How is information in the IHS patient medical records filed?Answer: The IHS files patient medical record information in a combination of file folders, ledgers, card files, microfiche, microfilm, computer tapes, disk packs, and automated files. IHS has currently converted over to the Electronic Health Record but the paper record must be kept active or forwarded to the Federal Records Center(s).
41. How are IHS patient medical records retrieved?Answer: The patient records are retrieved by either patient name, medical record number, Social Security Number, and are cross-indexed.
SAFEGUARDS - AUTHORIZED USERS
42. Which IHS employees are authorized to access IHS patient medical records?Answer: Access to the IHS patient medical record is limited to IHS and its IHS contractor staff who have a "need to know" in the performance of their duties. This staff may include: medical records personnel, health care providers, authorized researchers, medical auditors, health care team members, billing office and administrative staff. The IHS health facility director is responsible for developing and maintaining a list of facility staff authorized to access patient medical records.
SAFEGUARDS - PHYSICAL
43. Does the Privacy Act require that records subject to the Act be kept physically secure and safe from unauthorized disclosure?Answer: Yes. The Privacy Act requires that IHS safeguard and secure these records when they are not actually in use during working hours and at all times during non-working hours. They must be stored in accordance with appropriate fire and safety codes. Computerized records must be stored in accordance with the safeguards developed for automated records. Records stored in locked rooms, the door locks should be changed periodically and whenever an employee who has access authority resigns, retires or is reassigned.
44. Is the medical records work area, where the records are actually stored, considered a restricted area?Answer: Yes, and it should be secured accordingly.
45. What should IHS staff tell a patient who questions why his medical records are being placed in a locked file cabinet?Answer: The patient should be told this is standard operating procedure to ensure the privacy of the information in his/her record.
SAFEGUARDS - PROCEDURAL
46. How does IHS ensure that only authorized personnel have access to patient medical records?Answer: Each IHS facility maintains a list of personnel or a category of personnel who have a "need to know" in the performance of their duties. Authorized users must follow sign-out procedures for all patient medical records removed from the medical records area.
47. What if an IHS staff member is not on the list of staff authorized to have access to patient medical records?Answer: Each IHS facility should have procedures in place to grant or deny one-time requests for access to patient medical records from staff that are not on the authorized user list.
48. Are any procedures or training provided to staff authorized to access patient medical records?Answer: Yes, authorized staff must be instructed regarding confidentiality of records, making disclosures, and the penalties for violating the Privacy Act. The training is conducted by the local Privacy staff and/or the Area Privacy Act Advocate.
49. Are procedures in place to protect and ensure the confidentiality of automated (EHR) patient medical records?Answer: Yes. These procedures include security clearance screening of staff and contractors prior to access to the automated IHS patient record files (currently transferred to the EHR), periodic changing of passwords and log-on codes.
50. Are contractors who run or maintain automated (or EHR) patient medical record systems for the IHS required to have security procedures in place?Answer: Yes. Automated Information Systems security provisions must be specifically included in contracts whenever contractors run or maintain automated IHS patient medical record systems.
SAFEGUARDS - IMPLEMENTING GUIDELINES
51. Are there guidelines for safeguarding Privacy Act records?Answer: Yes, the General Administration Manual, HHS Chapter 45-13, "Safeguarding Records Contained in Systems of Records;" supplementary Chapter PHS.hf:45-13; and the HHS, "Automated Information Systems Security Program Handbook." IHS, OIT-DIS General User Security Handbook, DIS-SOP-06-11a; HHS-OCIO-2011-0003 HHS-OCIO Policy of Information Systems Security and Privacy.
RETENTION AND DISPOSAL
52. How long does IHS keep patient medical records?Answer: The records are retained in accordance with the IHS Records Disposition Schedule. Inactive patient medical records are kept anywhere from 3 to 7 years at the facility, then transferred to a Federal Records Center for seventy-five (75) years. All records must be retained in a usable format for the life of the record. Note: No paper records that have been converted over to EHR should be destroyed or shredded, follow the above guidance.
53. Are there Privacy Act System Managers for the IHS medical records system?Answer: Yes, the IHS Privacy Act System Mangers are: Area and Service Unit Directors. A complete listing of the system managers is set forth in 09-17-0001, IHS Health and Medical Records Systems, HHS/IHS/OHP, Appendix 1. Appendix 2 contains a listing of the Federal Archives and Records Centers
54. During evenings and weekends, who is the IHS official at the facility (Service Unit) level responsible for deciding whether information from a patient's medical record may be released to the patient or a third party?Answer: The facility (Service Unit) Director (Privacy Act system manager) should designate in writing, those individuals authorized to release information from a patient's medical record during non-regular hours (5pm-8am, weekends, and holidays).
NOTIFICATION AND ACCESS PROCEDURESIHS has published detailed instructions regarding notification and access procedures to patient medical records in the Notification and Access Procedure sections for this system notice under 09-17-0001, please reference these procedures.
55. Can patients see their own medical record?Answer: Yes, but only with the approval of the responsible IHS official and the assistance of a health care provider. Refer to HHS Privacy Act Regulations, section 5b.5.
56. Can a patient gain access to or get a copy of his/her medical record?Answer: Yes. The patient must designate a representative in writing, this may be an IHS health professional, who is willing to review the medical record and inform the patient of its contents at his/her discretion. If the IHS responsible official determines that there is nothing in the medical record that would have a negative affect on the patient, the patient may be given access to his medical record. However, if the responsible official cannot reach a decision on the matter, the medical record will be forwarded to the patient's designated representative. The patient should be informed in writing that his medical record have been forwarded to the designated representative.
REQUESTS IN PERSON
57. Can a patient gain access to their medical record if they are filed under her maiden name?Answer: Yes. The patient must first provide evidence that she is the person to whom the medical records applies. The notification procedures must be followed.
58. What types of identification (I.D.) are required from a patient to access their medical record?Answer: A driver's license or other official photo I.D. is preferred. However, if the individual is personally known to the IHS medical record's employee, a note to that effect can be put in the patient's medical record and the patient may be given access to their own record, provided procedures are followed. If no I.D. is available, and the individual is not known to the medical record's staff, the individual may attest in writing that he/she is the person to whom the record applies. Individuals attesting to their identity should be informed of the penalties for requesting records under false pretenses.
59. What if a person does not know how to write?Answer: They should make their mark on the release form and have it verified in writing by two witnesses.
REQUESTS BY MAIL
60. Can patients request a copy of their medical record through the mail?Answer: Yes. Written requests must contain the IHS 810 form or equivalent of the patient's name, address, D.O.B , if possible the Social Security Number, the patient's signature, and indicate a knowledge of something distinctive about the record, such as dates of service or treatment, or date of a past admission to a particular IHS facility, etc.
61. What is the best way for a patient to request access to his/her own medical record?Answer: The preferred manner for a patient to gain access to his/her medical record is to put their request in writing. The IHS facility should respond within 10 business days. A patient can also make his/her request in person, with proper I.D. Remember, that under 5CFR 5b.13, you are allowed to provide the first 250 pages of the medical record free of charge; copies over 250 pages are charged $.15 per page. If you have any questions, regarding this issue please contact your Area Privacy Act Advocate.
REQUESTS BY TELEPHONE
62. If a patient requests information from his/her medical record over the phone can IHS staff provide the information?Answer: No. Since positive I.D. of the caller cannot be established, telephone requests are not honored.
63. What should IHS staff do if they receive a telephone call from the local police, who want to confirm an inmate's medication or request information from the inmate's medical record?Answer: The process should be as follows: (1) callers should be referred to the medical record's Supervisor (2) medical record's Supervisor should take down the information being requested, get the name and number of the individual requesting the information; and (3) contact the SU CEO or designee who will determine whether to release the information. Under emergency life threatening situations, this information may be released. Remember you must record this disclosure under the Release of Information (ROI) software package.
64. How should staff handle outside calls for medical record information regarding third-party payments under a health plan?Answer: Take down the information being requested, the name and telephone number of the person requesting the information, and refer it to the Business Office staff in connection with the Medical Records Supervisor, who will determine whether the information will be released, or follow Service Unit written policies and procedures.
65. What information can IHS staff release to an outsider caller about a patient's medical condition or stay in an IHS hospital to: (1) immediate family members; (2) friends and relatives; or (3) other third parties?Answer: Unless the patient signed a restriction, form 912-1 the restriction IHS from disclosing any PHI or PII you are prohibited from disclosing information to the public. If no restrictions existing, IHS may elect to disclose that the patient is in the hospital and his hospital phone number is (usually the nurses' station) who will direct the call. It will be up to the patient consenting of whether to provide his diagnosis, prognosis or treatment and location of his room to whomever is calling or requesting.
66. The IHS staff received a telephone call from the HHS Office of the Inspector General (OIG) requesting information from a patient's medical record. Can IHS disclose the information to the OIG?Answer: No, The IHS Privacy Act staff should request a written explanation of why the HHS OIG is requesting the information. Once the justification is obtained, the release is permissible within HHS-to-IHS employees who have a need for the records in the performance of their duties.
PARENTS AND LEGAL GUARDIANS
67. Are parents or legal guardians required to information from the medical record of their minor children or legally incompetent individuals for whom they are responsible?Answer: No and Yes. Parents or legal guardians are not to receive any medical records information of their minor children unless the child consents. Parents and guardians must verify their I.D. A birth certificate or legal guardianship papers may be requested or required if there is any doubt as to the relationship with legally incompetent individual.
68. Are there procedures for a patient to access his/her reimbursement records?Answer: Yes. When seeking access, the patient must provide a description of the information he/she is seeking and provide identification.
69. Can a patient find out if any routine use disclosures have been made from his/her records?Answer: Yes. The patient can make a written request for a listing of the disclosures (Accounting of Disclosure) that have been made from his/her records.
70. Should a patient be given direct (hands-on) access to his or her own chart?Answer: Patients should NOT have direct access to their medical record for any reasons unless the medical records staff is identifying a section of the medical record.
71. Can patients be given their charts to carry to another department within the same facility or to another health care facility?Answer: It is preferable that charts be transmitted from one department to another or to another facility without involving the patient. However, each SU should develop internal procedures on how to handle of the medical record.
72. Can a patient be given direct (hands-on) access to another patient's medical record, i.e., a parent/child, husband/wife, etc.?Answer: No.
73. Can a supervisor be given direct access to information in an employee's medical record?Answer: No. Unless the employee consent to the disclosure of the minimum necessary portion of the medical information that the supervisor is requesting otherwise, under the HIPAA Privacy Rule the supervisor or any other staff person where the employee' works is not entitled to the medical record.
74. When a supervisor requests job-related information from an employee's medical record, does the request have to be in writing?Answer: No but the request will be denied and only the patient (or employee) can consent to the disclosure in compliance with the HIPAA Privacy Rule.
75. Is there a time limit in which a patient's request to access his Medical Records should be honored?Answer: While there is no statutory or regulatory requirement, as a matter of policy, a patient's request should be honored within 15 business days.
76. May a patient review someone else's medical record?Answer: No. Unless release of the requested information is permissible under the FOIA, he/she may not access information in the medical record of another patient unless the patient has consented in writing to the review.
77. If a patient is referred to another facility (IHS or non-IHS), can the patient take their medical record with them?Answer: No, the original patient medical record should never leave the IHS facility. A copy of the medical record will either be faxed to a secured fax machine or sent via express mail.
78. Does IHS have a standard form for patient's to release of information from their patient medical record?Answer: Yes. The form is the IHS-810, "Authorization for Use or Disclosure of Protected Health Information." In order to maintain consistency, IHS staff are required to use this form. As with other authorized agency forms, this form may not be changed, modified, or altered in any manner except by the IHS forms committee.
CONTESTING RECORD PROCEDURE
79. Can a patient contest information contained in his/her medical record?Answer: Yes. The patient will need to specify on IHS 917 form, "Request for Correction/Amendment of Protected Health Information."
- the information being contested,
- the corrective action being sought;
- the reason for requesting the correction; and
- produce supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant. See also, HHS Privacy Act Regulations, section 5b.7.
RECORD SOURCE CATEGORIES
80. What sources does IHS use to develop its records?Answer: In addition to the patient and his/her family, IHS may obtain information from IHS health care personnel, State and local health care providers, IHS Contract Health Services (CHS), Medicare/Medicaid agencies, and the Social Security Administration.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT
81. Are any IHS systems exempted from certain provisions of the Act?Answer: No.
Miscellaneous Questions About IHS Medical Records System
1. If a copy of a birth certificate or tribal enrollment form is in the patient's IHS medical record, can IHS staff give a copy to the patient because the patient lost the original and requests a copy?Answer: Yes. The patient has a right to a copy of any record in his/her file and cannot be charge for the copy as it meets the first 250 pages of the medical record is free of charge - 45 CFR 5b.13.
2. May information from a deceased person's (child or adult) medical record be disclosed to the public?Answer: No
3. Are the medical records of a deceased patient subject to the Privacy Act?Answer: No. The Privacy Act only applies to living individuals. Access to the records of a deceased individual must be made through the FOIA procedures.
4. Can the Service Unit medical record staff released deceased records to the legal guardian, next-of-kin, personal representative under FOIA?Answer: Yes, if the requestor has provided the proper legal documentation that states that they are the legal personal representative, next-of-kin, legal guardian etc., the medical record may be released at the local level and must be reported to Area FOIA Coordinator as a FOIA request. If no documentation is provided to the written request, then the request must be forwarded to the Area FOIA Coordinator. The Privacy Act only applies to living individuals. Access to the records of a deceased individual must be made through the FOIA procedures.
5. What do you do when the emergency room of another facility requires medical information concerning previous medications given to someone being treated for acute alcoholism? Can such information be released?Answer: This information is released under the HIPAA Privacy Rule Treatment, Payment, Healthcare Operations (TPO) requirement, and routine use #1 of the system notice. Please be advised that all TPO disclosure must be accounted for under the Release of Information software package.
6. How should IHS staff at the local level handle a court order for medical records information?Answer: Court orders (including tribal court orders) will need to be examined to see if they were issued by a "court of competent jurisdiction" as required by the Privacy Act, i.e., a court having jurisdiction over the parties and the subject matter. Staff should immediately refer all court orders to the Area Privacy Act Coordinator or the regional attorney for a technical advice and assistance.
7. Should IHS staff honor a subpoena signed by an attorney or the clerk of a court?Answer: No. Subpoenas for medical records, unless actually signed by a judge, are not court orders. A subpoena does not constitute "the order of a court of competent jurisdiction," as required by the Privacy Act. Also, there is no routine use allowing such a disclosure. However, subpoenas are legal documents and should be referred to the Privacy Act staff for appropriate follow-up.
8. May a IHS release medical records pursuant to a written request from a Federal agency performing a criminal investigation?Answer: Yes. The Privacy Act (5 U.S.C. §552(a)(b)(7)), allows such a disclosure. Such a request must be submitted by the head of the requesting agency, specify the records desired, and the law enforcement activity for which the record is sought.
9. Can IHS staff release information from a patient's medical records to a police officer so that he/she may contact a family member to notify them that the patient is in custody due to an alcohol/drug abuse related incident?Answer: No. IHS staff must have a release form signed by the patient before you can release information to a police officer.
10. Should Privacy Act responsibilities be designated in writing?Answer: Yes. The appropriate Privacy Act system manager (Area/Program and Service Unit Directors) are responsible for designating, in writing, staff assigned Privacy Act responsibilities. This staff includes Area Privacy Act Coordinators, Service Unit Liaisons, and their alternates, if any.
11. Should Service Unit Privacy Act staff review contracts that require a contractor to maintain or have access to the IHS Privacy Act medical records system?Answer: Yes, but it is the Area Privacy Act Coordinator and the IHS contracting specialist who have the primary responsibility for ensuring that the Privacy Act requirements are contained in Area contracts. In addition, to be in compliance with the HIPAA Privacy Rule, a business associate agreement must be included with the contract.
12. Can Service Unit management staff make and keep copies of employees SF-50's and SF-52's and maintain an unofficial personnel file as well as a unofficial medical records file?Answer: Yes. These records may be copied and filed at the local management level. However, only those IHS staff who have a "need to know" in the performance of their duties should have access to the information and the records must be safeguarded accordingly. Copies should be destroyed or returned when the "need to know" has expired.
13. What information from a patient's medical record can be released if it contains information on alcohol and/or drug abuse?Answer: If the Medical Record contains information on alcohol and/or drug abuse, then the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations apply (See, 42 CFR Part 2). In summary, such records may only be disclosed: (1) to meet medical emergencies; (2) for research, audit and evaluation; (3) pursuant to a court order signed by a judge; and (4) pursuant to an authorized and qualified service organization agreement.
14. The IHS mental health unit may maintain confidential mental health information in separate records. Should mental health prescriptions be kept in this record or in the patient's main medical record?Answer: Such records may be maintained in separate files, but they are part of the IHS medical records Privacy Act system, 09-17-0001 Medical, Health, and Billing Records.
15. What do I do if the local Privacy Act staff is unable to answer a Privacy Act question or problem?Answer: If local Privacy Act staff are unable to provide an answer to a Privacy Act question or problem, request technical assistance and guidance from the Area Privacy Act Advocate. If the Area Privacy Act Advocate is unable to respond, they should in turn refer the matter to the Agency Privacy Act Officer at IHS Headquarters, Rockville, MD. The Office of the General Counsel and regional attorneys may also be contacted for a legal advice and guidance. The agency Privacy Act Officer forwards copies of legal advice or guidance to the Privacy Act field staff and copy the Area Privacy Act Advocate.