California HIPAA training for small businesses


Access to Protected Health Information (PHI)


Patients have a "...right of access to inspect and obtain a copy of PHI about the individual... for as long as the PHI is maintained... except for (i) psychotherapy notes; and (ii) information compiled... [for legal purposes]..." § 164.524

However, HIPAA allows covered entities (CEs) to "...impose a reasonable, cost-based fee... for labor, supplies, postage..." § 164.524(c)(4)

California allows providers to impose a "...fee to defray the cost of copying...up to 25 cents/page..." H&S C § 123110(b)

Electronic Health Records (EHR)

Recent modifications to HIPAA allow patients to access electronic PHI "...if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the CE and the individual..." § 164.524(c)(2)(ii)

Providers are not required to scan paper records into electronic format. But if the provider keeps both electronic and paper records, it may be more efficient to scan the paper records into PDF format than to deliver a combination of electronic and hard copies. 78 FR 5633, 5634, January 25, 2013

A CE is not required to use external media offered by patients, because an infected flash drive could introduce malware into the CE's information system. If the patient declines to purchase portable media from the CE, the entity may offer to email the records to the patient instead.

Timely Response


HIPAA allows CEs up to 30 days to respond to patient requests for access. But in California, a health care provider must provide the opportunity of "...inspection during business hours within 5 working days after receipt of the written request..." H&S C § 123110(a). California's shorter deadline is permitted by HIPAA because it is "more stringent" than federal law and provides greater rights of access to PHI. § 160.202

Requests for Extra Privacy


Some patients need extra protection for highly sensitive information. The HIPAA Privacy Rule provides two methods. § 164.522

First, a patient may request a restriction on permissive disclosures of PHI. The provider is not required to agree to the patient's request unless the patient has fully paid for the services rendered and the PHI pertains solely to those items or services. § 164.522(a)

Second, a patient may request confidential communications from the CE at an alternative location or by alternative means. § 164.522(b)

For example, a patient may ask the doctor to call her at work instead of at home, or a patient may ask the CE to send mail to a P.O. box instead of the home address. The CE must accommodate the patient's request for confidential communications if the request is reasonable.

Request for Amendment


Under HIPAA, patients have the right to request amendments to their PHI. The provider may deny the patient's request if the PHI was created by someone else, if the PHI is not part of the CE's records, if it is restricted, or if the provider believes it to be accurate and complete. § 164.526(a) If the provider agrees to amend the PHI, he must append the new information and make the amended version available to future providers.

In California, a patient has an absolute right to provide an addendum that explains anything, provided the writing is no more than 200 words. Health & Safety Code § 123111

Responding to emails

HIPAA has no technical specifications for securing email. However, the Security Rule intended its safeguards to be "scalable" to fit all sizes and kinds of business structures. HIPAA Security Series 101

When standards are absent, the mini-security rule comes into play. The Privacy Rule requires the CE to "...reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure." § 164.530(c)

For example: an elderly patient wants to receive highly sensitive test results by email, but the provider is not sure the patient's caregiver is reliable. The provider may communicate the results by telephone instead of email. See OCR's FAQ

Denial of Requests

Patients have no right to review psychotherapy notes or information compiled for legal reasons. Such denials are "unreviewable." § 164.526(a)(2)

For all other denials of access to PHI, the CE must be ready to provide a statement describing the patient's right to have an outside "reviewing official" (a licensed health care professional) evaluate the CE's denial.

Under California law, a patient may hire an attorney to present a signed authorization to inspect all of the records. If the provider refuses, he or she may be compelled by a court of law. Evidence § 1158. Patients also have the option of filing a complaint with OCR. OCR Complaint

Surrogate Access

HITECH modifications to HIPAA made it easier to obtain caregiver assistance with records. The patient can ask the provider to transmit copies of medical records to another person the patient designates.

The request "...must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information." § 164.524(c)(3)(ii)

The rule does not require the written request to be a HIPAA-compliant authorization form, but the CE may use its own authorization form as the written request.


© Darnall Law Office 2015