Effective Date: April 10, 2017
Policy

HIPAA Policies for BU Health Plans: Policy 6, Individuals’ Rights Under HIPAA

Responsible Office: Research Compliance

This Policy 6 is part of the HIPAA Policies for BU Health Plans Manual – Privacy and Security of Protected Health Information for BU Health Plans.

6.1 Right to Notice of Privacy Rights

Individuals have the right to be informed of the uses and disclosures of their PHI that may be made by the BU Health Plans, and of their rights and the BU Health Plans’ responsibilities under HIPAA. To this end, each BU Health Plan is required to have a Notice of Privacy Practices (“NPP” or “Notice”) approved by the BU HIPAA Privacy Officer.

Posting and Distribution of the Notice of Privacy Practices
The approved NPP is prominently posted on the BU Health Plans’ website.

The NPP will be distributed to all new BU employees.

The NPP will be available to anyone in a paper form by request and electronically on the BU Health Plans web site.

The BU Health Plans will distribute the NPP during the annual enrollment period electronically to employees with internal e-mail accounts and mail to Individuals without internal e-mail accounts.

Revisions to the Notice
Revisions to the BU Health Plans’ privacy practices will not be implemented prior to the effective date of the revised Notice. If material revisions are made to the Notice, the BU Health Plans will provide the revised Notice electronically to employees with internal e-mail accounts and by US mail to Individuals without internal e-mail accounts within 60 days of any material revision to the Notice along with instructions on obtaining it.

The HIPAA Privacy Officer will retain copies of the original Privacy Notice and any subsequent revisions for a period of six years from the date of its creation or when it was last in effect, whichever is later.

6.2 Right to Access and Copy Own Health Record

Except in limited circumstances described below, individuals have the right to access, inspect and receive a copy of PHI about them in the BU Health Plans’ Designated Record Set.

Use of Authorization Form
The BU Health Plans require participants to request copies of their records in writing.

Each BU Health Plan may make changes to the approved Authorization to Disclose PHI form with the approval of the BU HIPAA Privacy Officer.

The BU Health Plans should refer to its Designated Record Set procedure when a request for PHI is received to ensure disclosure of all documents subject to disclosure.

Time Period to Respond and Provide Access
Requests should be fulfilled as soon as practicable. If the BU Health Plan is not able to provide the requested records or respond to the request within 30 days, the BU Health Plans shall contact the BU HIPAA Privacy Officer and the BU HIPAA Privacy Officer may provide the Individual written notification of the reasons for the delay and the expected date of fulfilling the request.

Format of Records
The BU Health Plans shall provide the information requested in the format requested by the individual, if reasonably possible. The BU HIPAA Security Officer is available to advise on producing PHI in an electronic format. The BU Health Plans shall contact the BU HIPAA Privacy Officer in the event it is not able to accommodate the individual’s preferred format.

Inspection or Summary in Lieu of Copies
If the individual requests inspection of the records rather than a copy, the BU Health Plans shall arrange for a mutually convenient time and place for the individual to inspect the Designated Record Set.

The BU Health Plans may provide an individual with a summary or an explanation of the PHI requested, in lieu of providing access to the PHI, if the individual:

  • agrees in advance to the summary; and
  • agrees in advance to any fees imposed (if any) by the BU Health Plans for preparation of the summary.

Clarification of Request Permitted
The BU Health Plans may discuss the scope, format, and other aspects of the request for access with the individual, as necessary to facilitate the timely provision of access or copies.

Charges for copies

  1. No fee may be charged to an individual who requests a record for the purpose of supporting a claim or appeal under any provision of the Social Security Act or any federal or state financial needs-based benefit program.
  2. BU Health Plans will document in its procedures whether it will charge for other copies. Any charges must comply with the following:

Electronic copies: BU Health Plans may charge a flat fee of $6. If a BU Health Plan receives a request for an electronic copy of a record which will entail an unusual amount of work, the HIPAA Contact shall contact the BU HIPAA Security Officer for guidance.

Paper copies: BU Health Plans may not charge a flat fee for paper copies. Any charges must be reasonable and based on the labor and supply costs of copying.

6.3 Right to Request Amendment

Individuals have the right to request in writing that PHI in a BU Health Plans’ Designated Record Set be amended. Note the individual does not have an unqualified right to amend, but has a right to request, and the BU Health Plans must consider the request as described below.

Procedure for Individual to Request Amendment
An individual who desires an amendment must provide the BU Health Plans a written statement identifying the portions of the record s/he considers inaccurate or incomplete, and the substitute or additional information s/he wishes to be added to the record. The individual may use BU’s approved form for this, or may provide a substantially similar written request.

BU Health Plans’ Response to Request
Upon receiving a Request to Amend, the BU Health Plans’ HIPAA Contact shall review it. If the request is to correct demographic information or any information that originally came from the individual and which the individual says was recorded inaccurately, the HIPAA Contact, in his/her judgment, may make the correction. Examples include correcting spellings, ethnicity, date of birth and similar matters.

Any requests to amend information provided by someone other than the individual may be denied if the original record is accurate.
The decision to grant or deny a request to amend should be made within 60 days of the request. If after 30 days the BU Health Plans has not been able to make a decision, it should contact the BU HIPAA Privacy Officer.

When the BU Health Plans Grants the Request to Amend
Within 60 days of receipt of the written request to amend, the BU Health Plans shall notify the individual that it has accepted the request, and shall make the change requested to the medical record, as follows:

Paper Record: Amendments will be made by drawing a single line through the original entry in such a way that the original entry remains legible. Where the entry has been changed the word “error” should be clearly printed at the incorrect entry, the correct information shall be entered, and the BU Health Plans staff person making the change should initial and date the correction.

Electronic Record: The BU Health Plans may make electronic corrections in such a way as to make it clear that an entry is being corrected, noting the person making the correction and the date of correction.

In addition to notifying the individual and making the change, the BU Health Plans should determine whether the information subject to the amendment has been disclosed to anyone outside of the BU Health Plans who may have had reason to rely on the amended information, and if so, shall forward the amended entry to those recipients.

When the BU Health Plans Denies the Request to Amend
Before denying a request to amend, the BU Health Plans must consult with the BU HIPAA Privacy Officer.

The request to amend may be denied when the information to be amended:

  • is not part of the BU Health Plans’ Designated Record Set;
  • is accurate and/or complete; or
  • was not created by the BU Health Plans (unless the individual can provide reasonable evidence that the originator of the PHI is no longer available to act on the amendment request, in which case, the BU Health Plans may include the individual’s statement of Amendment in its record).

The BU Health Plans must notify the individual of its decision, in plain language, including the following:

  • the reason for denial;
  • the individual’s right to submit a statement disagreeing with the denial and how the individual may file such statement;
  • the individual’s right to ask that the original amendment request and denial be attached to any future disclosures of the information; and
  • how to file a complaint with the BU Health Plans and/or the Secretary of Health and Human Services about the denial.

Recordkeeping
The completed Request for Amendment in Medical Record Form, the BU Health Plans’ Response and any statement of disagreement will be filed in the individual’s record.

6.4 Right to an Accounting of Disclosures

Individuals have the right under HIPAA to request an Accounting of disclosures of their health information, and BU Health Plans have the obligation to fulfill such requests by following the procedures in this Policy.

BU Health Plans should contact the HIPAA Privacy Officer if any Request for Accounting is received.

What is in an Accounting?
The Accounting includes disclosures made without the individual’s Authorization within the 6-year period prior to the date of the request, or such shorter period as the Individual may request.

Example of disclosures included in an Accounting:

  • Disclosures made for public health reporting.
  • Disclosures made to government entities or law enforcement.
  • Disclosure for Research purposes without individual Authorization.
    • If the research involves 50 or more individuals, the Accounting may provide only the following information:
      • Name of the research protocol;
      • Description of research activity;
      • Type of PHI disclosed;
      • Period of time during which disclosure was made; and
      • Contact information for the research sponsor and the researcher who received the information.

The following are excluded from an Accounting:

  • Disclosures for treatment, payment or health care operations;
  • Disclosures made to the individual (or authorized personal representative of the individual) who is the subject of the PHI;
  • Disclosures made pursuant to a valid Authorization;
  • “Incidental” disclosures, i.e., an unintended disclosure during the course of a permitted use or disclosure;
  • Disclosures made to family members and friends involved in the individual’s care;
  • Disclosures made for national security or intelligence purposes;
  • Disclosures to correctional institutions, or custodial law enforcement officials;
  • Disclosures made more than 6 years before the request for Accounting; and
  • Disclosures made as part of a Limited Data Set in accordance with a Data Use Agreement when used solely to disclose a subset of information for research, public health or health care operations.

How the Individual Makes a Request for an Accounting
Requests for an Accounting of disclosures of PHI must be made in writing to the BU Health Plans. The Individual may use the “Request for an Accounting of Disclosures” form, or provide substantially the same information in another writing. The BU Health Plans should consult with the BU HIPAA Privacy Officer on any request for Accounting.

Time to Respond
The BU Health Plans must respond by providing the Individual an Accounting in writing within 60 days of the request. If after 30 days, it appears the Accounting may take longer, the BU HIPAA Privacy Officer may notify the individual in writing of the reason for the delay, and/or may extend time to provide the Accounting of disclosure by an additional 30 days.

Information about Each Disclosure in Accounting
The following elements must be included for each disclosure listed on the Accounting of Disclosure:

  1. Date of disclosure;
  2. Receiving party, and address, if known;
  3. Description of PHI disclosed;
  4. A brief statement of the purpose of the disclosure;
  5. If multiple disclosures were made to the same entity for the same purpose, the BU Health Plans must identify the number of times the disclosure was made and the date of the last such disclosure; and
  6. Disclosures made by the BU Health Plans’ Business Associates, if made for purposes other than treatment, payment or health care operations (e.g., if a Business Associate responded to a subpoena for PHI of the Individual).

Accounting for disclosures made for research involving 50 or more individuals:
When disclosures are made for research involving 50 or more individuals, the Accounting of Disclosures may be limited to providing to the individual the following information:

  • The name of the research protocol or other research activity;
  • A description of protocol or activity including purpose of research and criteria for selecting particular records;
  • A brief description of the type of PHI that was disclosed;
  • The date or time period during which disclosures occurred including date of last such disclosure;
  • Information about the entity that sponsored the research and about the researcher to whom the information was disclosed; and
  • A statement that the PHI may or may not have been disclosed for a particular protocol or other research activity.

Tracking Disclosures for Accounting Purposes
In order to be prepared to fulfill a request for Accounting, the BU Health Plans must track all disclosures of an individual’s PHI in the Designated Record Set that may be required in an Accounting.

Charge for Providing an Accounting of Disclosures
The BU Health Plans may not charge an individual requesting an Accounting of Disclosures for the first Accounting in a 12-month period. The BU Health Plans may charge a reasonable fee for subsequent requests in the same 12-month period.

Each BU Health Plans shall document its procedure on fees for an Accounting.

Denial Due to Special Circumstances
The BU Health Plans must temporarily suspend an individual’s right to receive an Accounting of disclosures to a health oversight agency or law enforcement official if such agency or official provides the BU Health Plans with a written statement that providing such an Accounting to the individual would impede the agency’s or official’s activities and specifying the time for which such suspension is required.

If the agency or official makes such a request orally, the BU Health Plans must document the statement including the name of the agency and official making the statement and must temporarily suspend the individual’s right to an Accounting of any disclosures made to such agency in accordance with the statement. Temporary suspensions may be allowed for a period not to exceed thirty (30) days from the date of an oral request; if the agency or official submits a written request for a suspension for a period longer than 30 days, the BU Health Plans shall comply.

6.5 Right to Request Restriction

Types of Restrictions Available
Individuals have the right to request a restriction on uses and disclosure of their PHI. Typical requests include asking the BU Health Plans to not share any or all information with a family member or friend of the Individual, which should be granted in most circumstances. The BU Health Plans should endeavor to accommodate all reasonable requests, but should not agree to a restriction if it is not feasible to comply with it.

All requests for restriction shall be forwarded to the BU Health Plans’ HIPAA Contact, who must consult the BU HIPAA Privacy Officer before denying. The BU Health Plans should inform the Individual in writing of its decision.

An Individual may make a request for a restriction either in writing or orally. If an oral request is made, the BU Health Plans should document the request in the medical record. A form is available for requesting the restriction, but its use is optional. The Individual does not need to explain the reason for the request.

The following uses and disclosures may not be restricted:

  • Uses and disclosures for which an Authorization or opportunity to agree or object is not required; such as in the cases of national security, public health activities, law enforcement, victims of abuse, neglect or domestic violence and research (see Policy 2.13); and
  • Disclosures required by the Secretary of the Department of Health and Human Services to investigate or determine compliance with HIPAA.

Terminating a restriction

The BU Health Plans may terminate a restriction in the following circumstances:

  • If the Individual requests and agrees to the termination in writing;
  • If the Individual agrees to the termination orally and the oral agreement is documented; or
  • If the BU Health Plans inform the Individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to PHI created or received after the BU Health Plans notifies the Individual of the termination.

6.6 Right to Request Confidential and Alternate Modes of Communications

Individuals have the right to request that BU Health Plans communicate with them by an alternative means (e.g., written, electronic or oral) or at an alternative location (e.g., work, school or home). Requests should be submitted by the Individual in writing. A form is available for this purpose. The Individual is not required to provide a reason for the request.

Non-Secure E-Mail/Text Requests
The BU Health Plans Workforce must use only the secure e-mail system when communicating electronically with participants, and may not initiate, suggest or recommend non-secure e-mail or text communications involving PHI.

If a Workforce member receives a non-secure e-mail or text from a patient, s/he should not respond by the same means, but may send an e-mail response via Data Motion.

Accepting/Denying Other Requests
The BU Health Plans must consider any request to receive communications by an alternative means, and make reasonable attempts to accommodate the request. However, the BU Health Plans should not agree to any request it cannot reasonably implement. Before denying any such request, the BU Health Plans’ HIPAA Contact must consult with the BU HIPAA Privacy Officer.

Upon acceptance/denial of such a request, the BU Health Plans will inform the Individual of its decision. If any Business Associate of the BU Health Plans may communicate with the Individual requesting a restriction, the BU Health Plans must inform that Business Associate.

6.7 Right to Complain

BU Health Plans must provide a process for Individuals (participants of a Covered Health Plan) to make complaints if they believe their rights have been violated by a failure of the BU Health Plans’ policies and procedures to comply with the HIPAA Privacy Regulation, or a failure of the BU Health Plans to comply with its policies and procedures or the requirements of HIPAA. The BU Health Plans must refrain from retaliation against complainants.

BU EthicsPoint
Anyone wishing to make a confidential report may do so at BU’s confidential hotline, EthicsPoint. Alternatively, a report may be made by telephone at 866-294-8451.

Resolution of Complaint
The BU HIPAA Privacy Officer and HIPAA Contact will endeavor to satisfy the Individual’s concerns. If the BU HIPAA Privacy Officer finds no violation, s/he will notify the Individual in writing.

If the BU HIPAA Privacy Officer finds merit in the complaint after consultation with the BU Health Plans HIPAA Contact, s/he will notify the Individual of the findings and a proposed resolution to address harm, if any, to the Complainant. If investigation of the Complaint indicates a Workforce member has violated or contributed to a violation of these policies or of the law, disciplinary action under the HIPAA Sanctions policy.