1. The agency shall also comply with the provisions regarding access of HIPAA protected health information as set forth in 45 CFR 164.524, particularly the provision regarding grounds for denial, reviewability of denial, notice of denial, required review by a licensed health care professional, and notice and existence of a complaint procedure.
  2. Request procedure
    1. Requests must be in writing.
    2. You must act on the request in 30 days unless the information is not maintained or accessible on-site, in which case you may have one 15 day extension if you inform the person in writing giving the reason for delay (HIPAA allows a 30 day extension but FERPA only allows 15).
    3. If you deny access whether in whole or in part you must give the person a written denial.
  3. Denials requiring no review - You may deny access to certain information without offering review as, e.g.:
    1. Psychotherapy notes;
    2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding;
    3. Information created or obtained in the course of research if the individual has agreed to the denial of access when consenting to participate in the research;
    4. Certain PHI to which access is prohibited or not required by law (and which the CFC is highly unlikely to have);
    5. If the PHI was obtained from someone other than a healthcare provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information;
  4. Denials requiring review - You may deny access in some circumstances if you offer review, e.g.:
    1. If a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
    2. If the PHI makes reference to another person (unless the other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the other person (FERPA requires that a parent be granted access to only those records pertaining to his or her child); or
    3. If the request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that access to the personal representative is reasonably likely to cause substantial harm to the individual or another person.
  5. Review must be done by a professional - The review must by done by a licensed health care professional who did not participate in the original decision to deny.
  6. Denial procedure - If you deny access, in whole or in part, you must:
    1. To the extent possible, give the person access to any other requested protected health information, after excluding the denied information.
    2. Provide a timely, written denial containing:
      1. The basis for the denial;
      2. If applicable, a statement of the individual's review right and the place to direct the request for review (name or title and telephone number of contact person); and
      3. A description of how the individual may complain to the CFC or the Department pursuant to 45 CFR 164.530 and to the Secretary of the U.S Department of Health and Human Services pursuant to the procedures in 45 CFR 160.306. The description shall include the name, title and telephone number of the contact person or office designated.
    3. Inform the individual where to direct the request for access if the PHI that is requested is not maintained by the CFC and you know where it is maintained.
    4. Designate and promptly refer a request for review to a licensed health care professional who was not directly involved in the denial. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access based on the above review standards.
    5. Promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required above to carry out the designated reviewer's official determination.
  7. Who responds to requests - You must handle requests regarding records created and maintained by you in the course of providing EI services. If the request relates to records created and maintained by the Bureau of EI or the Central Billing Office (CBO), you should instruct the individual to contact the Bureau or the CBO directly to request access.
  8. CFCs must attach a log inside of the front cover of each new file for the purposes of logging all disclosures of PHI that are required by HIPAA, including possible disclosures due to lost or stolen equipment such as a laptop or any removable media such as floppy disks, CDs, DVDs, cassettes or flash drives. The log should include the name of the party that information was disclosed to, the date of disclosure, the information disclosed and the purpose for disclosure. A parent has a right to request and receive an accounting of any disclosures of a child's PHI made in the six years prior to the date on which the accounting is requested as required in 45 CFR 164.528 (exceptions are provided therein for various disclosures).
  9. If any record includes information on more than one child, the parents of those children shall have the right to inspect and review only the information relating to their child or to be informed of that specific information.
  10. CFCs shall provide on request a list of the types and locations of records collected, maintained, or used by the agency.
  11. CFCs may charge a fee for copies of records.
  12. Parents who believe that information in their child's record is inaccurate, misleading or violates the privacy or other rights of the child may request that CFCs amend the information. The agency shall also comply with the provisions regarding amendments of HIPAA protected health information as set forth in 45 CFR 164.526, particularly the provision regarding denial and regarding notice and provision of a complaint procedure.