HEALTH INFORMATION PRIVACY S.B. 465, 466, & 468: ENROLLED ANALYSIS
Senate Bill 465 (as enrolled) PUBLIC ACT 481 of 2006
Senate Bill 466 (as enrolled) PUBLIC ACT 575 of 2006
Senate Bill 468 (as enrolled) PUBLIC ACT 482 of 2006
Sponsor: Senator Gilda Z. Jacobs (S.B. 465)
Senator Bruce Patterson (S.B. 466)
Senator Deborah Cherry (S.B. 468)
Senate Committee: Health Policy
House Committee: Health Policy
Date Completed: 3-30-07
RATIONALE
Over the last several years, the privacy of individual health information has been of increasing concern. The Federal Health Insurance Portability and Accountability Act (HIPAA) was enacted to restrict who may view or receive a patient's health information and how that information may be used. For example, under HIPAA, a person's health information may not be disclosed to his or her employer or shared for marketing purposes without the patient's authorization. It may be used for the coordination of care or payment purposes, and shared with others identified by the patient. Despite the enactment of measures to increase protection, some people believe that privacy concerns remain with regard to medical records--particularly their maintenance and disposal--and the disclosure of some health information. It was suggested that State law should mandate the confidentiality of medical records and limit the disclosure of certain information, while ensuring that patients and their health care providers may gain access to records necessary to obtaining care.
CONTENT
Senate Bill 465 amended the Public Health Code to do the following:
-- Require an individual licensed under the Code to maintain a record for each patient (as required of a health facility or agency).
-- Require the records maintained by a licensee or a health facility or agency to be kept for at least seven years, or longer if required by law or generally accepted standards of medical practice.
-- Require a licensee or a health facility or agency that is unable to comply with the record maintenance requirements to contract with another provider or entity to do so.
-- Require a licensee, facility, or agency, upon ceasing to practice or operate, to notify patients and the Department of Community Health (DCH) and either transfer or destroy medical records as specified.
-- Allow a licensee, facility, or provider to destroy a record that is less than seven years old if the patient first is notified and given the opportunity to request a copy of the record, and authorizes the destruction.
-- Establish a maximum $10,000 administrative fine for a person who fails to comply with the record maintenance and disposal requirements if the failure is the result of gross negligence or willful and wanton misconduct.
-- Require a licensee and an applicant for licensure to give the DCH an affidavit concerning their maintenance of medical records.
Senate Bill 466 amended the Social Welfare Act to increase from six to
seven years the length of time a provider must retain the health care records of an individual enrolled in Medicaid; and prescribe standards for the disposal of a Medicaid patient's medical records.
Senate Bill 468 amended the Freedom of Information Act to allow a public body to exempt from disclosure as a public record protected health information.
Senate Bills 465 and 468 took effect on December 22, 2006. Senate Bill 466 took effect on January 3, 2007. The bills are described below in further detail.
Senate Bill 465
The Public Health Code requires a health facility or agency to keep and maintain a record for each patient, including a full and complete record of tests and examinations performed, observations made, treatments provided, and, in the case of a hospital, the purpose for hospitalization. A hospital that fails to comply with this requirement is subject to an administrative fine of $10,000.
The bill requires an individual licensed under Article 15 (Occupations) of the Code also to keep and maintain a record for each patient for whom he or she has provided medical services, including a full and complete record of tests and examinations performed, observations made, and treatments provided.
Under the bill, a health facility or agency, or a licensee, must keep and retain each record for at least seven years from the date of service to which the record pertains, or longer if otherwise required under Federal or State laws or regulations, or by generally accepted standards of medical practice. A licensee or health facility or agency may destroy a record that is less than seven years old if the licensee, facility, or agency sends a written notice to the patient at his or her last known address informing him or her that the record is about to be destroyed and offering him or her the opportunity to request a copy of it before it is destroyed, and the licensee, facility, or agency receives written authorization from the patient or his or her authorized representative agreeing to the destruction. The records must be maintained in a manner that protects their integrity, ensures their confidentiality and proper use, and ensures their accessibility and availability to each patient or his or her authorized representative as required by law.
Under the bill, if a licensee or a health facility or agency is unable to comply with the record-keeping requirements, the person, facility, or agency must employ or contract, arrange, or enter into an agreement with another health care provider, health facility or agency, or medical records company to protect, maintain, and provide access to the records.
If a licensee sells or closes his or her practice, or otherwise ceases to practice under Article 15, he or she or, if the licensee is deceased, his or her personal representative, may not abandon the required records. A health facility or agency that closes or otherwise ceases operation also may not abandon the records required to be maintained. The licensee or personal representative, or the health facility or agency, must send to the DCH a written notice that specifies who will have custody of the records and how a patient may request access to or copies of them.
The bill requires the licensee or personal representative, or the health facility or agency, also to do either of the following:
-- Transfer the records to a successor licensee, or successor health facility or agency; to the patient or a specific health facility or agency or other licensed health care provider, if requested or designated by the patient or his or her authorized representative; or to a health care provider, health care facility or agency, or medical records company with which the licensee or the health facility or agency has contracted or entered into an agreement to protect, maintain, and provide access to the records.
-- Destroy the records as long as the licensee or, if the licensee is deceased, his or her personal representative, or the health facility or agency, sends a written notice to the last known address of each patient for whom the licensee, facility, or agency has provided medical services.
The notice must give the patient 30 days to designate where he or she would like his or her records transferred in lieu of being destroyed. If the patient fails to request a transfer within the 30-day period, the licensee or his or her personal representative, or the health facility or agency, may destroy the records in accordance with the bill.
Except as otherwise provided under the bill or Federal or State laws and regulations, records required to be maintained under the Code or the bill may be destroyed or otherwise disposed of after being maintained for seven years. If the records subsequently are destroyed or otherwise disposed of, they must be shredded, incinerated, electronically deleted, or otherwise disposed of in a manner that ensures continued confidentiality of the patient's health care information and any other personal information.
If records are destroyed or otherwise disposed of in accordance with the bill, the DCH may take action, including contracting for or making other arrangements to ensure that the records and any other confidential identifying information related to the patient properly are destroyed or disposed of to protect the confidentiality of the patient's health care and personal information. Before taking action, the DCH, if able to identify the licensee or health facility or agency responsible for the improper disposal of the medical records at issue, must send a written notice to the licensee at his or her last known address or place of business on file with the Department, or to the facility or agency at its last known address on file, and give the licensee, facility, or agency an opportunity to destroy or dispose of the records properly, unless a delay in the proper destruction or disposal could compromise the patient's confidentiality. The DCH may assess the licensee or the health facility or agency with the costs the Department incurs to enforce these requirements.
A person who fails to comply with the requirements for record maintenance, transfer, or disposal is subject to a maximum $10,000 administrative fine if the failure is the result of gross negligence or willful and wanton misconduct.
The bill specifies that nothing in Section 16213 (concerning licensees' maintenance, disposal, and transfer of records) or Section 20175a (concerning health facilities' and agencies' transfer of records) may be construed to create or change the ownership rights to any medical records.
Additionally, an applicant for licensure, and, beginning with the license renewal cycle after the bill took effect, an applicant for a renewal license must give the DCH, on the application or the license renewal form, an affidavit stating that he or she has a written policy for protecting, maintaining, and providing access to his or her medical records in accordance with Section 16213 and for complying with that section in the event that the licensee sells or closes his or her practice, retires from practice, or otherwise ceases to practice. The applicant or licensee must make the written policy available to the DCH upon request.
The Code requires DCH employees and officers to respect the confidentiality of patient clinical records, and prohibits them from divulging or disclosing the contents of records in a manner that identifies an individual except pursuant to a court order. Under the bill, a DCH employee or officer also may divulge or disclose the contents of records as otherwise authorized by law.
(Under the bill, "medical record" or "record" means information, oral or recorded in any form or medium, that pertains to a patient's health care, medical history, diagnosis, prognosis, or medical condition and that is maintained by a licensee in the process of providing medical services.
"Medical records company" means a person who contracts for or agrees to protect, maintain, and provide access to medical records for a health care provider or health facility or agency in accordance with Section 16213 (which the bill added) or Section 20175 (which the bill amended).
The bill defines "patient" as an individual who receives or has received health care from a health care provider or health facility or agency. The term includes a guardian, if appointed; and a parent, guardian, or person acting in loco parentis, if the individual is a minor, unless the minor obtains health care lawfully without the consent or notification of a parent, guardian, or person acting in loco parentis. In that case, the minor has the exclusive right to exercise the rights of a patient under the bill with respect to his or her medical records relating to that care.)
Senate Bill 466
Under the Social Welfare Act, a Medicaid provider must maintain records necessary to document fully the extent and cost of services, supplies, or equipment provided to a medically indigent individual and to substantiate each claim and, in accordance with professionally accepted standards, the medical necessity, appropriateness, and quality of service rendered for which a claim is made. Previously, the provider had to retain each record for six years after the date of service. The bill increased that period to seven years.
Additionally, the bill requires a provider to maintain, retain, and dispose of patient medical records and other individually identifying information in accordance with the requirements described above, any other applicable State or Federal law, and the most recent provider agreement.
Under the bill, at a minimum, if a provider is authorized to dispose of patient records or other patient identifying information, including records described above, the provider must ensure that medical records that identify a patient and other individually identifying information sufficiently are deleted, shredded, incinerated, or disposed of in a fashion that protects the confidentiality of the patient's health care information and personal information. The Department of Human Services (DHS) may take action to enforce the record disposal provisions. If the DHS cannot enforce compliance, it may enter into a contract or make other arrangements to ensure that patient records and other individually identifying information are disposed of in a fashion that protects the confidentiality of the information. The DHS may assess costs associated with that disposal against the provider.
The provider's responsibilities with regard to maintenance, retention, and disposal of patient medical records and other individually identifying information will continue after the provider ceases to participate in the Medicaid program for the time period specified under the Act.
Senate Bill 468
Under the Freedom of Information Act, a person has a right to inspect, copy, or receive copies of a public record, upon making a request that describes the public record sufficiently to enable a public body to find it. A public body, however, may exempt certain information and documents from disclosure. These include medical, counseling, or psychological facts or evaluations concerning an individual if his or her identity would be revealed by a disclosure of those facts or evaluations. The bill also includes protected health information, as defined in 45 CFR 160.103.
(Under 45 CFR 160.103, "protected health information" means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. The term excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, records described in 20 USC 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.
"Covered entity" means a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with certain transactions.
Records described in 20 USC 1232g(a)(B)(4)(iv) are records on a student who is at least 18 years old, or is attending an institution of postsecondary education, that are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his or her professional or paraprofessional capacity, or assisting in that capacity, and that are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than the people providing such treatment, except that a physician or other appropriate professional of the student's choice may view them.
"Individually identifiable health information" refers to health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and either the information identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.)
MCL 333.16177 et al. (S.B. 465)
400.100b (S.B. 466)
15.243 (S.B. 468)
ARGUMENTS
(Please note: The arguments contained in this analysis originate from sources outside the Senate Fiscal Agency. The Senate Fiscal Agency neither supports nor opposes legislation.)
Supporting Argument
The bills will ensure that records vital to the provision of individual health care are maintained, and that the information contained in such records is protected. Complete, accurate medical records help health care professionals assess patients' conditions correctly and prescribe the appropriate course of action. For this reason, it is critical that records are accessible. There have been reports of several cases in which a medical office closed and the provider simply abandoned records instead of making arrangements for their continued maintenance. In some cases, patient health was seriously compromised because important information, such as mammograms and x-rays, could not be located, or the patients had to repeat painful, expensive tests. Reportedly, people sometimes call the DCH looking for records when their providers go out of business. Occasionally, the Department is able to track down the records; usually, however, the DCH cannot help patients at all. Senate Bills 465 and 466 specify that a provider's responsibility to maintain the records does not end when the provider ceases to practice, helping to ensure that the provision of care is more seamless.
It is also essential that medical records are maintained and disposed of in a manner that protects their confidentiality. Health records can provide unscrupulous actors with the information they need to commit identity theft, one of the nation's most quickly growing crimes. Reportedly, in 2005, a Grand Rapids news station found patient records discarded in unlocked, unguarded dumpsters near various medical offices. The records contained a wealth of personal data, such as names, addresses, birthdates, and Social Security numbers, as well as diagnoses and treatment information. Misuse of such information can lead to denial of credit or insurance coverage, the loss of employment opportunities, and a stigma that can be difficult to erase. Additionally, inadequate security measures can undermine patients' confidence in their health care providers, causing them to withhold information that might be critical to prescribing the proper treatment. The requirements for maintaining and disposing of records under Senate Bills 465 and 466 will enhance accessibility and patient privacy. The restrictions on the disclosure of health information under Senate Bill 468 also will augment privacy protections.
Legislative Analyst: Julie Cassidy
FISCAL IMPACT
Senate Bill 465
State-operated hospital facilities currently retain patient records for a period of 20 years after an individual is discharged, which makes it unlikely that the bill's record retention requirements will increase costs for State health facilities. Locally operated health facilities that previously did not retain patient information for seven years will see an increase in the cost of maintaining health records.
The Department of Community Health will see an increase in administrative cost associated with collecting and storing information from medical providers who end their practice on where patient information is transferred and how former patients may obtain this information. Also, the bill permits the DCH to take steps to ensure that medical records are destroyed in a fashion that protects patient confidentiality. The Department may impose fees on health facilities and professionals to cover the cost of overseeing this process. The DCH also may see an increase in revenue from the $10,000 fine that may be imposed on health providers who do not adhere to the new medical record requirements.
Senate Bill 466
The bill will have an indeterminate fiscal impact on the State. The DHS Office of Children and Adult Licensing Programs in 2005 regulated 3,573 adult foster care facilities with a capacity of 47,366 adults in care. When the facility is in violation of record retention requirements, the provider is required to submit a plan of correction in order to retain the facility license. Under the new enforcement provision, the DHS will have to contract for disposal services as well as institute new administrative billing procedures. The information needed to determine the cost of these administrative changes is not presently available.
Senate Bill 468
The bill will have no fiscal impact on State or local government.
Fiscal Analyst: Bill Bowerman
Constance Cole
David FosdickAnalysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent. sb465,466,468/0506