MEDICAL RECORD RELEASE H.B. 4606 (H-1): FIRST ANALYSIS
House Bill 4606 (Substitute H-1 as reported without amendment)
Sponsor: Representative Stephen F. Adamini
House Committee: Health Policy
Senate Committee: Health Policy
Date Completed: 2-10-06
RATIONALE
The Public Health Code requires a licensed health facility or agency that provides services directly to patients or residents to adopt a policy that describes the rights and responsibilities of patients and residents, and limits the release of an individual's medical records. Apparently, these provisions have been problematic in some areas of the State, such as the Upper Peninsula, in which a hospital serves a particularly broad geographic region. A patient might see a primary care provider relatively close to his or her home but be referred to a specialist at the hospital, which might be several hours away. Sometimes, in the course of an examination by a specialist, it becomes evident that a patient has undergone previous medical treatment or testing. If the patient did not bring a copy of his or her records, it can be impractical, and perhaps medically inadvisable, to ask the patient to reschedule the appointment and come back with the records. This lack of access potentially can interfere with the health care provider's ability to diagnose the patient's condition or prescribe appropriate treatment.
The Federal Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to implement new measures to protect individuals' personal health information, and to encourage electronic transactions. Individual states, however, may enact stricter regulations, such as the provisions of the Public Health Code regarding the release of an individual's health information. It has been suggested that incorporating in the Code references to HIPAA could facilitate the transfer of necessary information in situations like the one described above.
In another matter, the State's Medical Records Access Act, enacted in 2004, provides that a patient or his or her authorized representative has the right to obtain the patient's medical record, and prescribes the procedures and fees for obtaining access. It has been suggested that related provisions of the Public Health Code be updated to include references to that Act. (Both HIPAA and the Medical Records Access Act are described below, under BACKGROUND.)
CONTENT
The bill would amend the Public Health Code to require a health facility's or agency's policy describing patient or resident rights and responsibilities to include references to the Medical Records Access Act and the Health Insurance Portability and Accountability Act.
The Code requires a licensed health facility or agency that provides services directly to patients or residents to adopt a policy describing the rights and responsibilities of patients or residents admitted to the facility or agency. The policy must be posted in a public place in the facility or agency and provided to each staff member. Patients and residents must be treated in accordance with the policy.
The policy must provide that an individual who is or has been a patient or resident is
entitled to inspect, or receive for a reasonable fee, a copy of his or her medical record upon request; and that a third party may not be given a copy without the patient's or resident's prior authorization. Under the bill, the policy would have to specify that the person could inspect or receive a copy of the record in accordance with the Medical Records Access Act, and that a third party could not be given a copy without prior authorization except as otherwise permitted or required under HIPAA, or regulations promulgated under it (49 CFR Parts 160 (General Administrative Requirements) and 164 (Security and Privacy)).
The Code requires the policy also to provide that a patient or resident is entitled to confidential treatment of personal and medical records, and may refuse their release to a person outside the facility or agency except as required because of a transfer to another facility or as required by law or third-party payment contract. Under the bill, the policy also would have to provide that records could be released as permitted or required under HIPAA or regulations promulgated under it.
MCL 333.20201
BACKGROUND
Medical Records Access Act
Public Act 47 of 2004 created the "Medical Records Access Act" to do the following:
-- Specify that, except as otherwise provided by law or regulation, a patient or his or her authorized representative has the right to obtain his or her medical record.
-- Require a health care provider or health facility to take certain actions upon receiving a request from a patient or authorized representative to examine or obtain a copy of the patient's medical records.
-- Set deadlines for a provider or facility to act.
-- Establish the maximum fees that a provider, facility, or medical records company may charge for copies of medical records; and require the Department of Community Health to adjust these fees annually.
-- Require a provider, facility, or medical records company to waive fees for a medically indigent individual.
Under the Act, a health care provider or facility, or a medical records company, may charge the patient or an authorized representative an initial fee of up to $20 per request. Additionally, for a paper copy, the provider, facility, or company may charge a maximum of $1 per page for the first 20 pages, a maximum of fifty cents per page for pages 21 through 50, and up to twenty cents per page for pages 51 and over. If the record is in some form or medium other than paper, the provider, facility, or company may charge the actual cost of preparing the duplicate.
The provider, facility, or agency also may charge any postage or shipping costs, as well as any actual costs incurred in retrieving records that are at least seven years old and not maintained or accessible on-site.
Health Insurance Portability and Accountability Act
According to the U.S. Department of Health and Human Services (HHS), HIPAA was enacted in 1996 to encourage electronic transactions and require new safeguards for the security and confidentiality of individuals' personal health information. Under HIPAA, the HHS was required to issue a Privacy Rule for health plans, health clearinghouses, and health care providers. The regulations took effect on April 14, 2003.
Under these regulations, patients must be able to obtain copies of their records and request necessary corrections. Health plans and providers must give the patient access to the records within 30 days and may charge a fee. Health plans and providers also must give patients notice of their rights and how their personal medical information may be used.
Additionally, the Privacy Rule restricts the use of individually identifiable health information. In general, providers may not use personal health information for purposes unrelated to health care, and may use or share the minimum amount of information necessary to treat a patient. A patient must sign an authorization before a covered entity may release his or her information to a life insurer, bank, marketing firm, or a business for purposes unrelated to health care.
The Privacy Rule also allows patients to request that their doctors, health plans, and other covered entities take reasonable steps to keep their communications confidential.
The regulations permit a consumer to file a complaint regarding privacy practices, either with the provider or health plan, or with the HHS Department's Office for Civil Rights.
Health plans, pharmacies, doctors, and other entities to which the Privacy Rule applies must establish polices and procedures to protect the confidentiality of patients' protected health information. Covered entities must develop written privacy procedures that include a description of staff with access to information, and how the information may be used and disclosed. They also must train employees in the procedures and take disciplinary action against employees who do not follow the procedures.
The Privacy Rule allows covered entities to continue specified disclosures for specific public responsibilities, such as emergency circumstances, identification of a deceased person's body, identification of the cause of death, public health needs, certain research, oversight of the health care system, judicial and administrative proceedings, limited law enforcement activities, and national defense and security activities.
The Act also established criminal and civil penalties for violations of the standards and misuse of personal health information.
ARGUMENTS
(Please note: The arguments contained in this analysis originate from sources outside the Senate Fiscal Agency. The Senate Fiscal Agency neither supports nor opposes legislation.)
Supporting Argument
Currently, the Public Health Code precludes the release of medical records without the patient's prior authorization. Reportedly, this requirement can be cumbersome for health care providers, especially in rural areas where specialists and medical centers serve a large geographic area and patients must travel long distances to their appointments. By allowing the release of records as provided by HIPAA, the bill would maintain privacy protections while enabling a patient's various health care providers to transmit records quickly via electronic means. The facilitation of information-sharing among all the providers involved with the patient's care would result in more efficient treatment.
Legislative Analyst: Julie Koval
FISCAL IMPACT
The bill would have no fiscal impact on State or local government.
Fiscal Analyst: David FosdickAnalysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent. hb4606/0506