MEDICAL RECORD RELEASE H.B. 4606 (H-1): COMMITTEE SUMMARY








House Bill 4606 (Substitute H-1 as passed by the House)
Sponsor: Representative Stephen F. Adamini
House Committee: Health Policy
Senate Committee: Health Policy


Date Completed: 2-7-06

CONTENT The bill would amend the Public Health Code to require a health facility's or agency's policy describing patient or resident rights and responsibilities to include references to the Medical Records Access Act and the Federal Health Insurance Portability and Accountability Act (HIPAA).

The Code requires a licensed health facility or agency that provides services directly to patients or residents to adopt a policy describing the rights and responsibilities of patients or residents admitted to the facility or agency. The policy must be posted in a public place in the facility or agency and provided to each staff member. Patients and residents must be treated in accordance with the policy.


The policy must provide that an individual who is or has been a patient or resident is entitled to inspect, or receive for a reasonable fee, a copy of his or her medical record upon request; and that a third party may not be given a copy without the patient's or resident's prior authorization. Under the bill, the policy would have to specify that the person could inspect or receive a copy of the record in accordance with the Medical Records Access Act, and that a third party could not be given a copy without prior authorization except as otherwise permitted or required under HIPAA, or regulations promulgated under it (49 CFR Parts 160 (General Administrative Requirements) and 164 (Security and Privacy)).


The Code requires the policy also to provide that a patient or resident is entitled to confidential treatment of personal and medical records, and may refuse their release to a person outside the facility or agency except as required because of a transfer to another facility or as required by law or third-party payment contract. Under the bill, the policy also would have to provide that records could be released as permitted or required under HIPAA or regulations promulgated under it.


MCL 333.20201

BACKGROUND

Medical Records Access Act


Public Act 47 of 2004 created the "Medical Records Access Act" to do the following:

-- Specify that, except as otherwise provided by law or regulation, a patient or his or her authorized representative has the right to obtain his or her medical record.
-- Require a health care provider or health facility to take certain actions upon receiving a request from a patient or authorized representative to examine or obtain a copy of the patient's medical records.
-- Set deadlines for a provider or facility to act.
-- -- Establish the maximum fees that a provider, facility, or medical records company may charge for copies of medical records; and require the Department of Community Health to adjust these fees annually.
-- Require a provider, facility, or medical records company to waive fees for a medically indigent individual.


Health Insurance Portability and Accountability Act


According to the U.S. Department of Health and Human Services (HHS), HIPAA was enacted in 1996 to encourage electronic transactions and require new safeguards for the security and confidentiality of individuals' personal health information. Under HIPAA, HHS was required to issue a Privacy Rule for health plans, health clearinghouses, and health care providers. The regulations took effect on April 14, 2003.


Under these regulations, patients must be able to obtain copies of their records and request necessary corrections. Health plans and providers must give the patient access to the records within 30 days and may charge a fee. Health plans and providers also must give patients notice of their rights and how their personal medical information may be used.


Additionally, the Privacy Rule restricts the use of individually identifiable health information. In general, providers may not use personal health information for purposes unrelated to health care, and may use or share the minimum amount of information necessary to treat a patient. A patient must sign an authorization before a covered entity may release his or her information to a life insurer, bank, marketing firm, or a business for purposes unrelated to health care.


The Privacy Rule also allows patients to request that their doctors, health plans, and other covered entities take reasonable steps to keep their communications confidential.


The regulations permit a consumer to file a complaint regarding privacy practices, either with the provider or health plan, or with the HHS Department's Office for Civil Rights.


Health plans, pharmacies, doctors, and other entities to which the Privacy Rule applies must establish polices and procedures to protect the confidentiality of patients' protected health information. Covered entities must develop written privacy procedures that include a description of staff with access to information, and how the information may be used and disclosed. They also must train employees in the procedures and take disciplinary action against employees who do not follow the procedures.


The Privacy Rule allows covered entities to continue specified disclosures for specific public responsibilities, such as emergency circumstances, identification of a deceased person's body, identification of the cause of death, public health needs, certain research, oversight of the health care system, judicial and administrative proceedings, limited law enforcement activities, and national defense and security activities.


The HIPAA also established criminal and civil penalties for violations of the standards and misuse of personal health information.


Legislative Analyst: Julie Koval

FISCAL IMPACT
The bill would have no fiscal impact on State or local government.

Fiscal Analyst: David Fosdick

Analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent. hb4606/0506