Covered Entities: The final rules cover health plans, health clearinghouses (i.e., entities that process health information received from a covered entity), and healthcare providers, like KEI, that conduct certain financial and administrative transactions electronically (e.g., electronic billing and funds transfer).

Protected Information: The regulations cover all medical records and any other individually identifiable health information, whether communicated electronically, on paper, or orally. The rules do not apply to information that contains no identifying information, or information that has been altered so as not to identify the individual about whom the information applies.

Limits on Use and Release of Protected Information: Protected patient information generally can only be used or disclosed for purposes of healthcare treatment (e.g., documenting and referring to patient information in a medical record, sharing patient information with referring doctors, etc.), payment (i.e., submitting claims to Medicare/Medicaid or private insurance companies), and operations (i.e., internal accounting and record keeping) pursuant to a general advance consent from the patient, except for disclosures to the patient or the patient’s personal representative, emergencies, and other limited exceptions discussed below.

Privacy Officer: The regulations require that covered entities, like KEI, appoint a Privacy Officer. In keeping with this requirement, the KEI Board of Directors has appointed Kenneth E. Woodworth, Jr., COMT, COE in this capacity. He may be reached at 1401 Harrodsburg Road, Lexington, KY 40504, local 859-278-9393 or toll-free 800-432-9278, extension 105.

Permitted Uses and Disclosures: The privacy standard identifies certain permissible uses and disclosures, without the need to obtain written consent or authorization from a patient. The following are permissible uses and disclosures:

• Oversight of the healthcare system, including quality assurance activities.
• Public health.
• Research, generally limited to when a waiver of authorization is independently provided by a privacy board or institutional review board.
• Certain marketing and fund-raising activities, as long as individuals targeted by such activities are given the opportunity to opt out from receiving future communications.
• Judicial or administrative proceedings.
• Certain law enforcement activities.
• Information on abuse, neglect, or domestic violence victims.
• Decedent information.
• Cadaveric, organ, eye, or tissue donation purposes.
• To avert a serious threat to health or safety.
• For specialized government functions (such as military, national security, intelligence).
• Workers compensation (state law dictates disclosure requirements).

• Patients must be able to see and obtain copies of their records and to request changes. They are also entitled to receive an accounting of disclosures of their protected healthcare information (must be in writing) other than disclosures related to treatment, payment, and healthcare operations, and subject to certain other exceptions. Requests for access to records and accountings of disclosure will be acted upon within time frames allowed by HIPAA regulations. The patient may be charged for any copying and mailing costs up to the statutory limit.
  
  
• Patients have the right to request restrictions on the uses and disclosures of their information. KEI doctors will make the final determination as to whether or not to comply with such requests, but if they do, they must consistently comply with and document such restrictions.
  
  
• Patients have a right to request changes to their medical records. Such requests may be denied for the following reasons:
  
  
  • The information the patient wants amended was not created by someone in the practice;
  • The Individual/entity that created the information is no longer available to make the amendment;
  • The information is not part of the medical record kept by the practice;
  • The information is not part of the medical record that a patient is permitted to inspect and copy; or
  • The practice believes the information is correct and accurate as is.
    
    
  It is the treating KEI physician's prerogative to accept or deny the patient's request.
  
  
• Patients have the right to complain to KEI or to the Secretary of Health and Human Services about violations of the rules or the policies and procedures of KEI. Patients will not be penalized for filing such complaints.
  
  
• Patients have the right to request that KEI confidentially communicate health information to them by alternative means or at alternative locations. KEI must comply with such requests if they are reasonable.
  
  
• Patients have the right to revoke any consent or authorization previously provided to KEI. A request for this must be in writing and sent or given to KEI's privacy officer.