HIPAA Policy Section 4.1: Requests for PHI
System may make a request for PHI from another Covered Entity without first obtaining specific approval from the Privacy Officer only if the request constitutes a “routine request.” System shall obtain approval prior to making any other request for PHI.
4.1(1) Routine Requests for PHI by OEB.
OEB Workforce members may request PHI without prior approval from the Privacy Officer under any of the following circumstances, each of which shall be considered a routine request:
- OEB’s request for PHI is for the purpose of conducting Payment activities or Health Care Operations activities of the Group Health Plan.:
- The Member has provided an Authorization permitting the disclosure from the person from whom OEB intends to request the PHI; or
- OEB requests PHI in order to adequately respond to a Member’s request for access to the member’s PHI (in accordance w ith Section 7.2 of this Manual), amendment of the Member’s PHI (in accordance with Section 7.3, or an accounting of disclosures of the Member’s PHI (in accordance with Section 7.4 of this Manual).
Notwithstanding the above, a request for a Member’s entire medical record or any request for Psychotherapy Notes shall not be considered to be a routine request.
4.1(2) Non-routine Requests for PHI by OEB
Prior to making any request for PHI that is not identified in Section 4.1(1) as a routine request, OEB shall seek approval from the Privacy Officer of such request and shall refrain from making such request absent the Contact Person’s approval.
Upon notification of a request for PHI, the Privacy Officer shall determine whether the information to be requested is PHI. If the information is PHI the Privacy Officer shall approve a request only if the PHI sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made. Otherwise, the Privacy Officer shall inform the requestor either that the request should not be made or that, to make such request, an Authorization from each Individual who is a subject of the PHI must first be obtained.
4.1(3) Documentation of Requests for an Entire Medical Record by OEB
If the Privacy Officer approves a request for an Individual’s entire medical record, the Privacy Officer shall document the justification for such request in accordance with Section 9.2 of this Manual.
4.1(4) Documentation of Requests for Psychotherapy Notes by OEB
Requests for Psychotherapy Notes should generally not be made as Psychotherapy Notes are not required for Payment or Healthcare Operations. All requests to obtain Psychotherapy Notes require a Member’s Authorization and must be submitted to the Privacy Officer for approval in advance. All such advanced requests must be pre- approved by the Director or the Assistant Director of Benefits before the request goes to the Privacy Officer. Any requests granted by the Privacy Services shall be documented the justification for such request in accordance with Section 9.2 of this Manual. NOTE: the System NOPP does not permit System to request Psychotherapy Notes for Payment or Health Care Operations related to a Plan. Therefore, the NOPP may require amendment and redistribution prior to requesting a Member’s psychotherapy notes.
4.1(5) All Requests for PHI by System Offices acting as a Business Associate
System offices acting as a Covered Entity’s Business Associate may request PHI only as permitted by the terms of the Business Associate Agreement in place between the System office and the Covered Entity. Requests and documentation of such requests shall be handled in accordance with the Covered Entity’s applicable policies and NOPP, and the Business Associate Agreement in place, as applicable.
45 C.F.R. §§ 164.105(a)(2)(iii)(C), 164.502(b), 164.514(d)(4)-(5)
65 Fed. Reg. at 82,543-45, 82,712-16 (Dec. 28, 2000); 67 Fed. Reg. at 53,195-99 (Aug. 14, 2002)