Privacy and Security
Client Rights Policies, Rights of Clients
Current Effective Date:
Original Effective Date:
The purpose of this policy is to ensure the North Carolina Department of Health and Human Services (NC DHHS) agencies are aware of the rights given to clients by the Health Insurance Portability and Accountability Act (HIPAA), and to provide direction to those agencies for addressing such rights.
DHHS agencies shall establish and implement procedures that ensure the following rights of clients as delineated by the HIPAA privacy rule and other federal and state laws.
The rights that are included in this policy apply to individuals served by DHHS health care providers and health plan recipients, unless otherwise specified. For simplification purposes, this policy shall refer to all such individuals as `clients', unless there is a difference in policy requirements.
The personal representative of a client who is acting on behalf of that person is afforded the same rights as the client unless otherwise specified by state or federal law, in accordance with the DHHS Privacy Policies.
Documentation required by the HIPAA privacy rule throughout this policy shall be retained at least six (6) years from the date of its creation.
DHHS covered health care components and internal business associates shall negotiate the procedures for complying with this policy.
Right to Confidential Communications
Client Right - Each client of a DHHS agency has a right to request confidential communications by requesting that the agency contact him/her at a different location or by a different means when the agency needs to communicate with the client.
Agency Responsibility - Each DHHS covered health care provider must establish accommodations for their clients, whose privacy is not assured in their daily lives, to request alternative means of communication about their health information. Such accommodations may include an alternative location and/or method of contact such as mail, e-mail, fax, or telephone. Covered providers must develop procedures for making reasonable efforts to comply with such requests from their clients; however, providers may not require an explanation from their clients regarding the basis for such request.
Each DHHS covered health plan must permit plan recipients to request to receive communications regarding health information from the health plan by alternate means or at alternate locations when requested by a plan recipient. The health plan must accommodate such requests by plan recipients if the request is deemed reasonable. The health plan may require plan recipients to clearly state that the disclosure of all or part of their health information, using the current communication method or location, could endanger the plan recipient.
Each DHHS agency may determine whether or not to require such requests from clients to be in writing, or whether the agency will accept verbal requests. Verbal requests must be documented. The client must specify his/her preferred alternative means or location; and the agreement reached by the client and the agency must be documented.
Internal procedures must be developed so all workforce members who are engaging in communications with a client who has requested and received an agreement to use alternative means of communication are aware of the need to use other agreed upon channels in order to protect the client. An agency could face serious liability if a client was harmed due to failure of staff to follow the agency's agreement to use alternative communications.
DHHS agencies must develop procedures that address the following processes for processing confidential communication requests.
Right to Adequate Notice of Use and Disclosure of Individually Identifiable Health Information
Clients of DHHS agencies have a right to be informed about how the agency may use and/or disclose their health information, as well as their rights and the agency's legal duties with respect to protecting the privacy of health information in their possession.
Each DHHS covered health care component must make their notice of privacy practices available to their clients, which explains how the component may use and/or disclose their individually identifying health information. This notice also describes the rights of clients to take action and the component's legal duties, with regard to the use and/or disclosure of individually identifiable health information created and/or maintained by the agency. The following situations included in each agency's notice directly
In an emergency treatment situation, the client has a right for the notice to be provided as soon as practicable after the emergency;
DHHS agencies must establish procedures for ensuring clients' right to adequate notice of the agency's privacy practices. The required
Right to Obtain Paper Copy after Electronic Notice
Each client of a DHHS agency may be given the opportunity to receive the agency's notice of privacy practices electronically; however, the client further has the right to request that a paper notice also be provided.
Each agency may offer to provide its notice of privacy practices to agency clients by e-mail, if the client agrees. Any client who receives the notice electronically retains the right to obtain a paper copy upon request.
DHHS agencies must develop procedures that address providing clients with a paper copy of the agency's notice.
Right to Request Access to Individually Identifiable Health Information
Each client of a DHHS agency has the right to request access to inspect and obtain a copy of his/her health information for as long as the information is maintained by the agency in a designated record set. If the agency does not maintain the health information that is the subject of the client's request for access, but knows where the requested information is maintained, the agency must inform the client where to direct his/her request for access.
Each client's request for access to his/her personal health information must be in writing. DHHS agencies may require the requester to:
The client's right to request access to records applies only to those records that have been identified as a `designated record set'. If the same information requested by the client or personal representative is contained in multiple designated record sets, the agency can limit access to a single designated record set.
DHHS agencies must determine the process for addressing a client's request to access, inspect, and copy his/her records. All requests from clients or their personal representative must be in writing and forwarded to the agency's privacy official, or other designee, who is responsible for ensuring the request is processed in a timely manner, not to exceed 30 days (with a one-time 30 day extension if the record cannot be accessed within the original 30 days). The agency is required to notify the requester in writing of any extension outlining the reasons for the delay.
DHHS agencies must grant access to individually identifiable health information in designated record sets unless it is determined there may be grounds for denial. When access is granted, agencies may provide a summary of the client's record in lieu of the entire record, if that is agreeable with the client and the client agrees in advance to any fees imposed by the agency for producing the summary.
Note: DMH/DD/SAS General Statutes require that client access be determined by an attending physician. If there is not an attending physician, access must be determined by the agency director or his/her designee.
A licensed health care professional may deny access to information in certain circumstances:
If access to health information is denied in whole or in part, the licensed health care professional is required to comply with the requirements listed below.
If a client requests review of the denial to access individually identifiable health information, the agency must designate a different licensed health care professional who was not directly involved in the original denial, as a reviewing official to review, within a reasonable period of time, the decision to deny access. The agency must promptly provide written notice to the client of the determination made by the reviewing official. Agencies are required to respond to the request in accordance with the reviewing official's decision.
DHHS agencies may deny access to specific health information, as listed below, without providing a client an opportunity for review:
Each client who has been granted access to review his/her health information also has the right to request a copy of all or part of the health information to which access was granted.
If a client requests a copy of his/her health information or agrees to receive a summary or explanation of such information, DHHS agencies may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
Note: DMH/DD/SAS agencies are bound by 10 NCAC 18D.0121 when determining fees for copying health information.
Right to Request Amendment to Individually Identifiable Health Information
Each client of a DHHS agency has the right to request amendment of his/her health information that is contained in a designated record set, for as long as the information is maintained in the designated record set. Amendments may include changing or adding information.
Each client's request for amendment to his/her personal health information must be in writing and must include the reason for requesting amendment. Agencies may require the requester to submit the request as follows:
DHHS agencies must document the titles of the persons or the offices responsible for receiving and processing requests for amendments by clients. Such documentation must be retained for at least six (6) years from the date of creation.
DHHS agencies must act on a client's request for amendment no later than 60 days after receipt of the request. If the agency grants the amendment in whole or in part, the following steps must be taken:
DHHS agencies may deny a request to amend a client's health information if it determines that the information:
DHHS agencies must provide a timely, written denial to a client that is written in plain language and contains the following elements:
DHHS agencies must permit a client to submit to the agency a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The agency may reasonably limit the length of a statement of disagreement.
DHHS agencies may prepare a written rebuttal to the client's statement of disagreement. Whenever such rebuttal is prepared, the agency must provide a copy to the client who submitted the statement of disagreement.
DHHS agencies must, as appropriate, identify the health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the following to the designated record set:
If a client has submitted a statement of disagreement, the agency must include the appended material in the designated record set in accordance with the record keeping section above, or at the discretion of the agency, an accurate summary of such information, with any subsequent disclosure of the health information to which the disagreement relates.
If a client has not submitted a written statement of disagreement, the agency must include the client's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the health information only if the client has requested such action.
When a subsequent disclosure described above is made using a standard transaction that does not permit the additional material to be included with the disclosure, the agency may separately transmit the required material to the recipient of the standard transaction.
DHHS agencies that are informed by other agencies/components of an amendment to a client's health information must also amend the health information in its own designated record sets.
Documentation of requested amendments and the disposition of such requests shall be retained for at least six (6) years from the date of its creation or the date when it was last in effect, whichever is later. Documentation that is maintained in the client record shall be retained in accordance with the General Schedule for State Agency Records.
DHHS agencies must develop the following procedures to address when clients request amendments to their health information.
Right to Accounting of Disclosures of Individually Identifiable Health Information
Each client of a DHHS agency has a right to receive an accounting of disclosures of his/her health information made by the agency at any time during the previous six (6) years. Such requests may not include dates prior to April 14, 2003. This includes any disclosures made to or by any business associate of the agency. Disclosures made as follows do not have to be included on an accounting of disclosures:
Disclosures made to health oversight agencies or law enforcement officials may be temporarily excluded from an accounting if the covered agency has been notified by the oversight agency or law enforcement official that providing an accounting could impede the progress of their activities.
DHHS agencies shall require requests for accounting of disclosures to be in writing and forwarded to designated staff for action. Agencies are required to act on such requests within 60 days after receipt of the request, unless there is good reason to extend the time to reply by another 30 days. Any extension requires the agency to provide a written statement to the requester regarding the reason for the delay and the expected completion date. Only one (1) extension is permitted per request.
For purposes of this policy, agencies must be familiar with the following basic information for each disclosure that is required to be tracked and would therefore be available to a client upon request:
Each client of a DHHS agency has the right to object to, and request restrictions on, how his/her health information is used or to whom the information is disclosed. Clients can make such requests/objections even if the restriction affects the clients' treatment or payment for that treatment or other health care operation activities. Use and disclosure of health information for treatment, payment, or other health care operations is oftentimes permitted by state and/or federal law without the client's authorization or consent. The client may want to limit the health information that is included in any of the following:
DHHS agencies are not required to agree to any requested restrictions. However, if a restriction is agreed to, it is binding and agencies may not use or disclose information in violation of the agreement, unless otherwise allowed or required under other DHHS policies. For example, an agency may disclose restricted information to permit emergency treatment. An agency is also not bound by restrictions when a disclosure is required by law. DHHS agencies are encouraged to require client request for restrictions to be in writing.
DHHS agencies must establish procedures to address the following processes for ensuring clients' right to request privacy restrictions of their health information.
Agreement or Denial of a Request for Restriction
DHHS agencies must establish procedures for processing clients' requests for restricting the use and/or disclosure of their health information, including the agency's process when request is agreed to and when request is denied. Procedures must ensure client's request is processed within 60 days of the request and client is fully informed of the decision.
If the restriction is agreed to, the following procedure must be implemented:
If the request for restriction is denied, the following procedure must be implemented:
DHHS agencies may terminate an agreement to a restriction at any time. If the client agrees to the termination by the agency, previously restricted information may be used or disclosed as if a restriction never existed. If a client objects to the termination, the termination is still in effect, but only with respect to the health information created or received after the client is informed of the termination of the restriction.
DHHS agencies must develop procedures that address the following processes for terminating a client-requested privacy restriction.
If such health information is disclosed in an emergency situation, the agency must inform the health care provider to whom the information was disclosed not to further use or disclose that health information.
DHHS agencies must address the following processes when allowing clients to request restrictions on the use and/or disclosure of their health information.
Each client of a DHHS agency has the right to submit a complaint if he/she believes that an agency within DHHS has improperly used or disclosed his/her individually identifiable health information, or if a client has concerns about the privacy policies of DHHS or concerns about DHHS compliance with such policies.
Each agency is required to identify a person or office in the agency that clients may contact if they have questions or concerns about the agency's privacy policies and procedures, or if clients would like to submit a complaint regarding the use and disclosure of their health information.
DHHS agencies must provide a process for clients to submit a complaint for any of the following reasons:
Such process shall ensure no retaliation may be taken against a client for filing a complaint against the agency.
DHHS agencies are also required to inform clients of a contact in the U.S. Department of Health and Human Services should they wish to submit a complaint to that level. Agencies are required to include this information in their Notice of Privacy Practices.
DHHS agencies must develop procedures that address the following processes when ensuring clients' right to submit complaints about the agency's privacy policies and procedures or about the agency's use and disclosure of their health information.
Designating the person(s) or offices(s) responsible for receiving and processing complaints submitted by clients;
For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy and Security Office. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.