Openline August 1999

Posted on Aug 1, 1999 in Newsletter

New Model Forms for Record Requests and Responses 
Frequent Inquiries: Record Requests, Fees, Photocopies 
Act 87 Protects Privacy of Health Care Information


New Model Forms for Record Requests and Responses
The Office of Information Practices has published two new model forms for State and county government agencies entitled “Request to Access a Government Record” and “Notice to Requester.”

The forms were developed to assist agencies and members of the public with public record requests.

Smoothing the Way
The new forms, created with input from government agencies and the public, should make the processing of a record request smoother for both the requester and the agency that processes the request. Agencies are not required to use these forms and may create their own.

The forms feature check boxes to clarify and speed both the request and the agency’s response. They also give key information about the request procedure, the requester’s responsibilities, and the agency’s responsibilities.

Forms Available Online
The model forms are available at www.state.hi.us/oip, along with the text of the rules, the Uniform Information Practices Act (“UIPA”), the Openline newsletter, general guidance, and information about the Office of Information Practices.


Frequent Inquiries: Record Requests, Fees, Photocopies
Just the FAQs! Here are answers to frequently asked questions received by the OIP in recent days. The OIP’s Attorney of the Day service welcomes your inquiries.

Record Request Fee Waivers
Several callers have asked about the two fee waivers in the new OIP rules. The first waiver is mandatory and applies to agency charges for the search, review, and segregation of a record, up to a maximum of $30. There are no qualifications that must be met to receive this fee waiver.

The second fee waiver is one that a requester may apply for if the request is in the public interest. If the requester meets the requirements in section 2-71-32, Hawaii Administrative Rules, the requester will receive a total waiver of $60 for fees for search, review, and segregation.

Simple Record Requests
Callers have asked if they have discretion to charge fees under the OIP rules when the amount of the fee is less than $30. The answer is no: the first $30 is a mandatory waiver of fees for searching for, reviewing, and segregating a record.

The fees were meant to help the government recoup costs without placing significant barriers in the way of public access. Therefore, requests that take a small amount of time to process are subject to the mandatory waiver.

Agencies may elect not to charge fees for search, review, and segregation, but if they do charge they must follow the fees in the OIP rules.

Voluminous Record Requests
Callers from small agencies ask how they can process voluminous record requests without unreasonably disrupting their regular duties. Section 2-71-15, Hawaii Administrative Rules, lists several extenuating circumstances, one of which is when an agency requires additional time to respond to a request in order to avoid an unreasonable interference with its other statutory duties and functions.

When extenuating circumstances are present, and the requested records are voluminous, an agency may, in good faith, elect to make the records available in increments.

Private Information
Sometimes callers ask if they can give out the home address of employees upon request, or disclose social security numbers. In most cases disclosure of home addresses, home telephone numbers, and social security numbers would violate the privacy rights of individuals.

Section 92F-13 (1) of the Uniform Information Practices Act (“UIPA”) protects from disclosure government records “which, if disclosed, would constitute a clearly unwarranted invasion of personal privacy.”

Do Requesters Have to Give Their Names?
Sometimes those requesting public records do not want to give their names. Agencies may not ask for a requester’s name as a condition for disclosing a public record.

If a requester is applying for a waiver of search, review, and segregation fees in the public interest, however, the requester must then give their name.

Do Requesters Have to Give a Reason for Making the Request?
A person making a record request does not have to give a reason for the request. Agencies should not ask requesters why they are requesting a record.

Must a Record Request Be in Writing?
Callers have also asked if a record request must be in writing. The quick answer is no and yes. No written request is required for informal requests, but yes, a written request is required for formal requests.

Section 2-71-11, Hawaii Administrative Rules, covers informal requests for access to government records. Sections 2-71-12 and 2-71-13 cover formal requests.

The OIP encourages requesters to make written requests. The advantages include having a written record of the request and request date, and ensuring a written response or disclosure by the agency.

Can a Rule or Ordinance Override the UIPA?
Some callers ask what to follow when it appears that a rule or ordinance may conflict with the UIPA. Unless the Hawaii Revised Statutes provide otherwise, a statute (including the UIPA) prevails over rules, ordinances, or charters.

Recently the office of a county council member called about historical research that office had conducted. The council member’s office had just received an informal record request for that research from an attorney for an individual involved in a contested case hearing. Under that county’s rules, council members should not be giving out information to someone for that individual’s personal gain. The caller asked if the information was public.

The OIP advised the office that the information is presumed public unless a UIPA exception to disclosure applies. Any rule or ordinance that contradicts a statute would be “trumped” by the statute. Thus, if the UIPA made the information public, the UIPA would likely control access.

Photocopy Charges
Agencies and members of the public often call to find out what the new photocopy fees are under section 92-21, Hawaii Revised Statutes. Act 160 amended the fees, effective July 1, 1999, to five cents per page.

Several agencies have inquired about the procedures they should follow if they do not wish to charge photocopy fees, or if they want to charge more than the statutory five cents per page.

The OIP does not have jurisdiction to opine on copy fee issues under section 92-21, HRS, or other laws. Agencies should contact their Deputy Corporation Counsel, Deputy Attorney General, or in-house counsel if they seek advice in this area.


Act 87 Protects Privacy of Health Care Information
In the last issue Openline reported on the history of Act 87, the new Hawaii law regarding privacy of health care information. This issue features a special supplement with an in-depth analysis of the major provisions of Act 87.

Act 87 (HB 351, HD2, SD1, CD1), which takes effect July 1, 2000, regulates information practices in the health care industry, including patient access to the medical record and health care provider disclosure of protected health information. The new law’s stated objectives are to:

  • protect an individual’s right to privacy of medical information under the Hawaii Constitution,
  • protect individuals against the adverse effects of improper disclosure of medical information, 
    establish mechanisms to protect against unauthorized and inappropriate use of protected health information,
  • encourage the exchange of health care information in a manner that will ensure confidentiality of protected information without impeding high quality health care,
  • allow appropriate transfer of personal health information into nonidentifiable health information for legitimate purposes including research and promotion of public health,
  • discourage litigation by establishing procedures that will provide courts with strong evidence that medical information was properly handled and disclosed, and
  • establish remedies for violations of Act 87.

Patient’s Right to Access Protected Health Information
Protected health information is information identifiable to an individual including the: (1) physical or mental health or condition of a person including tissue and genetic information; (2) provision of health care to an individual; or (3) payment for the provision of health care to an individual.

Although health care providers own those medical records in their possession, patients have a right to inspect and copy the medical record within 30 days after their request is received by covered “entities” (including health care providers, health plans, employers, health care data organizations, insurers, or educational institutions).

When Access Is Not Required. Nonetheless, unless a court orders otherwise, an entity may be permitted to withhold patient access when:

  • the disclosure could endanger the life or physical safety of, or cause substantial mental harm to, the subject of the record;
  • the information identifies, or could reasonably lead to the identification of, a person who provided information under a promise of confidentiality, unless the confidential source can be protected by redaction or other means;
  • the information is protected from discovery under section 624-25-5, Hawaii Revised Statutes; or
  • the information was collected for or during a clinical trial monitored by an institutional review board, the trial is not complete, and the researcher reasonably believes that access would harm the conduct of the trial.

If the entity denies the patient access to the medical record it has a duty to inform the patient, in writing. The entity must tell the patient, within 30 days after the date the request was received, the reasons for the denial, procedures for further review of the denial and the patient’s right to file a statement with the entity, setting forth the request for inspection and copying.

Use and Disclosure of Protected Health Information
The law prohibits health care entities from improper use and disclosure of protected health information. Moreover, the law requires that these entities establish and maintain safeguards to protect the confidentiality, security, accuracy, and integrity of protected health information.

Under the law, a health care entity may use or disclose protected health information within that entity only if proper notice has been given to the patient.

If proper notice has been given, then an entity may use the protected health information within the entity for purposes of treatment and certain qualified health care operations. Otherwise, with the exception of certain public policy uses, all other uses and disclosures require a specific consent.

Patient “Opt-Out” Rights
If, after receiving the notice of confidentiality practices, the patient wishes to prohibit all disclosures required for purposes of a third-party payor contract, he or she may “opt-out” of the disclosures for those purposes. Instead, the patient may pay the provider directly for those services. The provider then has the duty to ensure that this “opt-out” portion of the protected health information is not disclosed without a proper consent.

Notice of Confidentiality Practices
The notice of confidentiality practices generally explains what a patient’s rights are and what confidentiality practices that entity follows. The law contains specific language that must be included in a notice. Entities that hold protected health information must give their notice of confidentiality practices in one of two different ways, depending upon the type of entity.

Health Plans must give notice to each individual eligible to receive care under the health plan 1) upon enrollment, 2) annually, and 3) whenever confidentiality practices are substantially amended. All other entities, including health care providers, health care data organizations, health oversight agencies, public health authorities, employers insurers, health researchers, and educational institutions, are required to post notice of their confidentiality practices in a conspicuous place.

Consent
The law requires that for all other disclosures, the patient must give his or her consent to disclose (called an “authorization” in the law). Each disclosure must have a separate consent, in writing, dated and signed by the patient (or if electronic, then authenticated by an unique identifier). The patient may revoke the consent at any time. The consent must:

  • identify the person who is authorized to disclose the protected health information; 
    identify the patient;
  • describe the nature of and time span of the protected health information to be disclosed; 
    identify to whom the protected health information is to be disclosed;
  • describe the purpose of the disclosure;
  • state that the consent is subject to revocation;
  • include the date upon which the consent to disclose ends. 

Disclosures Without Consent
For purposes of public policy, protected health information may be disclosed without consent:

  • to the coroner or medical examiner;
  • to a designated relative or representative, if certain conditions are met;
  • to assist in identification or safe handling of a deceased individual;
  • in emergency circumstances when it is necessary to protect the health or safety of the subject from serious, imminent harm;
  • to a health oversight agency for an oversight function authorized by law;
  • to a public health authority or other person authorized by law for use in legally authorized activities;
  • to entities for research purposes if certain conditions are met;
  • in judicial or administrative procedures; and
  • for civil or administrative law enforcement purposes. 

OIP’s Role
Act 87 gives the OIP two new functions:

Rulemaking Authority: The OIP is required to adopt rules to implement the establishment of 1) safeguards to protect confidentiality by entities and 2) standards for electronic disclosures.

Prevention and Deterrence: The OIP may provide advice, training, technical assistance, and guidance regarding ways to prevent improper disclosure of protected health information.

Sanctions
Criminal Penalties: The knowing or intentional disclosure of protected health information in violation of the law is a class C felony (five years in prison). The knowing or intentional sale, transfer, or use of protected health information for commercial advantage, personal gain, or malicious harm, in violation of Act 87, is a class B felony (ten years in prison).

Civil Penalties: Individuals whose rights under the law have been violated may bring a civil action. Available civil remedies include: injunctive relief, equitable relief, compensatory damages, punitive damages, costs of the action, attorneys’ fees, and any other relief the court finds appropriate. In addition, a court may serve a cease and desist order upon a person who has violated any provision of the law and impose fines.