Upholding Patient Rights

Purpose

TherapyAppointment operates solely as a Business Associate under HIPAA. This policy does not transfer or assume the obligations of a Covered Entity under the HIPAA Privacy Rule. Instead, it outlines how TherapyAppointment will support Covered Entities in meeting their responsibilities through the functions delegated in Business Associate Agreements (BAAs). All determinations regarding patient access, amendments, denials, fees, and other rights remain the responsibility of the Covered Entity.

Patients have rights under state and federal law, including the HIPAA Privacy Rule and the 21st Century Cures Act. While the HIPAA Privacy Rule places the responsibility for upholding these rights on Covered Entities, Business Associates have legal obligations under the HIPAA Rules and Business Associate Agreements (BAAs) to support Covered Entities in meeting these obligations. The rights covered by the rule are summarized as follows:

  1. Provide a mechanism for patients and other outside entities to submit complaints about privacy and related compliance issues and implement a process to track, investigate, and respond to all complaints. (45 CFR 160.306)
  2. Provide access, when requested by an authorized party, to an accounting of all PHI disclosures, including those made in the operation of its systems and initiated through the TherapyAppointment.com application. (45 CFR 164.528)
  3. Provide a means to facilitate amendments and/or corrections of PHI in medical records. (45 CFR 164.526)

In addition, the 21st Century Cures Act requires health care providers to respond to requests for records from patients promptly and without unnecessary delays. Untimely responses pose a risk and may be interpreted as information blocking. TherapyAppointment provides mechanisms within the application to assist Covered Entities in meeting these requirements. 

This policy defines how TherapyAppointment, as a Business Associate, upholds its responsibilities and provides the technical and operational support required by Covered Entities.


Scope

TherapyAppointment’s obligations are limited to the scope defined under HIPAA and the applicable BAAs. TherapyAppointment will only fulfill patient rights obligations to the extent delegated by a Covered Entity through a BAA. Covered Entities remain responsible for evaluating, approving, and responding directly to patient requests. 


Policy

TherapyAppointment must understand and abide by its responsibility to uphold patient rights as delegated by Covered Entities and defined in BAAs. These responsibilities apply to the PHI that TherapyAppointment creates, receives, maintains, or transmits in the course of providing services. 

Individual’s Right of Access

  • TherapyAppointment shall, upon request from and direction by a Covered Entity, make PHI in a designated record set available in accordance with the HIPAA Privacy Rule. 
  • If a patient or their authorized representative submits an access request directly to TherapyAppointment, the request will be promptly referred to the applicable Covered Entity. 
  • TherapyAppointment shall provide PHI to the Covered Entity in a form and timeframe that enables the Covered Entity to meet its legal obligations (generally 30 days with a one-time 30-day extension, per 45 CFR 164.524).
  • TherapyAppointment does not determine whether access is approved or denied. All determinations are the responsibility of the Covered Entity.

Patient Record Amendments

  • TherapyAppointment will, upon request and direction from a Covered Entity, facilitate the amendment, as necessary, of PHI maintained in TherapyAppointment’s systems.
  • If an amendment request is received directly from an individual or third party, TherapyAppointment shall promptly refer the request to the applicable Covered Entity.
  • Amendments must be non-destructive and retain record integrity (i.e., new entries supersede prior entries without erasing them).
  • The response window for completing amendments must be documented and shall not be any longer than 30 days. 

Accounting of Disclosures

  • TherapyAppointment will maintain a record of disclosures made of PHI in the course of system operation or as required under its BAAs, for a minimum of six (6) years from the date of disclosure. 
  • Upon request from a Covered Entity, TherapyAppointment shall provide an accounting of disclosures sufficient for the Covered Entity to meet its obligations under 45 CFR 164.528 when necessary.
  • If an accounting request is received directly from an individual or third party, TherapyAppointment will redirect the request to the Covered Entity.

Privacy and Compliance Complaints

  • TherapyAppointment shall maintain a clear and accessible process for handling privacy and compliance complaints related to its SaaS platform and Business Associate functions.
  • The organization must create, and publish on its public website, a process for collecting and responding to complaints from outside entities.
  • The company shall test the usability of the process to ensure that users of its software (e.g., clinicians and patients) and other parties can consistently identify and reach the applicable pages from the company’s home page and the TherapyAppointment application.  
  • All complaints shall be documented, investigated, and resolved in a timely manner by the Privacy Officer or their designee. 
  • Complaints related to clinical care, treatment decisions, retention of clinical records, or other Covered Entity functions will be referred to the applicable Covered Entity.

Forwarding Misrouted Requests

TherapyAppointment shall establish and maintain procedures for promptly forwarding any misrouted requests (e.g., access requests, amendments, complaints) to the appropriate Covered Entity.