This e-alert is Part IV in Jackson Kelly’s continuing series Breaking Down the HIPAA Final Omnibus Rule (Final Rule). The Final Rule was released by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 and published in the Federal Register on January 25, 2013. The Final Rule is effective March 26, 2013, and provides a 180-day transition period allowing covered entities and business associates to come into compliance on most of the new requirements by September 23, 2013.
The Final Rule implements two provisions contained within the HITECH Act pertaining to individual rights: (1) an individual’s right to request restrictions on the disclosure of his or her protected health information (PHI) and (2) an individual’s right to access his or her PHI.
Requests for Restrictions
The Final Rule alters an individual’s right to request restrictions on uses and disclosures of PHI. In particular, under the Final Rule, a covered entity must agree to an individual's request to restrict disclosures of PHI to a health plan if: (1) the disclosure is for purposes of payment or healthcare operations and is not otherwise required by law; and (2) the PHI pertains solely to healthcare items or services for which the individual, or another person on behalf of the individual (other than the health plan), has paid in full (Required Restrictions). Additionally, the Final Rule eliminates a covered entity’s ability to terminate its agreement to Required Restrictions.
In commentary to the Final Rule, HHS provides covered entities guidance on compliance with Required Restrictions.
- Records. Providers do not need to create separate medical records or segregate PHI subject to a Required Restriction. However, providers will need to flag or use some other method to identify portions of the record that contain PHI subject to a Required Restriction to ensure it is not inadvertently sent or made accessible to the health plan for payment or healthcare operations purposes (for example, PHI subject to a Required Restriction must be excluded from records made available to a health plan during performance of an audit).
- Bundled Services. To the extent a patient requests a restriction with respect to one of several items or services provided in a single patient encounter, the provider should counsel the patient on the ability or inability of the provider to unbundle the services and the consequences of doing so. If the provider cannot unbundle the items or services, the provider should inform the patient and give the patient the option to restrict and pay out of pocket for the entire bundle of items or services.
- Dishonored Payments. Providers need not abide by a restriction if a patient's payment is dishonored. However, HHS expects providers to make reasonable efforts to attempt to resolve payment issues with the patient prior to disclosing PHI to the health plan. To alleviate any payment issues, a provider may choose to require payment in full at the time the restriction is requested by a patient.
- Downstream Providers. Providers are not required to notify downstream providers of Required Restrictions. This remains the patient's responsibility. Providers are encouraged to counsel patients that for the restriction to apply to other providers, the patient must request a restriction and pay out of pocket for care rendered by other providers.
- Follow-up Care. If the patient does not request a restriction and pay out of pocket for follow-up treatment, the provider may include previously restricted PHI when billing the health plan for the follow-up treatment, if the information is necessary and consistent with the provider’s minimum necessary policies and procedures and the information is required to deem the service medically necessary or appropriate. No patient authorization is required to disclose the previously restricted PHI. HHS strongly encourages providers to engage in an open dialogue with patients to ensure that they are aware and understand that previously restricted PHI may be disclosed to the health plan, unless the patient makes a request and meets the requirements for a Required Restriction.
- Health Maintenance Organizations (HMOs). Providers may be prohibited by state or other laws from accepting payment from a patient above the patient’s cost-sharing amount. In such an instance, the provider may counsel the patient to use an out-of-network provider in order to restrict the disclosure of PHI to the HMO. If a Required Restriction is not inconsistent with applicable state law, contractual requirements for a provider to submit claims to an HMO do not exempt the provider from his or her obligations to honor a Required Restriction. Provider contracts with HMOs may need to be updated to be consistent with these new requirements.
- Mandatory Billing Rules. Generally, a provider may submit PHI to a government health plan as required by law (e.g., mandatory claim submission laws). However, there are various mechanisms that may allow a provider to avoid such legal mandates (e.g., if the patient refuses to authorize submission of a bill to Medicare). Providers must utilize such mechanisms in order to comply with the request for a Required Restriction.
Right to Access
Individuals currently have the right to review or obtain a copy of their PHI, provided that the PHI is maintained in the covered entity’s designated record set. The HITECH Act expanded this right by giving patients the right to an electronic copy of PHI that is maintained in an electronic health record (EHR). The Final Rule adds an additional right to permit a patient to obtain an electronic copy of PHI in any designated record sets the covered entity maintains electronically.
HHS clarifies the following in its commentary to the Final Rule:
- File Format. The current provision outlining an individual’s right to access his or her PHI states that requested PHI must be provided in the form or format requested by the individual if it is readily available. If the requested format is not readily available, the covered entity must provide a hard copy or make some other agreement with the individual. The Final Rule establishes that, if electronic PHI is not readily producible in the requested format, the covered entity must provide a copy of the PHI in another “readable electronic form” (e.g., providing a disc with a PDF file, sending a secure e-mail or providing access through a secure web-based portal) rather than a hard copy.
- Designation to Third Parties. Under the HITECH Act, individuals have the right to instruct covered entities to transmit a copy of their PHI that is maintained in an EHR directly to a designated individual as long as the choice is “clear, conspicuous, and specific.” The Final Rule requires covered entities to transmit a copy of PHI to another person if requested by the individual, regardless of whether the PHI is maintained in an EHR. Such requests must “be in writing, signed by the individual, and clearly identify the designated person and where to send the copy” of the PHI. Note that this written designation request is distinct from a HIPAA authorization, which has additional required elements.
- Fees. The HITECH Act prohibits covered entities from charging more than their labor costs in responding to a request for a copy of PHI that is maintained in an EHR. The Final Rule adds factors that covered entities may consider in determining a reasonable cost-based fee. A covered entity may consider “labor for copying the [PHI] requested by the individual, whether in paper or electronic form,” which may include skilled technical staff’s efforts to compile, extract, scan and burn electronic PHI onto digital media and distribute that media. Additionally, reasonable cost-based fees may account for (i) the cost of supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media; and (ii) the cost of postage if the individual requests that the portable media be sent by mail or courier. However, HHS clarifies that covered entities may not include: (i) cost for new technology, maintaining electronic systems for electronic PHI, data access and storage infrastructure; or (ii) a retrieval fee (whether standard or actual costs) for electronic copies. If any costs permitted by HIPAA exceed state law limits, the covered entity may not charge fees greater than those allowed by state law.
- Timing. The Final Rule decreases the time within which a covered entity must respond to an individual’s request for access to PHI from 90 to 60 days by removing the provision allowing an additional 30 days to respond if the PHI is accessible only at an off-site location. Covered entities must now respond within 30 days of an individual’s request for PHI, but may request a one-time 30-day extension. Any extension request must be provided to the individual in writing and include the reason for delay and the expected date of completion. HHS declined to adopt different timelines for electronic versus paper copies and opted instead for a single timeline.