Follow by Email

Thursday, February 7, 2013

HIPAA-Hell is Privacy Addiction [and] Affliction. No, just kidding. HIPAA means Health Information Portability and Accountability Act.


The recent HIPAA rules updates and modifications stretch across most areas of HIPAA applicability. Many relate to civil enforcement and breach notification. These are the things that lawyers and consultants will pounce on, and probably rightly so.

The Author will try to hit on the more operational things. Much of his HIPAA work in Privacy, Security and Transaction Standards was in the trenches with the people that had to make the policies work.

A REQUEST TO RESTRICT DISCLOSURES THAT A COVERED ENTITY MUST AGREE TO

Under the new the Amended Rule, a covered entity must agree to an individual's request to restrict disclosures of PHI to a health plan if: (1) the disclosure is for purposes of payment or healthcare operations and is not otherwise required by law; and (2) the PHI pertains solely to healthcare items or services for which the individual, or another person on behalf of the individual (other than the health plan), has paid in full (Required Restrictions). The Final Rule also eliminates a covered entity's ability to terminate its agreement to any Required Restrictions.
 
Likely the thought is that if a patient pays out-of-pocket, the health plan does not need to know the reason and facts from the encounter.
 
The relevant HIPAA rule amendment is below:
 

 § 164.522 Rights to request privacy protection for protected health information.

(a)(1) * * *

(ii) Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is

not required to agree to a restriction.

* * * * *
(vi) A covered entity must agree to the request of an individual to restrict

disclosure of protected health information about the individual to a health plan if:

(A) The disclosure is for the purpose of carrying out payment or health care

operations and is not otherwise required by law; and

(B) The protected health information pertains solely to a health care item or

service for which the individual, or person other than the health plan on behalf of the

individual, has paid the covered entity in full.


 

PROVIDING ACCESS TO RECORDS THAT ARE MAINTAINED ELECTRONICALLY

When the Author’s healthcare providers find out that he has a background in HIPAA, he gets a range of comments. Most allied healthcare practitioners say that HIPAA was long overdue and necessary.

Most physicians reply in a more negative manner. The Author’s cardiologist called HIPAA “A good idea run rampant.”  Perhaps his reaction demonstrates his detachment from the massive administrative and operational tasks to make healthcare work. Or maybe he resents being told what to do by anyone. But in either event, he completely missed the point of HIPAA, as did most everyone else.

Americans are innately change resistant. Despite our technological and economic breakthroughs which evince an entrepreneurial and mold-breaking mentality, Americans resist change with a feudal ferocity. Eliminate the costly and useless penny? (How could we ruin the fond memories of piggy banks and 1₵ gumball machines.) Remove an unpopular comic from the newspaper? (We can never forget Sunday mornings at Grandpa’s knee listening to him read “Nancy” and “Peanuts.” to us.)

The healthcare industry saw that electronic healthcare records, Health Information Exchanges (HIE), and on-line claims adjudication were on the horizon. To prepare Americans that saw old Doc Adams and Marcus Welby as the medical apex, would have to be dragged in to the 21st century world of electronic medical records (EMRS.) HIPAA did the dragging, while much of America kicked and screamed.

HAND OVER MY ELECTRONS*

Under the final rule, covered entities that maintain one or more designated record sets electronically are required to provide an individual with a copy of his or her medical record in the electronic form and format requested by the individual, if such format is readily producible. If the requested format is not readily producible, the covered entity must offer to produce the electronic PHI in at least one readable electronic format. Covered entities may use various methods to accomplish this, such as providing a disc with a PDF file, sending a secure email with a Word file, or providing access through a secure web-based portal. Although covered entities are not required to purchase software or hardware to accommodate requests for various specific formats, they must be able to provide some form of readable electronic copy, and HHS notes that it anticipates some covered entities may need to invest in order to meet this requirement. A hard copy may be provided if the requesting individual rejects any of the offered electronic formats. Commentary from HHS also clarifies the following:

·         The electronic copy provided must include all of the electronic PHI held by the covered entity in a designated record set, or appropriate subset if only specific information is requested, at the time the request is fulfilled.

·         If the electronic PHI contains a link to images or data, the images or other data must be included in the electronic copy provided.

·         If a medical record is in mixed media (e.g., some paper and some electronic PHI), the covered entity is not required to scan the paper documents to provide a single electronic copy. Although a covered entity would have this option, a combination of electronic and hard copies may be provided.

·         A covered entity is not required to use an individual's flash drive or other device to transfer the electronic PHI if the covered entity has security concerns regarding the external portable media.

·         If secure email is not available and an individual requests to receive the electronic copy via unencrypted email, the covered entity may send the electronic copy in this fashion, but only if the covered entity has advised the individual of the risk that the information could be read by a third party.

Third Parties
The final rule adopts the proposed rule's requirement that, if requested by an individual, a covered entity must transmit the electronic copy directly to another person designated by the individual. HHS clarified that covered entities may rely on information provided by the individual regarding the third-party recipient, but they must implement policies and procedures to verify the identity of any person requesting PHI and implement reasonable safeguards to protect the information disclosed.

Fees
The final rule adopts proposed amendments to include labor costs for copying PHI, whether in paper or electronic form, as one factor that may be included in the reasonable, cost-based fees that may be charged to individuals. HHS clarified that labor costs could include the technical staff time spent creating or copying electronic files, such as compiling, extracting, scanning, and burning PHI to media. Reasonable, cost-based fees also may include: (1) the costs of supplies for creating electronic media (e.g., discs, flash drives) if the individual requests the copy on portable media; and (2) postage if the individual requests mailing or delivery of electronic media. However, under the final rule, covered entities may not: (1) include costs of new technology, maintaining systems for electronic PHI, data access, and storage infrastructure; or (2) charge a retrieval fee (whether a standard fee or actual costs) for electronic copies. Finally, under the state law preemption provisions of HIPAA, a state law imposing lower costs limits would apply. Thus, if costs permitted under HIPAA exceed the state law limits, the covered entity may not charge more than the state law allows.

Timeliness
The final rule decreases the time within which covered entities must respond to requests for access from 90 to 60 days by removing the provision allowing an additional 30 days to respond if PHI is not maintained onsite. Covered entities now have 30 days to respond, but they may have a one-time extension of up to 30 days upon provision of written notice to the individual, including the reason for the delay and the expected date of completion. HHS considered, but declined to adopt, different timelines for electronic versus paper copies, opting instead for a single standard.

 
*Much of the foregoing analysis came from  Allen Killworth and Claire Turcotte (Bricker & Eckler LLP, Columbus and West Chester, OH), for providing this email alert to the American Health Lawyers Association.

Below are some of the relevant amendments to the regulation.

§ 164.524 Access of individuals to protected health information.

 

* * * * *

558

(b) * * *

(2)***

(ii) If the covered entity is unable to take an action required by paragraph

(b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this

section, as applicable, the covered entity may extend the time for such actions by no more

than 30 days, provided that:

(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this

section, as applicable, provides the individual with a written statement of the reasons for

the delay and the date by which the covered entity will complete its action on the request;

and

(B) The covered entity may have only one such extension of time for action on a

request for access.

(c) * * *

(2) Form of access requested. (i) The covered entity must provide the individual

with access to the protected health information in the form and format requested by the

individual, if it is readily producible in such form and format; or, if not, in a readable hard

copy form or such other form and format as agreed to by the covered entity and the

individual.

(ii) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health

information that is the subject of a request for access is maintained in one or more

designated record sets electronically and if the individual requests an electronic copy of

such information, the covered entity must provide the individual with access to the

protected health information in the electronic form and format requested by the

559

individual, if it is readily producible in such form and format; or, if not, in a readable

electronic form and format as agreed to by the covered entity and the individual.

* * * * *

(3) Time and manner of access. (i) The covered entity must provide the access as

requested by the individual in a timely manner as required by paragraph (b)(2) of this

section, including arranging with the individual for a convenient time and place to inspect

or obtain a copy of the protected health information, or mailing the copy of the protected

health information at the individual’s request. The covered entity may discuss the scope,

format, and other aspects of the request for access with the individual as necessary to

facilitate the timely provision of access.

(ii) If an individual's request for access directs the covered entity to transmit the

copy of protected health information directly to another person designated by the

individual, the covered entity must provide the copy to the person designated by the

individual. The individual's request must be in writing, signed by the individual, and

clearly identify the designated person and where to send the copy of protected health

information.

(4) * * *

(i) Labor for copying the protected health information requested by the individual,

whether in paper or electronic form;

(ii) Supplies for creating the paper copy or electronic media if the individual

requests that the electronic copy be provided on port

No comments:

Post a Comment