The recent HIPAA rules updates and
modifications stretch across most areas of HIPAA applicability. Many relate to
civil enforcement and breach notification. These are the things that lawyers
and consultants will pounce on, and probably rightly so.
The Author will try to hit on the
more operational things. Much of his HIPAA work in Privacy, Security and
Transaction Standards was in the trenches with the people that had to make the
policies work.
A REQUEST TO RESTRICT DISCLOSURES THAT A COVERED ENTITY
MUST AGREE TO
Under
the new the Amended Rule, a covered entity must agree to an individual's
request to restrict disclosures of PHI to a health plan if: (1) the disclosure
is for purposes of payment or healthcare operations and is not otherwise
required by law; and (2) the PHI pertains solely to healthcare items or
services for which the individual, or another person on behalf of the
individual (other than the health plan), has paid in full (Required
Restrictions). The Final Rule also eliminates a covered entity's ability to
terminate its agreement to any Required Restrictions.
Likely
the thought is that if a patient pays out-of-pocket, the health plan does not
need to know the reason and facts from the encounter.
The relevant HIPAA rule amendment is below:
§ 164.522 Rights to request privacy protection
for protected health information.
(a)(1) * * *
(ii) Except as
provided in paragraph (a)(1)(vi) of this section, a covered entity is
not required to
agree to a restriction.
* * * * *
(vi) A covered entity must agree to the request of an individual to restrict
disclosure of protected health information about the individual to a health plan if:
(A) The disclosure is for the purpose of carrying out payment or health care
operations and is not otherwise required by law; and
(B) The protected health information pertains solely to a health care item or
service for which the individual, or person other than the health plan on behalf of the
individual, has paid the covered entity in full.
PROVIDING ACCESS TO RECORDS THAT ARE
MAINTAINED ELECTRONICALLY
When the Author’s healthcare
providers find out that he has a background in HIPAA, he gets a range of
comments. Most allied healthcare practitioners say that HIPAA was long overdue
and necessary.
Most physicians reply in a more negative manner. The Author’s
cardiologist called HIPAA “A good idea run rampant.” Perhaps his reaction demonstrates his
detachment from the massive administrative and operational tasks to make
healthcare work. Or maybe he resents being told what to do by anyone. But in
either event, he completely missed the point of HIPAA, as did most everyone else.
Americans are innately change resistant. Despite our technological and
economic breakthroughs which evince an entrepreneurial and mold-breaking
mentality, Americans resist change with a feudal ferocity. Eliminate the costly
and useless penny? (How could we ruin the fond memories of piggy banks and 1₵
gumball machines.) Remove an unpopular comic from the newspaper? (We can never
forget Sunday mornings at Grandpa’s knee listening to him read “Nancy” and “Peanuts.” to us.)
The healthcare industry saw that electronic healthcare records, Health
Information Exchanges (HIE), and on-line claims adjudication were on the
horizon. To prepare Americans that saw old Doc Adams and Marcus Welby as the medical apex,
would have to be dragged in to the 21st century world of electronic
medical records (EMRS.) HIPAA did the dragging, while much of America kicked
and screamed.
HAND OVER MY ELECTRONS*
Under the final
rule, covered entities that maintain one or more designated record sets
electronically are required to provide an individual with a copy of his or her
medical record in the electronic form and format requested by the individual,
if such format is readily producible. If the requested format is not readily
producible, the covered entity must offer to produce the electronic PHI in at
least one readable electronic format. Covered entities may use various methods
to accomplish this, such as providing a disc with a PDF file, sending a secure
email with a Word file, or providing access through a secure web-based portal.
Although covered entities are not required to purchase software or hardware to
accommodate requests for various specific formats, they must be able to provide
some form of readable electronic copy, and HHS notes that it anticipates some
covered entities may need to invest in order to meet this requirement. A hard
copy may be provided if the requesting individual rejects any of the offered
electronic formats. Commentary from HHS also clarifies the following:
·
The electronic copy provided must include all of the electronic
PHI held by the covered entity in a designated record set, or appropriate
subset if only specific information is requested, at the time the request is
fulfilled.
·
If the electronic PHI contains a link to images or data, the
images or other data must be included in the electronic copy provided.
·
If a medical record is in mixed media (e.g., some paper and some
electronic PHI), the covered entity is not required to scan the paper documents
to provide a single electronic copy. Although a covered entity would have this
option, a combination of electronic and hard copies may be provided.
·
A covered entity is not required to use an individual's flash
drive or other device to transfer the electronic PHI if the covered entity has
security concerns regarding the external portable media.
·
If secure email is not available and an individual requests to
receive the electronic copy via unencrypted email, the covered entity may send
the electronic copy in this fashion, but only if the covered entity has advised
the individual of the risk that the information could be read by a third party.
Third Parties
The final rule
adopts the proposed rule's requirement that, if requested by an individual, a
covered entity must transmit the electronic copy directly to another person
designated by the individual. HHS clarified that covered entities may rely on
information provided by the individual regarding the third-party recipient, but
they must implement policies and procedures to verify the identity of any
person requesting PHI and implement reasonable safeguards to protect the
information disclosed.
Fees
The final rule
adopts proposed amendments to include labor costs for copying PHI, whether in
paper or electronic form, as one factor that may be included in the reasonable,
cost-based fees that may be charged to individuals. HHS clarified that labor
costs could include the technical staff time spent creating or copying
electronic files, such as compiling, extracting, scanning, and burning PHI to
media. Reasonable, cost-based fees also may include: (1) the costs of supplies
for creating electronic media (e.g., discs, flash drives) if the individual
requests the copy on portable media; and (2) postage if the individual requests
mailing or delivery of electronic media. However, under the final rule, covered
entities may not: (1) include costs of new technology, maintaining systems for
electronic PHI, data access, and storage infrastructure; or (2) charge a
retrieval fee (whether a standard fee or actual costs) for electronic copies.
Finally, under the state law preemption provisions of HIPAA, a state law
imposing lower costs limits would apply. Thus, if costs permitted under HIPAA
exceed the state law limits, the covered entity may not charge more than the
state law allows.
Timeliness
The final rule decreases the time within which covered entities
must respond to requests for access from 90 to 60 days by removing the
provision allowing an additional 30 days to respond if PHI is not maintained
onsite. Covered entities now have 30 days to respond, but they may have a
one-time extension of up to 30 days upon provision of written notice to the
individual, including the reason for the delay and the expected date of
completion. HHS considered, but declined to adopt, different timelines for
electronic versus paper copies, opting instead for a single standard.
*Much of the foregoing analysis came from Allen Killworth and Claire Turcotte (Bricker & Eckler LLP, Columbus and West Chester, OH), for providing
this email alert to the American Health Lawyers Association.
Below are some of
the relevant amendments to the regulation.
§
164.524 Access of individuals to protected health information.
* * * * *
558
(b) * * *
(2)***
(ii) If the covered
entity is unable to take an action required by paragraph
(b)(2)(i)(A) or (B)
of this section within the time required by paragraph (b)(2)(i) of this
section, as
applicable, the covered entity may extend the time for such actions by no more
than 30 days,
provided that:
(A) The covered
entity, within the time limit set by paragraph (b)(2)(i) of this
section, as
applicable, provides the individual with a written statement of the reasons for
the delay and the
date by which the covered entity will complete its action on the request;
and
(B) The covered
entity may have only one such extension of time for action on a
request for access.
(c) * * *
(2) Form of access
requested. (i) The covered entity must provide the individual
with access to the
protected health information in the form and format requested by the
individual, if it
is readily producible in such form and format; or, if not, in a readable hard
copy form or such
other form and format as agreed to by the covered entity and the
individual.
(ii)
Notwithstanding paragraph (c)(2)(i) of this section, if the protected health
information that is
the subject of a request for access is maintained in one or more
designated record
sets electronically and if the individual requests an electronic copy of
such information,
the covered entity must provide the individual with access to the
protected health
information in the electronic form and format requested by the
559
individual, if it
is readily producible in such form and format; or, if not, in a readable
electronic form and
format as agreed to by the covered entity and the individual.
* * * * *
(3) Time and manner
of access. (i) The covered entity must provide the access as
requested by the
individual in a timely manner as required by paragraph (b)(2) of this
section, including
arranging with the individual for a convenient time and place to inspect
or obtain a copy of
the protected health information, or mailing the copy of the protected
health information
at the individual’s request. The covered entity may discuss the scope,
format, and other
aspects of the request for access with the individual as necessary to
facilitate the
timely provision of access.
(ii) If an
individual's request for access directs the covered entity to transmit the
copy of protected
health information directly to another person designated by the
individual, the
covered entity must provide the copy to the person designated by the
individual. The
individual's request must be in writing, signed by the individual, and
clearly identify
the designated person and where to send the copy of protected health
information.
(4) * * *
(i) Labor for
copying the protected health information requested by the individual,
whether in paper or
electronic form;
(ii) Supplies for
creating the paper copy or electronic media if the individual
requests that the electronic copy be provided on port
No comments:
Post a Comment