At the MGMA 2014 conference, attendees learned about key elements of HIPAA compliance they may be overlooking. Many have to do with changes to patient rights.
Practices were required to comply with most provisions of the Omnibus HIPAA Final Rule last year, but many may be struggling to satisfy all of the requirements.
That's according to Loretta Duncan, senior medical practice consultant with malpractice insurer State Volunteer Mutual Insurance Company in Brentwood, Tenn., who presented a session entitled "HIPAA One Year Later - Are You Compliant?" at the 2014 Medical Group Management Association Conference on Mon., Oct. 27.
During her session, Duncan highlighted key elements of compliance that many practices may be overlooking. Many of them have to do with changes to patient rights.
1. Electronic access to protected health information (PHI)
If a patient requests an electronic copy of PHI (for instance, via e-mail or on a CD), practices must provide it in that manner.
If a patient requests that you transmit the PHI via e-mail and your practice is unable to e-mail it securely (e.g., by encrypting it), have the patient sign a statement saying that he understands the risk but still gives you permission to e-mail the file, said Duncan.
If a patient asks you to transmit his PHI to a third party, obtain written permission from the patient before transmitting it.
Finally, create new policies and procedures covering electronic access to patient data, and train your staff appropriately, she said, adding that it's also a good idea to document any training you provide.
Tip: Do not use a free e-mail service (such as Yahoo) to e-mail information to patients. The contents of the e-mail may be stored online, which means you may need a business associate agreement with the free e-mail service, said Duncan. "The best way to deal with e-mail is to have your own e-mail server that's encrypted."
2. Charging for copies of records
Practices may charge a "reasonable" cost-based fee for providing patients with copies of their medical records, said Duncan. Practices may only charge for the cost of the staff time involved in copying the record, as well as the cost of supplies, she said.
Practices must also consider state laws related to these costs, as many states have their own limits in place. If your cost of copying the record is lower than your state allows, you must charge your lower cost, said Duncan.
Once you determine your process for providing patients with copies of their records, make sure your staff knows the process, she said. Keep in mind that HIPAA requires practices to provide copies within 30 days of the request, though some states require even shorter time frames.
Also, update your policies and procedures to note costs, time frames, processes for copying records, and so on.
Tip: Be careful if a patient brings you a thumb drive onto which they want you to copy their PHI. The thumb drive may contain contents that could corrupt your system, said Duncan. For that reason, you may want to keep your own thumb drives on hand to use when this type of situation occurs.
3. Restricting information disclosure to a health plan
Patients can now request a restriction on a disclosure of PHI to a health plan if they pay out of pocket in full for a service. Practices must agree to such a request unless they are required by law to bill that health plan (as is the case with most Medicaid plans), said Duncan.
If the service the patient does not want disclosed is bundled with something else, practices need to counsel the patient on that (for instance, by explaining that the patient will need to pay more out-of-pocket than expected).
Practices need to make sure that communication about non-disclosure is tight between all of their staff members and departments so that nothing slips through the cracks, said Duncan. Then, make sure you document your new policies and procedures regarding this.
Tip: Be careful e-prescribing if a patient asks you not to disclose information to a health plan, said Duncan. If you e-prescribe, the pharmacy may bill to the insurance plan before the patient has a chance to let the pharmacy know that the information should not be disclosed.
Changes to patient rights are not the only area practices need to focus on to ensure compliance with the HIPAA Omnibus Final Rule.
Duncan also discussed changes related to Notices of Privacy Practices (NPPs), Business Associate Agreements (BAAs), and breach notifications. Here are a few resources to help your practice in these areas:
NPPs:
Examples of NPPs You Can Modify for Your Practice
Two Essentials for HIPAA Omnibus Final Rule Compliance
HIPAA Final Rule Necessitates Practice Document Changes
BAAs:
Guidance on BAA Contracts and Sample Provisions
Updating HIPAA Business Associate Agreements: 3 Steps
HIPAA Highlights: Business Associate Agreement Provisions
Breach Notification:
HHS Guidance on the Breach Notification Rules
Medical Practices Must Adjust to Comply with New HIPAA Rules