In the midst of Medicare cuts, consult-code farewells, healthcare reform bills, and all our other challenges, we need to prepare for new HIPAA Privacy and Security mandates that are effective February 18, 2010. These mandates were included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of last year’s American Recovery and Reinvestment Act (ARRA).
Here’s a synopsis of these changes, with present standards listed under “Today” and the new standards listed under “Tomorrow.”
An Individual’s Right of Access to PHI - 13405(e) of ARRA
Today:
- Patients have a right to access or receive a copy of their medical record.
Tomorrow:
- If a practice has an electronic health record (EHR), its patients have a right to receive an electronic copy of their records via CD-ROM, USB drive, Web site, or similar means. Further, a patient has a right to direct a practice to transmit an electronic copy of her record to another entity or person.
Patient-Directed Privacy Restrictions - 13405(a)
Today:
- Patients may request restrictions on the release of their Protected Health Information (PHI); however, practices are not required to agree to such restrictions.
Tomorrow:
- Practices may not disclose self-pay services (i.e., those paid in full by the patient) to a health plan if the patient objects to the disclosure.
Release of Minimum Necessary Data - 13405(b)
Today:
- Most releases of PHI beyond treatment purposes are restricted to the minimum amount of PHI necessary to satisfy the purpose for which the data is acquired, used, or disclosed.
- Covered entities may rely on the requesting entity to determine what constitutes the minimum necessary, if such reliance is reasonable and the request comes from another covered entity.
- Limited data sets (essentially, those stripped of patient-identifying information) can be used for research, public health, and healthcare operations purposes under a data use agreement.
Tomorrow:
- When possible, practices should use limited data sets or de-identified information to satisfy the minimum necessary standard.
- Covered entities may not rely solely on requesting entities to determine what constitutes the minimum necessary. Instead, a practice must determine for itself the minimum data it can release to satisfy the requesting entity’s needs.
- Clarifying guidance on what constitutes the minimum necessary must be issued by the Secretary of Health and Human Services no later than August 18, 2010.
Business Associates - 13401, 13404, 13408
Today:
- Business Associates are not directly regulated.
- Covered entities are required to have agreements with their Business Associates.
Tomorrow:
- Business Associates must comply directly with applicable HIPAA law, regardless of whether their current Business Associate agreements require it.
- Health Information Exchanges, e-Prescribing portals, and Regional Health Information Exchanges are classified as Business Associates.
- Business Associates are subject to enforcement and to civil and criminal penalties.
Marketing/Sale of PHI - 13405(d), 13406(a)
Today:
- Practices have been able to use or share patient PHI, without patient authorization, in certain marketing efforts.
Tomorrow:
- Practices are prohibited from receiving direct or indirect remuneration in exchange for a patient’s PHI without the patient’s authorization.
- Practices are prohibited from selling PHI for marketing purposes.
- Exceptions to these prohibitions are set out in Sections 13405(d) and 13406(a).
Opt-Out for Fundraising Communications - 13406(b)
Today:
- Practices can use patient demographic data to send fundraising communications.
Tomorrow:
- Practices must give patients a clear and conspicuous opportunity to opt out of receiving fundraising communications.
Criminal Penalties - 13409
Today:
- Only covered entities are subject to criminal penalties.
Tomorrow:
- Individuals, including employees of covered entities, are also subject to criminal penalties.
Civil Monetary Payments and Settlements - 13410(c)
Today:
- Civil penalties and settlements go to the general treasury.
Tomorrow:
- Civil penalties and settlements will go to the Office for Civil Rights and be allocated to HIPAA enforcement.
Further “clarification” of HIPAA is scheduled in August 2010 and - I can feel your excitement - 2011, 2012, 2013, and 2014. I’m just wishing they had gotten it right the first time.
Lucien W. Roberts, III, MHA, FACMPE, is Vice President of Marketing and Business Development for Seredor Corporation. He also consults with medical groups and health systems in areas such as compliance, physician compensation, negotiation, strategic planning, and billing/collections. He may be reached at email@example.com.