
Thursday, March 28, 2013

A Little is Not Enough

The final HITECH rule became effective yesterday.  Many people in the healthcare industry are scrambling to get into compliance.
Yet, recently, I had a conversation with a small practice manager who wanted to execute a business associate agreement with a consultant.  While I commended him for getting that item into place, I asked about the practice's overall HIPAA/HITECH and state law compliance in general.  Needless to say, there was no privacy officer, a few (old) policies, an outdated Notice of Privacy, no training and no system of reviewing or auditing access to their newly installed electronic record system. There was absolutely no knowledge of the breach notification mandates. The manager nevertheless seemed satisfied with his efforts in this area.   
I often find that, in the midst of all the regulatory noise, there still remains a real lack of awareness of many basic requirements of HIPAA under the new HITECH updates, and of privacy and security compliance in general. Whether the lack of knowledge comes from sheer overwhelm or denial, it is hard to say.
But doing nothing will get you into far greater trouble than taking step-by-step action.  The Office of Civil Rights will now be acting both on complaints and on audit findings. Failure to be in compliance could cost a practice a 6-7 figure civil monetary penalty.  This is nothing to ignore.
Doing just a little is not enough. Both a culture and a system of compliance are required.
So, contact a knowledge expert, bring in a compliance educator, learn your requirements and put them into place. Your practice, regardless of size, needs someone dedicated to ensuring and enforcing these protections and safeguards, with internal sanctions for violations of your policy standards.
Just as you focus on healthcare treatment and services, you also must care for and secure your patient’s, client’s or resident’s protected health information and be prepared to honor your patient’s information privacy rights.  Go on, get to it!

Monday, March 4, 2013

Honoring Requests for Restrictions - An Overview

Since the early days of HIPAA, covered entities have been required to alert patients to their right to request restrictions on the use or disclosure of their protected health information (PHI) in their Notice of Privacy Practices, yet covered entities have not been required to honor the request.  Now, under the HITECH Omnibus Final Rule, a covered entity must agree to an individual's request to restrict disclosures of PHI to a health plan if:
  • (1) the disclosure is for purposes of payment or healthcare operations and is not otherwise required by law; and
  • (2) the PHI pertains solely to healthcare items or services for which the individual, or another person on behalf of the individual, has paid in full. 
Certain providers, and certain states, already have been accommodating patient requests to withhold sensitive information from health plans, either by law or custom, permitting the patient to pay out of pocket for treatment or services. 

There is a fair amount of patient education inherent in this new right. Under HITECH, providers are encouraged to engage in a dialogue with patients to ensure they understand that previously restricted PHI may still be disclosed to the health plan in follow-up care unless the patient makes another formal request and pays out of pocket in full (assuming the disclosure is not required by law). A patient will need to be made aware that s/he will need to make that same request, and pay in full, with other providers as well.

The HITECH guidance discusses that where a provider is able to "unbundle" a group of items or services to honor the request for restriction, it should do so. However, if the provider is unable to unbundle a group of items or services, the provider must inform the patient, and allow the patient to restrict and pay out of pocket for the entire "bundle."

The HITECH guidance also informs us that where the patient is covered by a government payor like Medicaid, and both a) the submission of a claim is required and b) there is no exception or procedure that allows the patient to pay for the service, then the submission of the claim is considered "required by law" and the restriction does not apply. The guidance suggests that under Medicare, the patient/beneficiary is permitted to pay out of pocket, subject to the Medicare limitations noted in Section 40 of the Medicare Benefit Policy (Internet) Manual.

Finally, for now, the HITECH Final Rule eliminates a covered entity’s ability to terminate its agreement to this type of required restriction.

This requirement is effective on March 26, 2013.  The compliance enforcement date is September 23, 2013. 

So, it is time to develop or update your process, and educate appropriate staff members on this new federal mandate. If there is no system yet in place for honoring this type of request for restrictions, providers will need to create one. Additionally, the system will somehow need to flag the restricted PHI to ensure that it is not made available to the health plan for business operations purposes (e.g., if the plan comes in for an audit or review).

Just one item on your HITECH to-do list, but one that you can certainly accomplish.  Don't forget to put this updated patient right into your Notice of Privacy Practices (another HITECH mandate)!