May 2013


From the Desk of the Compliance and Privacy Officer:

This past January, the Department of Health and Human Services (HHS) issued a final rule – “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act.”

This newsletter will focus on aspects of the Privacy rules as promulgated in the HITECH final rule.

News Front

The final rule added “subsidized communications” to the marketing definition. “Subsidized communications” means UNTHSC receives financial remuneration from a third party that markets a health-related product or service, in exchange for making marketing communications that encourage recipients of the communication to use or purchase the product or service.
Another new element to marketing is obtaining an authorization. An authorization must be obtained from the patient prior to any subsidized communication. The authorization must clearly state that we are receiving money for making this communication, and the authorization must allow the patient to opt out from receiving further marketing communication.
The treatment of communications to patients about refill reminders, adherence to medications, drug delivery systems (like insulin pumps), and generic equivalents of a drug remains unchanged: it is not considered marketing because the financial remuneration is ‘reasonable in amount’, just enough to cover the costs for making the communication.

In the interim final rule, we were required to protect a deceased person’s PHI in the same manner and to the same extent that is required for the protection of a living person’s PHI. So, if an authorization is required for a particular use or disclosure, then we had to obtain an authorization from the personal representative of the deceased individual. The Department of Health and Human Services received numerous concerns that it may be difficult to locate the personal representative, particularly after an estate is closed.
In the final rule, we are required to protect a deceased individual’s PHI for 50 years. However, the 50-year protection does not override State law or health profession obligations to protect sensitive PHI if such State laws or health profession obligations provide greater protection of such information.
The final rule will also permit us to disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that UNTHSC may know. UNTHSC just needs to have reasonable assurance that the person is a family member of the decedent or other person who was involved in the individual’s care or payment for care prior to death.

Disclosure of Student Immunizations to Schools
The final rule allows UNTHSC to disclose proof of immunizations to a school where State or other law requires the school to have such information prior to admitting the student. Written authorizations are no longer required; however, UNTHSC will be required to obtain an agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or, if the patient is an emancipated minor, from the individual himself.
UNTHSC must document the agreement. The final rule does not prescribe how to document nor require parental signature. The final rule gives us flexibility by allowing us to determine the appropriate documentation of such agreement.

In the interim final rule, we were permitted to use and disclose the following types of PHI: (1) demographic information relating to the individual; and (2) the dates of health care provided to an individual.
In addition to disclosing an individual’s demographic information and the dates of health care provided, the final rule enhanced what is permitted to be used and disclosed:

a. An individual’s health insurance status;
b. Department of Service information – for example cardiology;
c. Treating physician information; and
d. Outcome information

Additionally, individuals must be given the opportunity to opt-out from receiving fundraising communications and if the individual opts out, UNTHSC must not send fundraising communications to the individual. The final rule also allows the individual to opt back in to start receiving fundraising communications.

Right to Request a Restriction to Uses and Disclosures of PHI
In the interim rule, this section stated that UNTHSC must allow an individual to request a restriction to uses or disclosures of PHI for treatment, payment and health care operations purposes, as well as for disclosures to family members and certain other individuals. We were not required to agree to such a request.
In the final rule, we must agree to a request of an individual to restrict disclosure of PHI to a health plan if:

  • The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
  • The PHI pertains solely to a health care item or service for which the individual, or person acting on behalf of the individual (other than the health plan), has paid UNTHSC in full.

As such, UNTHSC is not allowed to require individuals to restrict disclosures of PHI regarding all health care to the health plan. Hence, if UNTHSC is able to unbundle the items or services and accommodate the individual’s wishes, it should do so. Likewise, if UNTHSC is not able to unbundle a group of items or services, UNTHSC should inform the individual and give the individual the opportunity to restrict and pay out of pocket for the entire bundle of items or services.
The final rule states it is the patient’s obligation to request restrictions from subsequent providers. The notification of restriction of certain PHI is not the provider’s responsibility.
If an individual has a restriction in place with respect to a health care service but does not pay out of pocket and request a restriction with regard to follow-up treatment, and the provider needs to include information that was previously restricted in the bill to the health plan in order to have the service deemed medically necessary or appropriate, then the provider is permitted to disclose such information as long as the minimum necessary standard is used (we have a policy on minimum necessary standards).
Within an HMO context, if a provider is prohibited from accepting an out-of-pocket payment from the individual for services, the provider may counsel the individual that he will have to use an out-of-network provider for the health care item or service in order to restrict the disclosure of PHI to the HMO. HHS will not consider a contractual requirement to submit a claim or otherwise disclose PHI to an HMO as exempting the provider from the obligation to honor the individual’s request for restriction. HHS notes that the compliance date for the regulations is 180 days from the effective date (3/26/13), during which provider contracts with HMOs can be updated as needed to be consistent with this requirement. The compliance date is 9/23/13.

Access of Individuals to Protected Health Information
The final rule strengthens the individual’s right of access to their PHI by expanding the form and format requirements. If the PHI requested is maintained electronically in one or more designated record sets, we must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by us and the individual. If the individual declines to receive their PHI in an electronic format available to us, then we must provide them a paper copy.
If the designated record set includes electronic links to images or other data, the images or other data linked to the designated record set must also be included in the electronic copy provided to the individual. The electronic copy must contain all PHI electronically maintained in the designated record set at the time the request is fulfilled. If an individual requests only a portion of their PHI, we are required to provide only the portion of PHI requested.
Further, if requested by an individual, we must transmit the copy of PHI directly to another person designated by the individual. The request must be made in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the PHI.
Another big change is the timeliness of fulfilling an individual’s right of access to their PHI when records are not maintained on site or are not accessible on site. Previously, the timeframe was 60 days. This was removed in the final rule because HHS states that access is instantaneous with PHI maintained in electronic format. However, the final rule does maintain the one-time extension of 30 days and maintains the further stipulations of providing the individual with a written notice of the reasons for the delay and the date by which we will complete our action on the request.
The final rule has not addressed the accounting of disclosures standard, which allows the individual to request information on who accessed their PHI. There was much anticipation this would be addressed in the final rule; however, the Department of Health and Human Services (HHS) said further guidance will be coming at a future date from the Office of Civil Rights, the agency responsible for overseeing Privacy and Security Regulations.


This page was last modified on June 26, 2024