On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). Because the Final Rule covers a broad range of topics, we will be issuing a series of alerts in our HIPAA Impact Series to provide further analysis on these topics. This alert focuses on an individual’s right to request restrictions on uses and disclosures of the individual’s protected health information (“PHI”).
The Right to Request Restrictions When Paying Out-of-Pocket
Under the Final Rule, a covered entity must agree to an individual’s request to restrict disclosures of PHI to a health plan if: (i) the disclosure is for purposes of payment or health care operations and is not otherwise required by law, and (ii) the PHI pertains solely to health care items or services for which the individual, or another person on behalf of the individual (other than the health plan), has paid in full (“Required Restrictions”). Covered entities are prohibited from unilaterally terminating their agreements to any Required Restrictions. Covered entities must comply with requests for Required Restrictions as of September 23, 2013.
In the commentary accompanying the Final Rule, HHS provided guidance addressing some of the issues that commenters raised during the rulemaking process. Some of the key issues that HHS addresses in the Final Rule include the following:
- Medical Records. Providers do not need to create separate medical records or segregate PHI subject to a Required Restriction. However, they will need to use some method to identify portions of the record that contain PHI subject to a Required Restriction to ensure it is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes.
- Bundled Services. If a patient requests a restriction with respect to one of several items or services provided in a single patient encounter, the provider should counsel the patient on the ability or inability to unbundle the services and the consequences of doing so (i.e., the health plan may still be able to identify the services performed based on the context). If the provider cannot unbundle the items or services, the provider should give the patient the option to restrict and pay out-of-pocket for the entire bundle of items or services.
- Dishonored Payments. Providers do not need to abide by a restriction if a patient’s payment is dishonored. However, HHS expects providers to make reasonable attempts to resolve payment issues with the patient prior to disclosing PHI to the health plan. Providers may require payment in full at the time the restriction is requested to avoid payment issues.
- Downstream Providers. Providers are not required to notify downstream providers of Required Restrictions. This is the responsibility of the patient. Providers should counsel patients that for the restriction to apply to other providers, the patient must pay out-of-pocket and request a restriction when care is rendered by other providers.
- Follow-Up Care. Providers may include previously restricted PHI when billing the health plan for the follow-up treatment if the patient does not request a restriction and pay out-of-pocket for the follow-up treatment and if it is necessary to have the follow-up treatment deemed medically necessary.
- HMOs. Contractual requirements for a provider to submit claims to an HMO do not exempt the provider from obligations regarding Required Restrictions. Provider contracts should be updated to be consistent with these new requirements.
- Mandatory Billing Rules. A provider may submit PHI to a government health plan as required by law (i.e., mandatory claim submission laws). However, there are various mechanisms that allow a provider to avoid such legal mandates (i.e., if the patient refuses to authorize submission of a bill to Medicare). Providers must utilize such mechanisms in order to comply with the request for a Required Restriction.
Practical Takeaways
In response to the Final Rule, it is recommended covered entities do the following:
- Review and revise policies and procedures to comply with the Final Rule;
- Identify personnel whose job functions will be affected by the Final Rule, and ensure they are properly trained in implementing Required Restrictions and protecting restricted PHI;
- Revise Notices of Privacy Practices to accurately reflect this change; and
- Consider whether electronic systems need to be updated to allow them to communicate with each other and ensure that information is not disclosed to, and health plans are not billed for, items or services subject to a Required Restriction.
If you have any questions, please contact:
- Monica Hocum at mhocum@wp.hallrender.com or 414-721-0454;
- Leia Olsen at lolsen@wp.hallrender.com or 414-721-0466;
- Stephane Fabus at sfabus@wp.hallrender.com or 414-721-0904; or
- Your regular Hall Render attorney.
