(October 3, 2013): The HIPAA Omnibus Rule (Omnibus Rule) is well over 100 pages long. When considered in the context of existing HIPAA and HITECH, health care providers are often it difficult to apply the provisions of the Omnibus Rule to privacy situations that are commonly arising in a physician's practice. One such situation is outlined below where a patient has asked that the practice restrict the submission of protected health information (PHI) to the patient's insurance carrier.
Question: What do you suggest regarding the patient problem list? For example, if a patient comes in for evaluation of a breast lump and doesn't want that submitted to her insurance company, I would normally put the diagnosis of breast lump on her problem list since that is what I am medically evaluating. Let's say she needs a breast biopsy and I need to send a summary of care note to the surgeon doing the biopsy - it has to list the diagnosis of breast lump on it. Is this a breach? Or for another example - patient comes in for cholesterol testing and doesn't want it reported to their insurance company. Turns out the cholesterol is too high and they need ongoing medication. I need to keep diagnosis of hyperlipidemia on their problem list. What about then when I send their summary of care record to the orthopedist who is treating their knee pain and it lists hyperlipidemia as one of their diagnoses. Is that a breach?
Answer: In short, “it depends”. As many healthcare providers are aware, the Department of Health and Human Services (HHS) recently made modifications to strengthen the HIPAA Privacy Rule under the aptly-named HIPAA Omnibus Rule. Guidance to these questions may be found in Section 164.522(a) of the HIPAA Privacy Rule, “The Right to Request a Restriction of Uses and Disclosures”, as well as in the many comments and responses found in that Final Rule.
I. Patient Requests to Restrict the Submission of PHI to Insurance:
Under Section 164.522(a), a covered entity must permit individuals to request that it restrict uses or disclosures of the patient’s protected health information (PHI) for treatment, payment, and health care operations purposes, as well as for disclosures to family members and certain others permitted under § 164.510(b) of the Privacy Rule. While covered entities are not required to agree to these requests for restrictions, if a covered entity does agree to restrict the use or disclosure of a patient’s PHI, it must abide by that restriction. The only exception to this requirement is in emergency circumstances when the information is required for the treatment of the individual. Section 164.522 also includes provisions for the termination of such a restriction and requires that covered entities that have agreed to a restriction document the restriction in writing.
Complimenting §164.522(a) is § 13405(a) of the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”). Section 13405(a) outlines circumstances in which a covered entity now must comply with an individual’s request to restrict a disclosure of her protected health information. In essence, § 13405(a) requires that when an individual requests a restriction on disclosure pursuant to § 164.522 of the Privacy Rule, the covered entity must agree to the requested restriction if the request for restriction is on disclosures of PHI to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full. The only exception to this requirement is if the disclosure is otherwise “required by law.”
II. Complying with the New Restriction Request Requirements
HHS has provided significant guidance on how to effectively comply with these requirements. From the outset, during the Notice of Proposed Rulemaking (NPRM) period to the Final Omnibus Rule, commenters raised questions and concerns regarding how they could operationalize these requirements. As the questions above reflect, there are several problems that may arise when providers must restrict certain pieces of PHI while ensuring that the entire healthcare process – including subsequent care processes as well as billing and notification procedures – is effectively administered. HHS believes that it has provided thorough answers to these concerns.
From the outset, covered health care providers do not have to create separate medical records or otherwise segregate PHI subject to a restricted health care item or service. Nevertheless, these providers must still utilize some method to either flag or annotate the restricted PHI in the patient’s medical record. This will ensure that the restricted information is not inadvertently sent to or made accessible to a health plan for payment or health care operations purposes, such as when the health plan performs an audit. In fact, providers should already have in place minimum compliance policies and procedures that require them to limit PHI that may be disclosed to a health plan to only the amount reasonably necessary to achieve the purpose of the disclosure. As a result, covered entities should have familiar mechanisms in place to effectively limit any PHI that may be disclosed to a health plan.
III. Disclosures Mandated by Law
Covered entities are excepted from abiding by a patient’s request to restrict uses or disclosures of PHI when that use or disclosure is mandated by law. Under the HIPAA Privacy Rule, while ‘‘required by law’’ compels a covered entity to make a use or disclosure of PHI, that use or disclosure is enforceable in a court of law. These circumstances generally arise in conditions of participation for health care providers participating in federal healthcare programs, as well as under statutes and regulations that require the production of information if payment is sought under a government program providing public benefits. For example, a covered entity may have to disclose PHI to Medicare and Medicaid in response to an audit required by those programs. HHS has ensured covered entities that, if they are required by law to submit PHI to a federal health plan or other government program, it may continue to do so as necessary to comply with its legal obligations.
IV. Practical Problems Health Care Providers are Encountering
As the questions above indicate, providers are encountering situations where a patient requests a restriction with respect to only one of several health care items or services provided during a single patient encounter. Nevertheless, the provider may be either prohibited from unbundling or unbundling is more costly and yet must still include the services for purposes of billing a health plan. In these situations, HHS has made it clear that providers should counsel patients on the ability of the provider to unbundle the items or services and the impact of doing so (e.g., the health plan still may be able to determine that the restricted item or service was performed based on the context). If a provider is able to unbundle the items or services and accommodate the patient’s wishes after counseling on the impact of unbundling, it should do so. However, if a provider cannot unbundle a group of items or services, the provider should inform the individual and give him or her the opportunity to restrict and pay out of pocket for the entire bundle of items or services.
Where a provider is unable to unbundle a group of bundled items or services, HHS considers that group as one item or service for the purpose of applying § 164.522(a)(1)(v). However, HHS still expects a provider to accommodate an individual’s request for a restriction for separable and unbundled health care items or services, even if part of the same treatment encounter. For example, this situation could occur where a patient receives treatment for both asthma and diabetes, two completely separable and unbundled services. Unfortunately at this time, HHS has not provided health care providers with a general rule on whether an individual patient may only restrict either all or none of the health care items or services that are part of one treatment encounter.
Other concerns have centered on how to electronically (such as through an e-prescribing tool) notify a pharmacist or subsequent provider of an individual’s restriction request. Currently, there is not a widely available method for electronically notifying a pharmacy that a patient has requested a restriction. In fact, it is often costly, burdensome, and unworkable for a provider to attempt to notify all subsequent providers of an individual’s restriction request, particularly given the lack of automated tools to make such notifications. Whose responsibility should it be to protect against potential breaches?
Due to these concerns, providers contend that the obligation to notify downstream providers should remain with the individual patient if that person wants to restrict PHI to a health plan. Given the lack of automated technologies to support such a requirement, HHS essentially agrees that it would be unworkable at this time to require health care providers to notify downstream providers of the fact that a patient has requested a restriction to a health plan. However, HHS still encourages providers to counsel patients on the need to request a restriction and pay out of pocket with other providers for the restriction to apply to the disclosures by such providers. Moreover, if an individual wants to restrict disclosures to a health plan concerning a prescribed medication, the prescribing provider can provide the patient with a paper prescription to allow the individual an opportunity to request a restriction and pay for the prescription with the pharmacy before the pharmacy has submitted a bill to the health plan. Nevertheless, while HHS does not require providers to assist individuals in alerting downstream providers of the individual’s desire to request a restriction and pay out of pocket for a particular health care item or service if feasible, providers are permitted to do so. In fact, HHS highly encourages this assistance.
For example, consider an individual who is meeting with her primary care physician (PCP) and requests a restriction on tests that are being administered to determine if she has a heart condition. If, after conducting the tests, the patient’s PCP refers the patient to a cardiologist, it is the patient’s obligation to request a restriction from the subsequent provider, the cardiologist, if she wishes to pay out of pocket rather than have her health plan billed for the visit. In this example, although the PCP in would not be required to alert the cardiologist of the patient’s potential desire to request a restriction, HHS encourages providers to do so if feasible. Or, at the very least, HHS encourages providers to engage in a dialogue with the patient to ensure that the individual is aware that it is the patient’s obligation to request restrictions from subsequent providers. Even where a Health Information Exchange is involved, HHS still notes that it is the responsibility of the individual – and not the provider – to notify downstream providers of a restriction request.
V. HMO Issues
Similar rules apply to health care providers participating under an HMO setting. For these types of contracts, HHS explains that a HMO provider should abide by a patient’s requested restriction unless doing so would be inconsistent with State or other law. Therefore, if a provider operating under an HMO context is legally prohibited from accepting payment from an individual above the individual’s cost-sharing amount (i.e., the provider cannot accept an out of pocket payment from the individual for the service), then the provider should counsel the patient that he or she will have to use an out- of-network provider for the health care item or service in order to restrict the disclosure of protected health information to the HMO for the health care. In addition, HMO providers who are legally able to treat the health care services to which the restriction would apply as out-of-network services should do so in order to abide by the requested restriction. HHS does not consider a contractual requirement to submit a claim or otherwise disclose PHI to an HMO to exempt the provider from his or her obligations under this provision. Providers under this agreement should be reminded that the Final Rule includes a 180- day compliance period beyond the effective date of these revisions to the Privacy Rule. During this period, providers and HMOs should update their contracts as needed so that they will be consistent with these new requirements.
VI. Issues with Follow-Up Visits
Other providers have continued to express concern for situations dealing with restrictions and follow-up care. For example, an individual may have a restriction in place with respect to a health care service that he does not pay for out of pocket but requests a restriction with regard to follow-up treatment. Furthermore, the provider may need to include information that was previously restricted in the bill to the health plan in order to have the service deemed medically necessary or appropriate. Under HHS’s guidance, the provider is permitted to disclose this information so long as doing so is consistent with the provider’s minimum necessary policies and procedures. HHS clarifies that this form of disclosure would continue to be permitted for payment purposes and thus, would not require the individual’s written authorization. However, HHS highly encourages covered entities to engage in open dialogue with patients to ensure that they are aware that previously restricted PHI may be disclosed to the health plan unless they request an additional restriction and pay out of pocket for the follow-up care.
HHS has also been asked to clarify whether a patient’s restriction request prohibits providers from giving PHI to health plans solely for payment or health care operations purposes in such cases or all entities that may receive PHI for payment or health care operations. In response to concerns regarding disclosure for payment or health care operations purposes to entities other than the health plan, HHS contends that Section 164.522(a) does not affect disclosures to these other entities as permitted by the Privacy Rule. Finally, providers should be reminded of the penalties that may be incurred. In particular, a provider who discloses restricted PHI to a health plan is making a disclosure in violation of both the Privacy Rule and the HITECH Act. Thus, as with other impermissible disclosures, the provider would then be subject to the imposition of possible criminal penalties, civil money penalties, or corrective action.
VII. Conclusion
Whether the circumstances above reflect situations of a “breach” of a patient’s privacy will depend on the particular situation. As this article summarizes, covered entities must allow individuals to request that the entity restrict uses or disclosures of the patient’s PHI for any treatment, payment, and health care operations purposes. Providers are not required to agree to restrict this information, but if it does so, the provider must ensure that the restriction is protected.
Robert L. Saltaformaggio is a rising Associate Attorney at Liles Parker, PLLC. He is also a Certified Medical Compliance Officer (CMCO). Robert represents and assists health care providers around the country in connection with Medicare and private payor audits, pre-payment reviews and overpayment appeals. He also assists clients with HIPAA privacy and health care compliance projects. Liles Parker has offices in Washington, DC; Houston, TX; San Antonio, TX; and Baton Rouge, LA. Should you have a questions regarding this article or another health care legal or regulatory issue, please call us for a free consultation. We can be reached at: 1 (800) 475-1906.