The HIPAA Privacy Rule has always provided an individual patient the right to request special, confidential treatment of his or her protected health information (PHI). That right is not absolute, however. Covered entities were free to decline such a request. While covered entities should have protocols in place to implement requests that are granted, the HITECH Act changed the right of individuals in one situation. If a service is paid for entirely out of pocket by an individual, a covered entity must agree to a request that such individual’s PHI relating solely to that service not be disclosed to a health plan for purposes of payment or health care operations, unless the disclosure is required by law. See 42 C.F.R. § 164.522(a)(1)(vi). (Health Plans are not viewed by the Department of Health and Human Services (HHS) as providing treatment for purposes of HIPAA.) A close reading of HHS’s comments on this right provides some answers and the basis for a reasoned approach to other questions.
Who Requests the Restriction?
First and in many ways foremost, it is clear that it is the individual’s, not the covered entity’s, responsibility to “inform” downstream providers of a restriction, including without limitation, in the context of a Health Information Exchange. Notwithstanding, HHS does encourage covered entities to take it upon themselves to communicate the requested restriction to downstream providers. At the very least, covered entities should counsel patients on their obligation to separately submit such request to every subsequent provider. HHS used the example of a prescription submitted using an e-prescribing technology as the result of an encounter for which the individual pays out-of-pocket. The pharmacy will have submitted the prescription to the health plan before the individual arrives at the pharmacy to pick the prescription up. At least under the current state of e-prescribing technology, no notice of the patient’s restriction from the prescriber to the pharmacy is required. However, HHS would encourage providers to offer a paper prescription to the patient. This, of course, may run counter to current incentives to providers to use e-prescribing.
HHS’s comments provided helpful reminders as to the scope of this provision. While the regulatory text speaks in terms of a covered entity’s obligation related to requested restriction, it only applies to covered health care providers. In addition, the provision only applies to disclosures to health plans and a health plan’s business associates, not to other entities, e.g., collection agencies, courts, and law enforcement agencies.
Need to Segregate? Keep the Bundle?
Covered entities are not required to create separate medical records or segregate the restricted information. Notwithstanding, they will need to create a process for flagging such information in the record to ensure the restricted information is not inadvertently disclosed or made accessible to the health plan.
For many covered health care providers “bundled services” are viewed as a significant hurdle in complying with this provision. Under these circumstances, a covered entity should advise individuals as to the limitations in restricting information within a “bundle” and/or their inability to unbundle a service for purposes of restricting its disclosure. For example, even if a provider could unbundle a service and restrict its disclosure, payors may still be clued into the nature of such restricted information by the nature of the other related (formerly bundled) service and items disclosed. However, if a covered entity can proceed with unbundling a service to restrict its disclosure, it should do so. If a covered entity cannot unbundle a service, it should offer the individual the option of restricting the disclosure by paying for, out of pocket, the entire bundle. This however, could be quite costly for the individual. If they cannot pay for the entire bundle, HHS views the bundle as one service and therefore, because the full service was not paid for out of pocket, it can be disclosed to health plans for payment and/or operations.
Required by Law, or Is It?
Regardless of an individual’s request, covered entities may still make disclosures to health plans as required by law. For example, disclosures for purposes of Medicare or Medicaid audits or as required by the Medicare conditions of participation are all “required by law.” Often, state laws require providers to submit a claim to a health plan for a covered service provided to an individual, but provide no process for those services paid for out of pocket. In this case, the disclosure is required by law, but would be subject to the minimum necessary parameters, as are all disclosures. Similarly, while a provider is required by law to submit a claim to Medicare for any covered service provided to a beneficiary in exchange for payment,, the provider is not required to do so where the beneficiary refuses to authorize the submission of the bill, such as when the individual pays for it out of pocket and requests restrictions on disclosure of the related PHI. In this case, the submission of the claim to Medicare is no longer required by law. Contrast to that a contractual obligation to submit certain information, for example in the context of a covered entity’s relationship with an HMO. Such obligation does not arise to that “required by law” and therefore would not excuse a covered entity’s failure to honor an individual’s request to restrict information shared with such HMO related to items or services the individual paid for out of pocket.
Who Must Make the Out-of-pocket Expenditure?
A covered entity, and downstream providers, must honor the restriction not only where the individual pays for the item or service in full, but also where an individual’s family member pays for the item or service on the individual’s behalf. If the payment issued by either the individual or family member is dishonored (check bounces) the covered entity is required to make reasonable efforts to obtain payment before removing the restriction and disclosing the subject information to payors, though such efforts need not go as far as engaging a collection agency. To avoid this additional burden, HHS suggests requiring payment in full at the time of the request. On a related note, covered entities should require individuals to submit their requests prior to the commencement of treatment, particularly in situations where preauthorization is required and therefore information must be disclosed to the health plans prior to delivery of items or services.
HHS also addressed the need for separate requests for restrictions on follow-up treatment. Covered entities may disclose previously restricted information as necessary to support (i.e., demonstrate medical necessity) the related and unrestricted follow-up care provided to the individual. As with other instances where previously restricted information may be disclosed, HHS strongly encourages the covered entity to institute a process for counseling individuals as to the potential disclosures under these circumstances.
The Restriction Does Not Follow the Record
While not specifically stated by HHS, it seems clear that a restriction on health plan disclosure does not bind other providers who may receive a record of the service. For example, if a primary care provider furnishes a service which is paid for in full, the primary care provider may furnish a record to a specialist provider for the specialist’s treatment purposes. The specialist may disclose the primary care provider’s service to the individual’s health plan if necessary to document the basis for the specialist’s services, unless the patient requests a restriction on such a disclosure from the specialist. Moreover, it would appear that unless the individual paid for the specialist’s service entirely out of pocket, the request for such a restriction would be one that the specialist could agree to or not, under the longstanding rule.
Providers will likely find the biggest challenge in comply with this provision to be the creation of doable and effective policies and procedures to monitor the proper restriction of information and the identification of the appropriate people to shepherd such process. Technology may help, to the extent electronic medical records systems permit “flagging” of records and barring of such records from specific disclosures. However, even with that technical capability, covered entities need a process for training work force members to identify and flag appropriate records. Existing processes for complying with requests for restrictions on disclosures will need to be reviewed and amended to reflect this new right of individuals. It is also possible that, to the extent that insurance companies are barred from declining coverage based on preexisting conditions and most health plans are barred from using genetic information for underwriting purposes, the perceived need for individuals to pay out of pocket for medical services may lessen. However, compliant processes still will need to be in place.