Slide 1 HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort
Slide 2 Electronic Copy of PHI Form and Format requested, if readily producible electronically (patients can receive their information in a more convenient and accessible format) If not readily producible and maintained in paper, then readable hard copy
Slide 3 ACTION/Discussion: Educate staff and train for appropriate response to the individual's request. In HITECH, Congress made it clear that when a patient's information is stored electronically, patients have the right to obtain an electronic copy and to have that copy sent at their request to another person, entity, or personal health record or mobile health application.
Slide 4 Patient may make request for their health information in a specific form or format, but only if: Provider or plan is capable of producing in requested format, for example: MS Word Excel Text HTML PDF
Slide 5 Questions/Discussion: The provider or plan and patient are expected to come to an agreement on an acceptable, machine-readable format? Can a patient demand a specific machine-readable format?
Slide 6 Copy of PHI to Third Parties Individual may designate third party to receive copy Must be in writing Clearly identify the designated person Clearly identify where to send the copy Request VS Authorization: Who is making the request?
Slide 7 ACTION/Discussion: Note that a request letter is a separate document from an authorization Assure that the patient requests clearly indicate that the records are to be sent to someone else Update or Introduce new patient request form Be sure to obtain the mailing address of the third party for shipping
Slide 8 Question/Discussion: Providers or plans are required to take steps to verify the identity of the patient or implement safeguards to protect the information in transit? A patient does have the right to ask a provider or plan to send information to them unencrypted?
Slide 9 If the patient opts out of secure transmission/e-mail The covered entity or plan must notify the patient that there is some level of risk that the information in the e-mail could be read by a third party Suggest that you maintain notification with the patient's indication to opt out New form may need to be introduced and location for documentation to be maintained
Slide 10 Fees for all Costs, or State law's per page rate WHICHEVER IS LESS
Slide 11 Question/Discussion: How do you determine cost-based fee for copies of information, covering the cost of both the labor and supplies?
Slide 12 Question/discussion: Can a patient be charged for digital copies of their health data?
Slide 13 Response Time Expectations The final rule shortens the turnaround time for producing records (i) to a patient or (ii) by patient request to be sent to someone else to 60 days. Previously the law allowed a total of 90 days to produce records when a patient requested them 30 days if the records were on-site at the facility, plus 60 days if the record was stored off-site. The new law still allows (no change) 30 days if the records are on-site, but shortens the time for producing records that are off-site to 30 additional days, for a total of 60 days.
Slide 14 ACTION/Discussion: As always with HIPAA, state law governs if it produces a better result for the patient, so be sure you know your state's requirement for producing records. If the state law does not specify such a time period, the default becomes HIPAA rule 30 + 30 standard.
Slide 15 Question/Discussion: Facilities should prioritize all patient requests so that response is not forthcoming before the required 30 day response time? With the Meaningful Use Stage 2 requirements for patient access, does the Omnibus rule become non-relevant on the timeline topic?
Slide 16 Restriction for Out-of-Pocket Payments Covered entity must agree to individual's request to restrict disclosure to health plan For payment or health care operations Unless disclosure is required by law If individual (or third party) pays for item or service out of pocket in full
Slide 17 ACTION/Discussion: How will your facility manage such information, both in its paper form and electronically? Perhaps this provides an opportune time to move to centralized/enterprise focused release of information services.
Slide 18 Health Information of Deceased Individuals Standard 164.502 (f) A covered entity must comply with the requirements of the HIPAA privacy rule with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual
Slide 19 No longer PHI 50 years after death - EXCEPTIONS The Rule does not override or interfere with State or other laws that provide greater protection of such information or the professional responsibilities of mental health or other providers. This is not a record retention requirement... covered entities may choose to destroy decedent information although other applicable law may prescribe or limit such destruction.
Slide 20 Exception Disclosures permitted under other provisions of the Privacy Rule For example: Research.. 45 CFR 164.512 (i) (l) (iii) Uses and disclosures for which an authorization or opportunity to agree or object is not required, without regard to how long the individual has been deceased.
Slide 21 The challenges in interpretation Determining the date of death of an individual One cannot merely assume based on age of the patient's health record Accounting of disclosures remain as long as the records are maintained
Slide 22 Decedent Information to family member or other involved in care Covered entity may disclose PHI to persons involved in decedent's care or payment unless prior expressed preference of the individual is known to the covered entity 164.501 (b) (5) and provided the information released is relevant to such person's involvement
Slide 23 Questions/Discussion: A covered entity may disclose to a close personal friend who was identified by the individual, the protected health information relevant to said person's involvement with the individual's health care or payment related to the individual's health care? A covered entity may not use or disclose protected health information to locate a family member regarding an individual's location?
Slide 24 Questions/Discussion: A covered entity or health care provider could describe the circumstances that led to an individual's passing with the decedent's sister who is asking about her sibling's death? A distant relative calls to inquire about billing information to determine if assistance should be offered to the family?
Slide 25 Questions/Discussion: A decedent's brother is asking about medical history of his brother? May a facility elect not to provide information to a family member even if they present legitimate need for relevant information?
Slide 26 Student Covered entity may release student immunization records to school without authorization If state law requires school to have immunization record (state where school is located) Written or oral agreement (must be documented)
Slide 27 Questions/Discussion: Does the regulation require that verbal consent be documented within the medical record of the child? If a parent emails the practice to release immunization information to the school, will this serve as sufficient documentation? May a parent call the practice to request immunization information be released to a school? Any provision to the above types of requests?
Slide 28 Questions/Discussion: May you release information directly to the school, if the school contacts the covered entity requesting immunization records of a child? May a covered entity continue to disclose protected health information to State immunization registries? If the immunization information is contained on the same form with medical history, may this be released as well?
Slide 29 Disclosure and Sale of PHI New restriction on disclosures that describe item or service when covered entity receives financial remuneration from third party whose item or service is described.
Slide 30 Sale of PHI Covered entities may not receive remuneration in exchange for PHI (45 CFR 164.502 (1)(): (ii) 78 Fed. Reg. 5696-5697) EXCEPTIONS Treatment Payment Public Health Sale of Covered Entity and related due diligence Required by Law
Slide 31 Questions/Discussion: Would research purposes be considered an exception? Would PHI to or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in case of a subcontractor be considered remuneration? What about providing an accounting of disclosures to an individual?
Slide 32 Questions/Discussion: Communication about a product or service and encourage use or purchase? Payment for refill reminders about drug that is currently prescribed with remuneration reasonably related to cost of communication? A covered entity is offered computers for data collection purposes/research, but they are allowed to keep the computers after the research is completed. Is this acceptable?
Slide 33 Types of Cost: May include both direct and indirect costs including: Labor and supplies to ensure the PHI is disclosed in a permissible manner Related capital and overhead costs Excluded are: Fees charged to incur a profit from the disclosure of PHI (profit margin is not allowed via HITECH Act section 13405)
Slide 34 Genetic Information Nondiscrimination Act (GINA) Signed into law in 2008 Employers and Health Insurers can no longer discriminate against individuals based upon their genetic information. Encouraged patients to seek out medical care that is specifically tailored to their genetic makeup
Slide 35 GINA Sets a minimum standard of protection that must be met across the country. It does not weaken the protections by any state law that may be more stringent. The law did not cover life insurance, disability insurance or long-term care insurance.
Slide 36 Genetic Information Clarification that genetic information is health information Health plan (other than long-term care plan) may not use or disclose genetic information for underwriting purposes
Slide 37 Omnibus rule impact to GINA Prohibits use and disclosures of genetic information for underwriting purposes 78 Federal Register 6596-45 CFR 164.502 (a) (5) A health plan, excluding an issuer of a long-term care policy falling within paragraph (1) (viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes.
Slide 38 Omnibus/Gina exceptions As provided in paragraph (a) (5) (i) (B) of section 164.502 Rules for, or determination of, eligibility for, or determination of, benefits under the plan, coverage, or policy.(including deductibles, other cost sharing, risk assessments or participating in a wellness program); The computation of premium or contribution amounts under the plan, coverage, or policy
Slide 39 This prohibition does not limit Ability of a health plan to adjust premiums or contribution amounts Ability of establishing rules for eligibility of an individual to enroll in coverage Ability to adjust premium or contribution amounts for an individual based on the manifestation of a disease or disorder
Slide 40 Example/Question: If a health insurance issuer, with respect to an employer-sponsored group health plan, uses an individual's family medical history or the results of genetic tests maintained in the group health plan's claims experience information to adjust the plan's blended, aggregate premium rate for the upcoming year, is this a violation?
Slide 41 Answer/response YES The issuer would be using protected health information that is genetic information for underwriting purposes in violation of 45 CFR 164.502(1)(5)(i)
Slide 42 Example/Question: A group health plan uses family medical history provided by an individual incidental to the collection of other information on a health risk assessment to grant a premium reduction to the individual. Is this a violation?
Slide 43 Answer/Response Yes The group health plan would be using genetic information for underwriting purposes in violation of 164.502 (1)(5) (i)
Slide 44 Example/Question: A health care provider uses or discloses genetic information as it sees fit for treatment of an individual. Is this a violation?
Slide 45 Answer/Response: NO The prohibition is limited to health plans. A health care provider may use or disclose genetic information.
Slide 46 Example/Question: A Health Maintenance Organization (HMO) acts as both a health plan and health care provider. Is it a violation if they use genetic information?
Slide 47 Answer/Response: NO and YES NO If used for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule YES If using the genetic information for underwriting purposes
Slide 48 Operationally Covered Entities (HMOs) that may also serve as a health plan, and other organizations of this nature, should ensure that appropriate staff members are trained on the permissible and impermissible uses of genetic information Refer to: 78 Federal Register 5666-5667
Slide 49 Questions