The Rest of the Story: Other Changes Required by the HIPAA Omnibus Rule
On January 17, 2013, the Department of Health and Human Services (HHS) released its Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, making significant modifications to the Act’s Privacy, Security, Enforcement, and Breach Notification Rules. Troutman Sanders has analyzed these changes to HIPAA and is providing a series of summaries to help our clients understand how these changes will affect them and what they need to do to comply.
This is our fifth e-alert in the series, which highlights several changes in the HIPAA Omnibus Rule, including those to the requirements for communications, authorization and disclosure of data, and individuals’ rights with regard to their own Protected Health Information (PHI). For other e-alerts published by Troutman Sanders on the HIPAA Omnibus Rule, visit our webpage.
In its over 500 pages, the HIPAA Omnibus Rule makes some major changes to several HIPAA Rules by, for example, altering the nature of liability for business associates, changing the definition of “breach” for breach notification, and securing increased penalties for HIPAA violations. Beyond these broad, sweeping changes, the Rule alters other, narrower provisions that will affect the way covered entities send communications, handle individuals’ demands, and make judgments on the use and disclosure of PHI on a day-to-day basis.
Right to Request a Restriction of Uses and Disclosures
The HIPAA Omnibus Rule affirms an individual’s right to restrict the disclosure of his or her information to a health plan where (1) the disclosure is for health care operations or payment and is not otherwise required by law, and (2) the PHI relates solely to a product or service for which the individual or a third party paid in full, out of pocket. Upon such a request, covered entities must comply with the restriction and must not disclose the restricted information to the individual’s health plans. Business associates of a health plan are equally prohibited from receiving the restricted PHI.
The Rule gives covered entities guidance on how to comply with this provision. Covered entities are not required to take the time to separate the restricted records, but HHS does require them to flag or make notes to records to identify restricted PHI. Covered entities should understand how this flag works within their own Electronic Health Records. Additionally, where covered entities cannot “unbundle” their services, covered entities must explain this to the individual, and if there is no way to restrict the PHI for just one service or product, all services or products in the bundle must be restricted. However, HHS emphasizes that it is the mandatory duty of covered entities to unbundle and restrict the PHI where they can.
As a protection for the covered entity, where a payment to the covered entity fails, such as for a bounced check, the covered entity can proceed to contact and disclose all relevant information to the health plan to secure payment, but only after the covered entity tries to remedy the situation with the individual, such as by a phone call seeking an alternative form of payment. Covered entities are also allowed to disregard the restriction where the provider needs to justify follow-up care that was not paid out of pocket.
Access of Individuals to PHI
The Privacy Rule has always emphasized the importance of allowing individuals to have access to their own PHI. The HIPAA Omnibus Rule requires that covered entities provide individuals with a copy of the PHI that is maintained in a designated record set in the form and format requested by the individual, and if that is not possible, to reach an agreement with the individual for the provision of that information electronically. The requested information must be provided within 30 days. Covered entities are, however, allowed one 30-day extension if circumstances warrant a delay.
Individuals may designate third parties to receive their information, and the covered entity is required by the HIPAA Omnibus Rule to send the information to that person upon a signed written request. Covered entities are not required to investigate each request to ensure the third party seeking the records is doing so honestly. The Rule does, however, require the covered entity to have policies and procedures in place to verify the third party’s identity when they request access to the PHI, as well as to protect the PHI as it is shared.
Covered entities may charge fees for their efforts in response to a request for information, but the fee must be based on the actual costs incurred to provide the information. For paper records, the fee can only include the costs of supplies and labor, postage, and preparation of a summary of the contents. For electronic records, the fee can include labor costs, and, where requested by the individual, the costs for the electronic media on which the records are transferred (such as a CD or a USB drive), postage (where the electronic media is mailed), and a summary of the contents. The covered entity cannot allocate computer costs or data storage costs to the fee.
Fundraising
The HIPAA Omnibus Rule changes the requirements for fundraising communications. These changes are both more permissive and more restrictive than the previous standards. The Rule is more permissive in that covered entities have significant flexibility in both how they fundraise and how they offer individuals the opportunity to opt out. A covered entity is allowed to decide what method of opt-out it uses, provided the method is not unduly burdensome or costly and a statement that the individual may opt out is included in the Notice of Privacy Practices (NPP). It may also choose whether it wants the individual to opt out of all fundraising communications or only those directed at a specific fundraising campaign. The Rule is more restrictive in that it absolutely prohibits a covered entity from sending fundraising communications once the individual has opted out of receiving such communications.
The Rule creates new categories of PHI that can be used by covered entities for targeted fundraising communications. These categories include (1) department of service (general department of treatment); (2) treating physician information; and (3) outcome information (including information on death and sub-optimum outcome). These categories join demographic statistics and health insurance status on the list of items the Privacy Rule allows to be used for fundraising. The effect of these new categories is to allow covered entities to use PHI to develop more focused fundraising programs.
Marketing
Marketing communications are those made to entice a recipient to use or purchase a service or product. Historically, HIPAA required an authorization to make marketing communications, with a few exceptions for certain health-related communications.
The HIPAA Omnibus Rule makes changes to this area. If the covered entity is receiving payment from a third party for making the communication, a “subsidized communication,” then the covered entity must obtain authorizations – there are no longer any exceptions in this case. Because an authorization for each “subsidized communication” is now required, covered entities no longer have to include information about these communications in their NPPs. Likewise, covered entities do not have to include information in their NPPs about appointment reminders, treatment alternatives, and other services, which are for treatment and operations.
The authorization is valid where it meets the general requirements for all HIPAA authorizations and tells the individual he or she may revoke the permission at any time. The authorization must also notify the individual that a third party is paying the covered entity to make the communication. Such notice may be either general or situation- or product-specific, but must at least give the individual an idea of the intended purpose of the use or disclosure.
The HIPAA Omnibus Rule contains an exception for refill reminders, adherence reminders, and delivery system instructions. As long as the remuneration received by the covered entity is reasonably related to the cost of making the communication, and the covered entity does not make a profit, such reminders are not considered marketing communications.
Sale of PHI
Pursuant to the HITECH Act, a covered entity cannot “sell” an individual’s PHI without the individual’s authorization. The HIPAA Omnibus Rule clarifies that the “sale of PHI” includes a covered entity or business associate receiving, directly or indirectly, financial or non-financial remuneration in exchange for PHI. Importantly, a change in ownership of the PHI is not required, and a lease, license, or even access might trigger the protections in this provision. While this prohibition seems very broad, there are several exceptions that will protect many legitimate arrangements. For instance, the “sale of PHI” does not include disclosures for public health purposes, treatment, or operations. Perhaps the largest exception is for disclosures by a covered entity or a business associate, in accordance with the Privacy Rule, for a reasonable, cost-based fee.
If a covered entity or business associate will be receiving remuneration in exchange for PHI, they should evaluate the arrangement to ensure it meets an exception. If it does not, then the covered entity will have to secure the individual’s authorization before proceeding.
Decedents, 50-Year Release
While we all expect to have our protected health information kept private, we give little thought to what happens to that PHI after death. The current HIPAA Privacy Rule requires covered entities to continue protecting the privacy of PHI indefinitely after an individual’s death. This has caused hardship for historians and other researchers who cannot access records because of HIPAA protections. The HIPAA Omnibus Rule modifies the requirement so that the privacy protections apply only for 50 years after the date of death. HHS emphasizes that this change does not displace stricter state or other laws, or the professional responsibility of medical providers. Additionally, the change is not a mandate that entities keep their records for that long; HIPAA does not have record retention requirements.
Decedents, Disclosures to a Family Member/Others Involved in Care
Changes to this section of the Privacy Rule arose from the frustrations of family members of decedents who were unable to access information related to the death of their loved one. The HIPAA Omnibus Rule remedies that situation by allowing covered entities to disclose the decedent’s PHI to a family member or other person involved in the decedent’s care or treatment, but only to the extent the PHI is relevant to the role that family member or other person played in the decedent’s treatment. No release is permissible where the individual expressly stated before death that he or she preferred the PHI not be released. Importantly, this is a permission, not a requirement, which means that if the covered entity doubts the identity or explanation of the person seeking the information, it may deny the request.
Student Immunization in Schools
The HIPAA Omnibus Rule adopts a new provision that allows covered entities in states that have compulsory vaccination laws to disclose immunization records to schools without obtaining formal parental authorization. All that is required is that the covered entity obtain permission, which can be oral or written so long as it is documented in the covered entity’s records. This Rule does not change the fact that disclosures to immunization databases are considered public health disclosures, for which no authorization is required.
HHS emphasizes that this part of the Rule does not affect any state laws. If state law requires authorization for this type of disclosure, HIPAA does not preempt that state law.
If you have any questions regarding the changes to these provisions or any other aspect of the HIPAA Omnibus Rule, please do not hesitate to contact any member of Troutman Sanders’ Health Care practice group.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.