The September 23, 2013 Omnibus Rule deadline came and went over three years ago, but no worries because many of you have filled in the blanks of your new set of templates and are good to go. Right? Wrong!
First, it is likely that many of you don't understand the templates that you have carefully modified with your organization's "name, rank, and serial number." Second, the vast majority of you probably don't have any organizational processes in place to underpin your policies (i.e., your templates). And finally, almost no one has effective tracking mechanisms in place to track process results. In short, your organization may be a long way from being able to show visible, demonstrable evidence of compliance.
Perhaps if we were still living in the old HIPAA universe where HIPAA was a paper tiger and the dirty little secret in the healthcare industry was that everyone knew it wasn't enforced; perhaps then you would be just fine with a new set of templates. That world was shattered when the HITECH Act was signed into law in February 2009. It completely exploded and became unrecognizable on September 23, 2013. For those of you who are just now joining us, I have a news flash for you: this ain't your daddy's HIPAA anymore!
Of course, you old timers already know that HIPAA 2.0 is "a horse of a different color" and that is why many of you have continued to read these compliance rants over the last six years. So this article will be a short walk down memory lane, and then a discussion about where we are headed.
Going forward we assume that you understand that the status quo will only lead to a finding of willful neglect, and that you want to avoid that at all costs. Therefore, we are going to cover specific topics in detail that help you "jumpstart" a compliance program that has a reasonable chance of succeeding.
Ground Already Covered?
There are many reasons to review our Newsletter Archives but here we will highlight just a few:
- Omnibus Rule articles can be found here, here and here;
- Breach Notification articles can be found here, here, here, and here;
- Business Associate articles can be found here, here, here, here and here;
- Security Rule articles can be found here, here, here and here;
- Privacy Rule articles can be found here, here, and here; and
- Governance and thematic articles can be found here, here, here, here, here, here, here, here, here, and here.
This is not an exhaustive list of articles; we simply wanted to provide a "quick index" if you are trying to get caught up.
Further Down the Road?
Going forward we will focus on a more detailed "bird's-eye" view of the HIPAA regulations as most of you continue to build a good compliance story. We will usually write about topics that our Webinars indicate our audience is struggling with. In this week's article we look at the "out of pocket" restriction that is now mandatory under the Omnibus Rule.
§164.522 Rights to request privacy protection for protected health information.
Section 164.522(a) of the "Privacy Rule's Patient's Bill of Rights" (i.e., sections 164.520 through 164.528) controls a patient's right to ask for restrictions regarding how his or her PHI is to be used and disclosed, the process by which restrictions should be requested, and whether or not a covered entity is required to honor the restriction.
Under the "old HIPAA," a covered entity had to provide a process by which a patient could request a restriction, but was NOT required to honor any such restriction. That remains true under HIPAA 2.0 with one important exception mandated by the HITECH Act and clarified under the Omnibus Rule. That is the so-called "out of pocket paid in full" restriction.
HITECH Act 13405(a) states that if a patient requests a restriction regarding PHI potentially shareable with a health plan AND the patient (or anyone else on behalf of the patient) has "paid in full" for the provider's particular "item or service" then that restriction request must be honored by the covered entity.
The Omnibus Rule also clarified that the covered entity must cooperate with the patient to prevent "downstream covered entities" from providing the PHI to a health plan. The example given in the Omnibus Rule was that if a patient requested a paper prescription, instead of an electronic one, presumably so that the patient could notify the pharmacy of the restriction, then the covered entity had to honor that request. However, the Omnibus Rule also made it clear that the burden was on the patient to notify downstream covered entities and NOT on the covered entity who provided the service.
Just to be clear, if this use case applies and the patient asks for the restriction (e.g. does not want to notify a health plan that they tested positive for HIV) then the covered entity must honor it and modify its systems accordingly. You don't have to be a health information technologist to understand that this type of restriction may have implications for a number of the covered entity's applications and will likely require custom programming, training, and/or a redefined workflow process to implement.
Most covered entities do not have ANY rigorous process in place for dealing with a patient's right to request a restriction, let alone how they will handle this complex issue from both a technology and organizational process perspective. In short, there is still much work to be done in order to comply with HITECH/Omnibus Rule requirements. Just having your "fill in the blanks" policies in place is not only simplistic, it is likely to produce a finding of willful neglect when something inevitably goes wrong (e.g. a breach, a patient complaint, an audit or a lawsuit).