ASK THE LEGAL ADVISORY BOARD—How Does HITECH Affect HIPAA?
Question: Recently, the following questions were raised during one of our AAPC chapter meetings:
A patient presents to the office with, for instance, Kaiser insurance, but asks the office not to file the claim to Kaiser. He wants to do self pay at the time of service. Is the provider obligated to file the claim if they are contracted with Kaiser? Does a patient have the right to decide which visits they want to submit to insurance? Is there anything in writing that would explain this in simple terms?
The questions prompted much discussion, with one chapter member responding:
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act Section 13405(a), effective Feb. 17 a covered entity must grant a request for a restriction if:
(1) the disclosure is to a health plan for purposes of either payment or health care operations, and
(2) the personal health information (PHI) pertains to a service for which the patient paid in full, out-of-pocket.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule currently permits an individual to ask a covered entity to restrict the usual manner in which the covered entity makes disclosures for treatment, payment and health care operations. However, the covered entity is not required to agree to the request. HITECH now requires a covered entity to grant an individual’s request not to disclose PHI to a health plan for a health care item or service where the individual has paid in full, out-of-pocket.
If this is true, would the HITECH act override anything in our payer contract? Does the HITECH rule apply to Medicare and/or Medicaid?
Deb Lewis, CPC
President, Pikes Peak AAPC Chapter
Answer: This is an excellent question, and not an uncommon one. These are the assumptions I am drawing from the question:
1. The Kaiser plan is a state regulated commercial insurance plan and the provider is a contracted provider.
2. The provider contract requires the provider to bill covered services on behalf of the beneficiary.
In response to your inquiries, as a general matter:
Is the provider required to bill if the patient asks the provider not to?
Absent an express contractual requirement to the contrary, the answer is no. These provisions in the contract are designed to protection the subscriber/patient. I have never seen a carrier complain that a service was not billed to them as long as the patient was not charged. This provision is raised generally only as a result of complaints by the patient.
Understand that the patient always has the right not to use their insurance benefit. If he or she does not want a covered service billed, he or she can direct the provider not to. Where this occurs, the provider is alleviated from the contractual burden they have to submit covered services on the patient’s behalf. “On the patient’s behalf” implies the patient wants the services billed in the first place.
Does the HITECH Act impact the analysis and effectively trump the contractual provision?
In short: The answer is yes to both counts.
Because billing creates the potential for disclosure of health information and the patient’s autonomy over whom his or her records may be disclosed, directing the provider not to bill where the patient is willing to pay out-of-pocket for the service creates a question as to whether the provider is able to refuse the request and submit the charges anyway. Under the prior HIPAA regulations, I would have advised against it—but it would technically be permissible. HITECH prevents the ability to bill in this circumstance.
The HITECH provision you cite is an interesting one. I have long held the belief under HIPAA that a provider could not disclose records for services not billed to a carrier under a temporary protection order (TPO) request without violating HIPAA. HITECH supports this conclusion, especially where the patient makes a request restricting disclosure. Asking you not to bill could be construed as such a request.
Although HITECH does not address the billing issue directly, the effect of the patient paying for the service out-of-pocket and directing that records not be disclosed would be to prevent you from billing because PHI is disclosed as a result of submitting a claim. If you did bill it, it would be an unauthorized disclosure constituting a breach subjecting the provider to a penalty; which, if recklessness is found, could be quite substantial. As such, you could say that when the patient makes such a request, HITECH trumps your contractual duty to file a claim because you could not do so without violating a federal law. A contractual provision that requires you to violate a law is unenforceable.
The difference between the old regulations and the new one is that, in the past, you could ignore the patient’s request not to file the claim. Under HITECH, you cannot.
My practical advice is: If a patient pays for service and does not want it billed, be sure to have the patient sign a request that information relative to that service not be disclosed. That would absolutely preclude the provider from being able to bill and protect the provider from any allegation regarding provider contract breach for not billing by the patient—although it is not likely that such a complaint would ever be made by the carrier. Just remember, you must flag these records somehow so they are not disclosed to the health plan should the health plan make a request. Be certain also, if sending the records to another provider (which is permissible), to flag the records so the other provider knows that they cannot be sent to the health plan due to patient request. A big red “stamp” on the record would probably suffice.
Finally: Does the HITECH rule apply to Medicare and/or Medicaid?
HITECH applies universally. The carrier that services are being billed to (Medicare, Medicaid, TriCare, state commercial insurance plans, Employee Retirement Income Security Act (ERISA) regulated plans), or the lack of a carrier, has nothing to do with your obligation under HIPAA, as amended by HITECH to protect the integrity of protected health information.
Michael D. Miscoe, JD, CPC, CASCC, CUC, CHCC, is president of Practice Masters, Inc. and the founding partner of Miscoe Health Law, LLC. He is a past member of the AAPC National Advisory Board (NAB) and current member of the Legal Advisory Board (LAB). He is admitted to the Bar in the state of California as well as to the practice of law before the U.S. District Courts in the Southern District of California and the Western District of Pennsylvania. Mr. Miscoe has nearly 20 years of experience in health care coding and over 13 years as a compliance expert testifying in civil and criminal cases.