HITECH in a Nutshell

HIPAA Privacy Rules grant individuals the right to request additional restrictions on the uses and disclosures of their protected health information (PHI). Until Feb. 17, it was entirely at the discretion of the health care provider whether to grant this request. This is no longer the case.
The HITECH Act, part of the American Reinvestment and Recovery Act (ARRA) passed in February 2009, implemented funding for development of electronic record systems and added new breach notification requirements to HIPAA, triggering a wealth of discussion in the health care community. In a more subtle development, the act also restricted covered entity’s discretion related to the granting of patients requests for additional restrictions.
If an individual requests that a covered entity restrict disclosures to a health plan for purposes of payment or health care operations, the covered entity must grant the request if the individual pays for the item or service out-of-pocket, in full. This requirement does not apply to disclosures for treatment.
Consider the following example:
Patient Jane Smith has been a patient of your organization for a number of years. Her visits have always been covered by her private insurance. Jane was seen in the clinic on Feb. 20, March 1, and March 15. Without providing explanation, Jane requested that the clinic refrain from submitting any information regarding the March 1 visit to her insurance company for payment or health care operations. She paid in full for the visit. At the March 15 visit, the physician referred Jane to a specialist and requested records transferred. In May, the clinic receives a request from the insurance company for records on all visits for Jane in February and March for a utilization review.
Jane’s March 1 visit is a part of the medical record for your organization. Because of her request, a claim cannot be submitted to her insurance company for the March 1 visit. The medical record documentation for the March 1 visit can be included in the disclosure to the specialist, but not to the insurance company.
The new restriction of provider discretion requires covered entities to implement policies and procedures to ensure compliance. Procedures need to be created to identify these requests and ensure the information is available to your billing and medical records staff. These policies and procedures include:

• Revision of the policy and procedure for patients to request additional restrictions to incorporate the new language, and clearly providing that requests will be granted in these situations.
• Steps to ensure a request to restrict disclosure to the insurance company is forwarded in a timely manner to the billing office, so charges are entered appropriately and no claim is submitted to the insurance company.
• A notification procedure to alert workforce members that a particular visit or service cannot be disclosed to the health insurer if a later request is made related to health care operations.

When policies and procedures have been developed or revised, it is imperative they be communicated adequately to the staff. After a request for additional restrictions on disclosures has been granted, a failure to comply with the request is an unauthorized disclosure and violation of the Privacy Rules, and potentially is subject to penalties. Further, as an unauthorized disclosure, the inadvertent response to a request for records by a workforce member who is not aware of the restriction may amount to a breach, triggering the notification requirements.
As in all areas of HIPAA, the best approach is a proactive one. Implementing policies, procedures, and workforce education is the only way to identify these requests properly, and to prepare staff for the interruption of their normal workflow.
Stacy N. Harper, JD, MHSA, CPC, is an attorney with Forbes Law Group, LLC in Overland Park, Kan. Ms. Harper’s practice focuses on assisting health care providers with regulatory compliance and reimbursement issues.