Health Information Compliance Alert

HIPAA Compliance:

How To Properly Handle Disclosure-Restriction Requests

What’s the true impact of this new patient right?

For a decade now, patients have had the right to request restrictions of disclosures when it comes to their own protected health information (PHI) — and providers have had the discretion as to whether they would honor such requests. But for at least one instance in particular, you no longer have a choice.

Background: Under the HIPAA Omnibus Act, you now must honor virtually all disclosure-restriction requests when a patient wants to pay for services in full and does not want you to disclose the services to her insurer. According to a recent OMW Health Law blog post by Carrie Soli, Seattle-based attorney with Ogden Murphy Wallace Attorneys, you must agree to a patient’s request to restrict disclosure of PHI if:

a) The disclosure is for payment or health care operations and is not otherwise required by law; and

b) The PHI pertains solely to a health care item or service for which the individual or other person on behalf of the patient (other than a health plan) has paid the covered entity in full.

Of course, there is certain information that you must report by law — for instance, if this is a Medicaid or Medicare patient, according to Jim Sheldon-Dean, founder and director of compliance services at Charlotte, VT-based Lewis Creek Systems, LLC. But for the most part, you’ll need to honor requests to restrict disclosures to insurers.

Devise a Plan: Who Needs to Be Involved

Issue: “Operationalizing this new provision may be one of the toughest challenges that providers may face,” noted Bruce Davidson, RN, MS, MM, LNHA, a health care consulting manager with Eide Bailly, in a recent analysis. Read the full analysis at the Eide Bailly website: www.eidebailly.com/industries/health-care/critical-access-hospitals/requesting-a-restriction-of-uses-and-disclosures.

“One of the principal players in this equation, and there are many, is the billing department,” Davidson says. Your IT department also plays a crucial role.

But you also need to think about your internal processes and how information flows through your organization, Davidson explains (see story on page 58 for more information on evaluating internal processes). Think about who in your organization will handle the PHI — from billing to clinicians to office staff. And what about your Business Associates (BAs)?

What Are the Nuts & Bolts Solutions?

The Omnibus final rule doesn’t dictate exactly how you must comply with this provision, nor does it require you to create separate medical records or segregate PHI, Davidson notes. But you do need to come up with a way to “flag” these items and services.

You need to have “some kind of policy and procedure and a process to handle this,” Sheldon-Dean says. And you at least need to have the capability to flag such services in your electronic health record (EHR).

Some organizations use an alternate patient method, “sort of like a shadow patient,” Sheldon-Dean notes. “But I don’t like that way so much because you can lose information connections and you wind up with information that gets lost and disconnected from your patient record.”

Better: But other organizations are creating separate procedure codes for items or services that are “non-billable” to insurers, Sheldon-Dean states. You would create a separate digit in the code that would identify it as something that doesn’t get processed for insurance purposes.

Solve the Bundling Problem

And what about when a patient wants to pay for one service but not others in a group of services that are typically “bundled” in the billing process? Well, if you can “unbundle” the group of services, you should do so, Davidson says. Of course, you should first counsel the patient on the impact of unbundling.

“For example, even if an item or service is unbundled, providers should warn the patient that it is possible that the context may allow the health plan to determine the service performed and that unbundling the service may cost the patient more,” Soli explains.

“If a provider is not able to unbundle a group of items or services, the provider should inform the individual and give the individual the opportunity to restrict and pay out-of-pocket for the entire bundle of items or services,” Davidson advises.

Don’t Fret Over ‘Downstream’ Effects (Or Should You?)

But what about the pass-through effects of restricting disclosures to insurers? For example, Sheldon-Dean explains, what happens if a patient wants to get a prescription related to the service that she’s paying out-of-pocket for and you send the prescription off to the pharmacy, which fills the prescription and sends the claim on to the insurance company?

“And now, the insurance company knows about it, which is what [the patient] didn’t want to have happen,” Sheldon-Dean points out. Fortunately, the Omnibus rule’s preamble makes clear that you’re not responsible for everything that happens downstream.

Keep in mind: “HHS fell short of requiring providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan,” Soli notes. “However, it encouraged providers to counsel patients that it is the patient’s obligation to request a restriction and to pay out-of-pocket with other providers in order for the restriction to apply to the disclosures by such providers.”

So in the example above, instead of just shrugging your shoulders and deciding that what the pharmacy does isn’t your problem, you need to make an effort to inform the patient of what could happen downstream. Perhaps you could suggest to the patient that you write a paper prescription to make sure the pharmacy doesn’t process it electronically and automatically send it off to the insurer, Sheldon-Dean recommends.

Don’t forget: Remember to update your BA Agreement and your Notice of Privacy Practices to reflect this new patient right to restrict insurer disclosures of PHI relating to services paid out-of-pocket.