Home Health & Hospice Week

What’s the true impact of this new patient right under HIPAA?

For a decade now, patients have had the right to request restrictions of disclosures when it comes to their own protected health information (PHI) — and providers have had the discretion as to whether they would honor such requests. But for at least one instance in particular, you no longer have a choice.

Background: Under HIPAA Omnibus Act provisions that became effective in September, you now must honor virtually all disclosure-restriction requests when a patient wants to pay for services in full and does not want you to disclose the services to her insurer. According to a recent OMW Health Law blog post by Carrie Soli, Seattle-based attorney with Ogden Murphy Wallace Attorneys, you must agree to a patient’s request to restrict disclosure of PHI when:

a) The disclosure is for payment or health care operations and is not otherwise required by law; and

b) The PHI pertains solely to a health care item or service for which the individual or other person on behalf of the patient (other than a health plan) has paid the covered entity in full.

Of course, there is certain information that you must report by law — for instance, if this is a Medicaid or Medicare patient, according to Jim Sheldon-Dean, founder and director of compliance services at Charlotte, Vt.-based Lewis Creek Systems. But for the most part, you’ll need to honor requests to restrict disclosures to insurers.

Devise a Plan: Who Needs To Be Involved

Issue: "Operationalizing this new provision may be one of the toughest challenges that providers may face," notes Bruce Davidson, a health care consulting manager with Eide Bailly, in a recent analysis. "One of the principal players in this equation, and there are many, is the billing department," Davidson says. Your IT department also plays a crucial role.

But you also need to think about your internal processes and how information flows through your organization, Davidson explains. Think about who in your organization will handle the PHI — from billing to clinicians to office staff. And what about your Business Associates (BAs)?

What Are The Nuts & Bolts Solutions?

The Omnibus final rule doesn’t dictate exactly how you must comply with this provision, nor does it require you to create separate medical records or segregate PHI, Davidson notes. But you do need to come up with a way to "flag" these items and services.

You need to have "some kind of policy and procedure and a process to handle this," Sheldon-Dean says. And you at least need to have the capability to flag such services in your electronic health record (EHR).

Some organizations use an alternate patient method, "sort of like a shadow patient," Sheldon-Dean notes. "But I don’t like that way so much because you can lose information connections and you wind up with information that gets lost and disconnected from your patient record."

Better: But other organizations are creating separate procedure codes for items or services that are "non-billable" to insurers, Sheldon-Dean states. You would create a separate digit in the code that would identify it as something that doesn’t get processed for insurance purposes.

Solve the Bundling Problem

And what about when a patient wants to pay for one service but not others in a group of services that are typically "bundled" in the billing process? Well, if you can "unbundle" the group of services, you should do so, Davidson says. Of course, you should first counsel the patient on the impact of unbundling.

"For example, even if an item or service is unbundled, providers should warn the patient that it is possible that the context may allow the health plan to determine the service performed and that unbundling the service may cost the patient more," Soli explains.

"If a provider is not able to unbundle a group of items or services, the provider should inform the individual and give the individual the opportunity to restrict and pay out-of-pocket for the entire bundle of items or services," Davidson advises.

Don’t Fret Over ‘Downstream’ Effects (Or Should You?)

But what about the pass-through effects of restricting disclosures to insurers? For example, what happens if a patient wants to get medical equipment related to the service that she’s paying out-of-pocket for and the supplier sends the claim on to the insurance company?

"And now, the insurance company knows about it, which is what [the patient] didn’t want to have happen," Sheldon-Dean points out. Fortunate-ly, the Omnibus rule’s preamble makes clear that you’re not responsible for everything that happens downstream.

Keep in mind: The Department of Health and Human Services "fell short of requiring providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan," Soli notes. "However it encouraged providers to counsel patients that it is the patient’s obligation to request a restriction and to pay out-of-pocket with other providers in order for the restriction to apply to the disclosures by such providers."

So in that scenario, instead of just shrugging your shoulders and deciding that what the supplier does isn’t your problem, you need to make an effort to inform the patient of what could happen downstream.

Don’t forget: Remember to update your BA Agreement and your Notice of Privacy Practices to reflect this new patient right to restrict insurer disclosures of PHI relating to services paid out-of-pocket.

Note: Read the full analysis at the Eide Bailly website: www.eidebailly.com/industries/health-care/critical-access-hospitals/requesting-a-restriction-of-uses-and-disclosures.