Among the privacy and security provisions mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act included in the new proposed rules issued last week by the Office of the National Coordinator is a new circumstance under which individuals may request that a HIPAA-covered entity not disclose their personal health information. Under the HIPAA Privacy Rule, individuals already have the right to request that covered entities restrict the use or disclosure of personal health information for purposes including treatment, payment, or health care operations, but covered entities are not required to comply with such requests (45 CFR §164.522). The new provision, contained in §13405(a) of the HITECH Act's Title D, says that covered entities are required to comply with restrictions on disclosures if requested, but this mandatory compliance is only for disclosure to a health care plan for purposes of payment or health care operations, and only applies to health care products or services that the individual has paid for out of pocket. In simplest terms, if you pay for health care services yourself, you can request (and your provider must honor that request) that your provider not share information about those services with a health care plan.
Such a provision seems intended to allow individuals to manage the information about them that health care plans have available, to avoid perceived or actual negative consequences (higher premiums, impact on coverage, etc.) that might result if certain types of treatment were disclosed to those plans. While the recently enacted Affordable Care Act of 2010 will, by 2014, prevent health insurers from denying coverage due to pre-existing conditions, individuals seeking treatment for certain conditions may have concerns about information related to those conditions being used against them in employment or other contexts, or about being forced into high-risk insurance pools with greater costs for coverage. Whether those concerns are valid or not, the new rule regarding restrictions on disclosures to health care plans (which ONC also interprets to apply to business associates of health care plans) clearly provides individuals with discretionary authority to have specific information withheld from health insurers, at least if they have the financial means to pay out of pocket. The existence of this provision in the law also suggests that Congress believes consumers need the ability to withhold certain information from health care plans in order to maintain favorable relationships between insurer and insured. Whereas similar issues about consent and partial vs. full medical record disclosure have been raised in the context of treatment and quality of care, here the logically justifiable complaint from the insurance industry is likely to be that if insurers have incomplete information about the individuals they insure, their risk calculations will be inaccurate — presumably on the low side, since people are more likely to withhold information about conditions associated with higher risks and therefore higher premiums.
Implementing such a provision raises practical challenges for health care providers and, to some extent, for health IT vendors offering electronic health records or other tools to support providers in delivering care. One challenge is recording requests for restrictions on disclosure within medical records to help ensure that such requests are honored. As the ONC Privacy and Security Tiger Team heard during the Consumer Choice Technology Hearing it held on June 29, it is not always a straightforward task to identify all the elements within a health record that may relate to an encounter about which a patient has requested that disclosure be restricted. In particular, not all EHR systems offer the ability to "flag" subsets of a health record with consumer preferences such as consent directives or requests to restrict disclosure. Some health information sharing that occurs to support treatment may result in disclosure contrary to the patient's wishes if information about the disclosure restriction is not communicated to all providers or other parties that might routinely share information with health care plans. ONC uses an example in the Notice of Proposed Rulemaking (pp. 127-128) of a patient who seeks treatment for a condition, pays out of pocket for treatment, and requests that the provider not disclose information about the condition to the patient's health care plan. In this case, if the course of treatment for the condition includes a prescribed medication, there is a risk that the pharmacy, upon receiving the prescription (electronically or on paper), will contact the health care plan seeking payment, unless the provider's transmission of the prescription to the pharmacy includes the restriction on disclosure requested by the patient, and the pharmacy has the processes and mechanisms in place to 1) recognize the restricted disclosure request and 2) honor that request. This scenario presumes that the patient intends to pay out of pocket for the prescription medication too.
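To make the mechanics concrete, here is an added illustration (not from ONC, the NPRM, or any EHR vendor) of how an EHR might tag an encounter with a §13405(a) restriction, filter disclosures by recipient and purpose, and carry the flag along with the e-prescription so the pharmacy can honor it. The record contents, the recipient and purpose labels, and the message layout are assumptions made for this example.

```python
"""Per-encounter disclosure restriction (HITECH §13405(a)) modelled end to end:
patient request -> EHR flag -> disclosure filter -> e-prescription -> pharmacy."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The mandatory restriction covers only disclosures to a health plan (or, per
# ONC's reading, its business associates) for payment or operations, not treatment.
RESTRICTABLE_PURPOSES = {"payment", "operations"}
PLAN_RECIPIENTS = {"health_plan", "plan_business_associate"}

@dataclass
class Encounter:
    encounter_id: str
    condition: str
    self_paid: bool                        # paid out of pocket by the patient
    restrict_plan_disclosure: bool = False # the §13405(a) flag stored in the record
    prescription: Optional[str] = None

def request_restriction(enc: Encounter) -> bool:
    """Record a patient's request not to disclose this encounter to the plan.
    The provider must honor it only when the care was self-paid; for other
    encounters it stays discretionary and this model declines it."""
    enc.restrict_plan_disclosure = enc.self_paid
    return enc.restrict_plan_disclosure

def disclosable(record: List[Encounter], recipient: str, purpose: str) -> List[str]:
    """IDs of encounters that may be released to `recipient` for `purpose`.
    Restricted encounters are withheld from plan-side payment/operations
    requests; treatment sharing with other providers still passes."""
    blocked = recipient in PLAN_RECIPIENTS and purpose in RESTRICTABLE_PURPOSES
    return [e.encounter_id for e in record
            if not (blocked and e.restrict_plan_disclosure)]

def prescription_message(enc: Encounter) -> Dict[str, object]:
    """Outbound e-prescription (assumed layout); the restriction travels with it."""
    return {"encounter_id": enc.encounter_id, "drug": enc.prescription,
            "restrict_plan_disclosure": enc.restrict_plan_disclosure}

def pharmacy_payer(msg: Dict[str, object]) -> str:
    """Pharmacy-side check before seeking payment: a flagged prescription is
    never billed to the plan (the patient pays out of pocket, as in the NPRM example)."""
    return "patient" if msg.get("restrict_plan_disclosure") else "health_plan"

# Constructed sample record, not real patient data.
RECORD = [
    Encounter("E1", "annual physical", self_paid=False),
    Encounter("E2", "counseling", self_paid=True, prescription="DRUG-PLACEHOLDER"),
]

if __name__ == "__main__":
    request_restriction(RECORD[1])
    print(disclosable(RECORD, "health_plan", "payment"))            # only E1
    print(pharmacy_payer(prescription_message(RECORD[1])))          # patient
```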