Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

HITECH Update #9: Omnibus Rule Revises Individual Rights to Request Restrictions, Access to Protected Health Information

Posted in Health Privacy, United States

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule implements provisions in the HITECH Act pertaining to two individual rights: an individual’s right to request a restriction on the disclosure of his or her protected health information (“PHI”) and an individual’s right to access his or her PHI.

Right to Restrict Uses and Disclosures of PHI

The current Privacy Rule grants individuals the right to request restrictions on the use or disclosure of their PHI, but covered entities are not required to agree to such restrictions.  The HITECH Act strengthens the right to request restrictions on disclosures by requiring covered entities to accept a restriction on disclosing PHI to a health plan where the disclosure is for payment or health care operations purposes and the PHI “pertains solely to a health care item or service for which the health care provider involved as been paid out of pocket.”  The omnibus rule amends the Privacy Rule to account for this provision.  Under this new requirement, if a patient pays her physician in full for a specific blood test and requests that the physician not disclose PHI that pertains solely to that blood test to the health plan, the physician must agree to this restriction unless the disclosure is otherwise required by law.  In these circumstances, the health care provider also may not disclose the relevant PHI to a business associate of the health plan.  The restriction applies only where the service or item has been paid in full out of pocket; it does not apply to follow-up visits if they are not paid for in full out of pocket.

The Statement of Basis and Purpose discussed more specific applications of the rule and examines various issues, including the following:

  • Recordkeeping.  Health care providers are not required to keep separate records to implement requested restrictions on disclosures, but covered entities will “need to employ some method to flag or make a notation in the record with respect to the” PHI that has been restricted in order to comply with the new requirement.
  • Bundled Services.  A potential complication arises where multiple services are billed as a single item, but the patient requests a restriction on and pays for only a specific procedure or service.  HHS advised that, where possible, health care providers should “unbundle” services and apply the requested restriction to the appropriate item or service. HHS suggested that, if unbundling is not feasible, health care providers should counsel patients accordingly and provide the opportunity to pay for the entire bundle of services.
  • HMOs.  Some state laws prohibit providers participating in HMOs “from accepting payment from an individual above the individual’s cost sharing amount.”  In these cases, providers should determine whether they are permitted to treat the service as out-of-network, in which case payment in full would be legal.  If the provider is permitted to accept payment in full consistent with applicable laws, it should be willing to do so and abide by any restriction accordingly.
  • Downstream Providers.  HHS declined to adopt a proposal that would have required health care providers to notify “downstream providers” (e.g., specialists and pharmacies) of a requested restriction to a health plan.  If HHS had adopted such a provision, a physician would have been required to notify a pharmacy or specialist of any applicable restrictions on disclosing information to the individual’s health plan.  HHS declined to adopt such a requirement because it considered it “unworkable at this point, given the lack of automated technologies to support such a requirement.”  In the absence of such a requirement, HHS encouraged providers to inform patients that it will be the patient’s responsibility to inform these downstream providers.
  • Dishonored Payments.  If an individual pays for services, but the payment is subsequently dishonored, HHS suggests that the provider should make a reasonable effort to obtain payment before billing the health plan.

Right of Access to PHI

The omnibus rule also revises the section of the Privacy Rule pertaining to an individual’s right to access his or her PHI that is maintained in a designated record set.  The HITECH Act establishes that individuals have a right to obtain a copy of their PHI in electronic format where it is maintained in an Electronic Health Record (“EHR”).  In the Statement of Basis and Purpose, HHS expressed concern that applying these requirements only to EHRs and not accounting for other PHI stored electronically could lead to confusion.  Consequently, under the final omnibus rule, individuals have a right to obtain an electronic copy of their PHI if the PHI is “maintained in one or more designated record sets electronically.”

  • File Format.  The current provision outlining an individual’s right to access his or her PHI states that requested PHI must be provided in the form or format requested by the individual if it is readily available.  If the requested format is not readily available, the covered entity must provide a hard copy or make some other agreement with the individual. The omnibus rule establishes that, if electronic PHI is not readily producible in the requested format, the covered entity must provide a copy of the PHI in another “readable electronic form” (e.g., a PDF) rather than a hard copy.
  • Third Parties.  Under the HITECH Act, individuals have the right to instruct covered entities to transmit a copy of their PHI that is maintained in an EHR directly to a designated individual as long as the choice is “clear, conspicuous, and specific.”  The final rule requires covered entities to transmit a copy of PHI to another person if requested by the individual, regardless of whether the PHI is maintained in an EHR.  Such requests must “be in writing, signed by the individual, and clearly identify the designated person and where to send the copy” of the PHI.
  • Fees.  The HITECH Act prohibits covered entities from charging more than their labor costs in responding to a request for a copy of PHI that is maintained in an EHR.  The final rule adds two factors that covered entities may consider in determining a reasonable cost-based fee.  First, covered entities may consider, “labor for copying the [PHI] requested by the individual, whether in paper or electronic form,” which may include skilled technical staff’s efforts to compile, extract, scan and burn electronic PHI onto digital media and distribute that media.  However, HHS clarified that such labor may not include a “retrieval fee” for simply locating the data.  In addition, a reasonable cost may account for “Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media.”
  • Timing.  Under the existing Privacy Rule, covered entities must respond to an individual’s request for access to PHI within 30 days of the individual’s request, unless the PHI is accessible only at an off-site location, in which case the covered entity has 60 days to respond to the request. In addition, the rule provides for a one-time 30-day extension in extenuating circumstances.  The omnibus rule revises the timing requirements to remove the provision that gives covered entities 60 days to respond where the requested PHI is at an off-site facility.  Consequently, covered entities must respond to all requests within 30 days, regardless of where the PHI is stored, unless they are granted the one-time 30-day extension.

Covered entities should, prior to the omnibus rule’s compliance date, ensure that their policies and procedures afford individuals the access and disclosure restriction rights established by the new rule.