It seems that every new iteration of HIPAA expands patients’ rights and privacy protection — and the Omnibus HIPAA Rule is no exception. In the new Rule, HHS gives patients and their rights central priority.

This should not be a surprise, given the federal goals to replace our current physician centered system with one that revolves around the patient.  In this patient-centered model, effective care will be defined by patients,  in consultation with physicians, “meaningfully using” healthcare information  systems.

HHS wants patients to actively participate in their own healthcare.  This is not about asking the orthopedist for a Celebrex prescription; we’re talking about  patients being active participants in their personal care, and making choices among treatment plans based on their individual needs and preferences, in addition to the advice of health professionals. In today’s disease-centered model, physicians make almost all treatment decisions based largely on clinical experience and test data.

Several provisions of the new Rule focus on enhancing security of “protected health information” (PHI), increasing patient privacy, and expanding patients’ access to, and control of, their personal health records. Initially, compliance will create some significant burdens on covered entities and business associates.

Patient Requests

The new Rule requires healthcare providers to provide patients an electronic copy of their health information (PHI) – assuming it is maintained in an electronic record — if requested by the patient or designee.  This clearly follows HITECH’s mandate for Meaningful Use / MIPS of electronic health records.

Healthcare providers also must meet patient requests to not disclose to a health plan (or a health plan’s business associate) any PHI that is related to items or services for which the patient has fully paid out of pocket.

As many electronic systems currently aren’t able to single out areas of a record and restrict access to specific individuals, providers will need to work with their vendors to make necessary systems and procedural changes to comply with patients’ access restriction requests.

Marketing and Sale

The Omnibus Rule requires individual authorizations for any treatment communications if the covered entity (or a business associate) receives any financial remuneration for the subject product or service. The original Privacy Rule required patient authorization to use or disclose PHI for marketing purposes, but excluded such uses and disclosures when they were part of “healthcare operations.”  HHS makes minor exceptions regarding prescriptions. Sale of PHI is prohibited, with limited exceptions, such as public health, research, and treatment and payment purposes.

Fundraising

Some good news for not-for-profits: HHS has expanded the information that organizations may use in fund-raising, to include certain PHI. In the past, covered entities were limited to using demographic and certain insurance data.  HHS has acknowledgied that use of more substantive data could enhance the value of fundraising efforts, but this information is limited to disclosures of the department that served the patient, his or her physician’s identity, and general information about treatment outcomes. The fundraising value is significant: individuals can be targeted because of their experiences in specific clinical situations or departments, and fundraising appeals can be sent in the name of a former patient’s physician.

Patients must be given a “clear and conspicuous” notice of their right to opt out of future fundraising communications, and offer a reasonably convenient way to do so.

Research

The Omnibus Rule now permits researchers to combine conditioned and unconditioned authorizations to use PHI into one form. In the past separate individual authorizations were required for each research project, which created  prohibitive paperwork. Researchers now may combine conditioned and unconditioned authorizations into one form, though they must offer individuals the option to opt in to the unconditioned authorization.

PHI of Decedents

The original Privacy Rule allowed covered entities to disclose information about a deceased person only to his or her personal representative. The Omnibus Rule expands such disclosures to family members and others who were involved in the care or payment for care of the decedent before death — unless the patient had  previously stated otherwise.

The debate on how long covered entities were required to protect deceased individuals’ PHI has been resolved in the new Rule.  HHS has acknowledged permanent protection become impractical over time. The new Rule limits the period PHI must be protected to 50 years, suggesting that this is sufficient to protect the privacy interests of most living relatives.

Immunization Records

The Omnibus Rule makes it easier for schools to receive proof of students’ immunizations. Covered entities now may disclose immunization records of students or prospective students to schools, if required by law. However, they must obtain and document the parent or guardian’s agreement.

Genetic Information

HHS has expanded HIPAA privacy protections to include genetic information within the definition of PHI.  Health plans may not use or disclose genetic information for underwriting purposes.

Notice of Privacy Practices

As a result of various changes in the Rule, covered entities must update and redistribute their Notices of Privacy Practices. Notices should reflect the Rule’s provisions, including but not limited to:

• Certain individual rights regarding uses and disclosures that require authorization, such as marketing, sale of PHI, fundraising, and research
• For providers only, the individual’s right to restrict disclosures to health plans, when he or she has paid out of pocket for an item or service
• An affected individual’s right to be notified of a breach of PHI
• Other uses and disclosures not described in the NPP that require authorization
• For health plans only, the prohibition against considering genetic information in underwriting