HIPAA Omnibus: Consumer Protections
Advocates Say Rule Bolsters Patient Rights
Key provisions they cite include: patients have the right to obtain electronic copies of their records, even if they are stored in multiple systems; business associates and their subcontractors must comply with HIPAA and can face penalties for non-compliance, which can threaten patient privacy (see Breach List: Business Associate Update); and healthcare organizations must obtain patient authorization to use, sell or disclose their health information for marketing communications by third parties.
Mark Savage, senior attorney at Consumers Union, a non-profit consumer advocacy group, says that the provision giving patients rights to obtain electronic copies of their information stored in one or more designated records sets is a boost for consumer rights. "This means patients can obtain data from an electronic health record and beyond," he says. That's important because a complete set of a patient's health information may not be contained in just an electronic health record system, especially if it was rolled out recently or is not integrated with other systems used to capture patient data, he says.
"Patients understandably want a complete set of their information," says Savage. "People move around, they change jobs, they change payers," he says. "There is a basic need for them to have a complete set of their health information," he says.
One hospital technology leader also is pleased by the clarity surrounding patient access to records. John Halamka, MD, the CIO at Beth Israel Deaconess Medical Center in Boston, and a well-known blogger on security and other issues, notes: "In the past, some patients have been told they do not have access to their own records because of HIPAA. The regulations make it very clear that the patient is in control of their own healthcare information."
The omnibus rule's provision clarifying that business associates and their subcontractors must comply with HIPAA will also help bolster data protections for patients, consumer advocates and others say.
"The new penalties and accountability for protecting data will require all subcontractors to improve their processes and procedures to support independent audits of their security practices," Halamka says. "The result will be a stronger ecosystem for storage and exchange of healthcare data."
Savage also is pleased by the new focus on business associates. "Extending this rule for business associates and subcontractors, and making them subject to the privacy rule is a really good thing for patients," he says. "It helps to create a culture of enforcement."
While Deborah Peel, M.D., founder of the advocacy group Patient Privacy Rights, is pleased with the business associate requirements, she sees a number of weaknesses in the rule.
For instance, the rule doesn't require business associates to disclose all their subcontractors to covered entities or patients. "This means there is no transparency or accountability for protected health information downstream, despite the Department of Health and Human Services' attempt to ensure that data protections do not lapse," she contends.
Peel also laments that HIPAA generally does not apply to companies in the financial sector, because, in most cases, banks are not considered business associates. "Banks are not required to comply with HIPAA, despite having PHI [protected health information], including names of your doctors and hospitals written on checks and names of medications on credit card charges," she says.
HIPAA omnibus provisions requiring covered entities to get patient authorization to disclose or sell their information to third parties for marketing are a welcome change, says Christine Bechtel, vice president at National Partnership for Women & Families, a consumer advocacy group.
"We're delighted to have this omnibus final rule because it addresses many issues that patients and families are concerned about," she says. "Gone will be the days of receiving unsolicited paid marketing materials based on patient-specific health data. And now a much broader range of actors will be directly covered by HIPAA. These and the other changes included in the rule are good news for consumers."
Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, another consumer advocacy group, portrays the new marketing restrictions as "a positive development for consumers." She adds: "Under the final rule, patients have to opt in and provide authorization in writing for their PHI to be used for paid marketing."
Disclosures to Insurers
Although another HIPAA omnibus provision allows patients to instruct healthcare providers not to disclose to their health insurer information about treatment paid for in cash, the rule has loopholes that will make implementation difficult, Peel contends.
"HHS did not require segmentation technologies so that PHI can be protected and selectively shared," Peel says. So there's no defined way to ensure that information is protected, she contends.