HIPAA Omnibus' Trickiest ProvisionMaking Sure Certain Information Doesn't Go to Insurers
As they prepare to meet the Sept. 23 compliance deadline for the HIPAA Omnibus Rule, security leaders at healthcare organizations are finding one requirement particularly challenging.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The rule requires organizations to accommodate patients' requests to not disclose to their health insurer information about a product or service that they paid for out of their own pockets.
Carrying out this requirement could prove difficult, in large part, because many electronic health record, e-prescribing and other information systems lack features that easily allow segments of data to be flagged or withheld from electronic transmission.
For example, while a provider might note in an EHR that a patient doesn't want information disclosed, or indicate in the billing system that a patient paid in full for a service, there's no easy way to ensure that the pharmacy that receives an e-prescription related to the treatment will be made aware - in a timely way - not to bill the patient's health plan for the drug.
"Flagging the billing system not to file the claim is the easy part," says Dena Boggan, HIPAA privacy and security officer at St. Dominic Jackson Memorial Hospital in Jackson, Miss. "Figuring out how to flag the entire record so that no one releases to the health plan information related to the date of service, for which the restriction applies - that will be the problem."
John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston, writes in a blog: "If an inpatient hospitalization is paid in cash, how do we prevent a nurse case manager working for a payer from seeing any data related to that care episode?"
Halamka continues: "Such data segmentation needs metadata around each data element so that data flows can be selectively restricted. [That's] a great goal, but definitely a work in process for which no products, nor standards exist," says Halamka, who is co-chair of the HIT Standards Committee that advises the Office of National Coordinator for Health IT.
As standards for data segmentation evolve, Judi Hofman, privacy and security officer of St. Charles Health System in Bend, Ore., suggests that communication with software vendors is critical.
"If you have an EHR vendor, turn to the vendor and ask what capabilities are available and what's out there to help," Hofman says.
Boggan notes: "I'm sure we'll all be talking to our vendors about this issue, in hopes they can provide a solution that covers all bases before September. If not, we'll have to figure out a way to cover this until the vendors can get this resolved."
Easier Than it Sounds?
Not everyone anticipates that the task of withholding specific information from health plans at the request of patients who are paying cash will prove problematic.
"I don't agree that the 'out of pocket' requests for non-disclosure will be tricky," says Christopher Paidhrin, information security and technology administrator at PeaceHealth, a delivery system in the Pacific Northwest.
"The focus of the non-disclosure is a patient's desire to prevent a payer or health plan from learning of a service, procedure or prescription. The final rule makes it clear that covered entities don't need to craft separate records, redact information, or exercise unreasonable measures to meet the patient's request," he says. "The final rule is explicit in stating that all disclosures required by law supersede the patient's request for non-disclosure."
Nonetheless, the rule states that providers will be held accountable for mess-ups.
"A provider who discloses restricted protected health information to the health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act, which, as with other impermissible disclosures, is subject to the imposition of possible criminal penalties, civil money penalties, or corrective action," the rule states.
To make matters even trickier, the rule also states that a healthcare provider must also keep that restricted health information from being disclosed to a business associate of the health plan. And it's up to the provider to figure out who is a business associate of the insurer.
In the preamble of the HIPAA Omnibus Rule, the Department of Health and Human Services acknowledges the current technological challenges involved in managing patient non-disclosure requests "downstream," and it says the onus is on patients to communicate their restrictions.
"We agree that it would be unworkable at this point, given the lack of automated technologies to support such a requirement, to require healthcare providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan," the rule states. "However, we do encourage providers to counsel patients that they would need to request a restriction and pay out of pocket with other providers for the restriction to apply to the disclosures by such providers."
Help on the Way?
The Department of Veterans Affairs and the Department of Health and Human Services, as well as some private sector organizations, have been working on technological issues that could help healthcare providers eventually manage at least some of the perplexing challenges of the out-of-pocket non-disclosure provision (see: Segmenting EHRs to Protect Privacy).
For instance, data segmentation projects under way at HHS and the VA involve metadata tagging of information in patients' electronic health records to indicate sensitive information - such as substance abuse or mental health treatments - that individuals don't want shared.
Last September, in a demonstration project, the VA and HHS' Substance Abuse and Mental Health Services Administration showed how they could use various standards to securely transmit a mock patient's substance abuse treatment records tagged with privacy metadata from one EHR to a different EHR system after electronically verifying that the mock patient had consented to the transmission. While that demonstration involved "pushing" data, upcoming demonstrations this year will show "pull" scenarios involving tagged data.
"We are working on some technology capabilities this year to [manage] privacy restrictions in a standardized way," says an ONC official, who asked not to be named.
A 2010 report from the President's Council of Advisors on Science and Technology called for adoption of a "universal exchange language" that allows for the transfer of health data while maximizing privacy.
However, ONC pulled back on the notion of including metadata requirements in Stage 2 of the HITECH Act electronic health record incentive program, as PCAST proposed, in response to industry concerns that mandating even limited use of metadata tagging in EHRs was premature (see: Feedback on EHR Metadata: Go Slow).
The VA and SAMHSA demonstration projects use standards supported by the Data Segmentation for Privacy (DS4P) Initiative, the ONC effort that was created in response to the 2010 PCAST report.