The Omnibus rule, also known as the “Final” rule changed HIPAA in many ways. It gave HIPAA teeth and included business associates as being liable under the HIPAA rules. I thought most medical providers had been made aware of the many changes, but it has come to my attention that many are not.
This article we will discuss one of the confusing segments of the Omnibus rule, which is the restriction on disclosures for payments out of pocket by a patient.
Under the Omnibus rule, individuals have the right to obtain restrictions on the disclosure of their protected health information (PHI) in electronic or any other form to a health plan for payment or healthcare operations for specific items and services that the individual has paid out of pocket and in full. Such requests for restrictions must be granted by the practice unless disclosure is “required by law.” More on this later in this article.
Medical practices should consider various methods for segmenting restricted PHI such as “flags,” subfolders within the chart, special notations in the record, or other ways to ensure the restricted PHI is not inadvertently disclosed to the health plan in the event of an audit.
Under the HIPAA Omnibus Rule, providers must ensure that patients are notified of this right in their notice of privacy practices. There are other rights under the Omnibus rule that also must be included, but we are not covering that in this article. Notice of Privacy Practices must be placed in a prominent and accessible location (check in/out window or waiting room) and posted to the practice’s website if they have one.
More about the restriction requirements…
HHS states that the provider should notify downstream providers of the fact that an individual has requested a restriction to a health plan. However, some practices utilize forms that state that this restriction is for this date of service, for this specific appointment, you cannot guarantee others will abide by this restriction and that they should contact the other providers.
Here is one example, a patient that is meeting with their primary physician and requests a restriction on tests that will determine if they have a heart condition. If the primary physician refers the patient to a cardiologist, it is the patient’s responsibility to request a restriction from the cardiologist, if they wish to pay out of pocket. Although the primary physician would not be required to alert the cardiologist of the patient’s potential request to a restriction, it is recommended to do so if possible. Another option would be to advise the patient to ensure that they are aware that it is the patient’s obligation to request restrictions from subsequent providers.
With technology that has progressed, the patient requests for other restrictions should be reviewed to see if it is available within the EHR.
Restrictions and follow-up care…
If a patient has a restriction in place for a health care service but does not pay out of pocket and requests a restriction with regard to the follow-up treatment, and the provider needs to include information that was previously restricted in the bill to the health plan in order to have the service deemed medically necessary or appropriate, then the provider is permitted to disclose such information so long as doing so is consistent with the provider’s minimum necessary policies and procedures. We also clarify that such a disclosure would continue to be permitted for payment purposes and would not require the individual’s written authorization. However, it is encouraged to discuss this with the patient to ensure that they are aware that previously restricted protected health information may be disclosed to the health plan unless they request an additional restriction and pay out of pocket for the follow-up care.
A patient may use their FSA or HSA to pay for the health care items or services that they request to have restricted from another plan. However, the patient may not restrict a disclosure to the FSA or HAS necessary to carry out that payment.
Under Medicare rules, medical practices are required to produce medical records if audited. This is a condition for participation in Medicare and practices are subject to the mandatory claim submission provisions of the Social Security Act (which requires that if a physician attempts to charge a patient any remuneration for a service that is covered by Medicare, then the physician or supplier must submit a claim to Medicare). The Omnibus Final Rule states that there is an exception to the requirement when the patient (or the patient’s legal representative) refuses of their own free will to authorize the submission of a bill to Medicare. In these such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out-of-pocket payment for the service from the patient. The limits on what the provider may collect from the patient continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare.Thenthe provider must restrict the disclosure of protected health information regarding the service to Medicare.
Medical providers will need to discuss the provider’s ability to unbundle items or services and the impact of doing so since the health plan may still be able to determine the restricted item or service. If the medical provider is able to unbundle the items or services, they should do so. If the provider is not able to unbundle the group of items or services, they should inform the patient and give them the opportunity to pay out of pocket for the entire group and be able to restrict the disclosure.
Although HIPAA does not require a patient to complete a restriction form, it is recommended to utilize a Do-Not-File-Insurance or Self-Pay form. This will inform patients of their rights and responsibilities and remind staff of this restriction. This form also would notify the patient that the medical practice will ensure that the information is not inadvertently disclosed to a health plan for payment or other health care operations purposes, such as audits by the health plan, unless the disclosure is required by law.
Medical practices may also consider including in the form that the restriction is void if payment for the services is not received in full or if the payment is dishonored due to an invalid credit card or check. It is recommended in these cases to reach out to the patient directly to seek payment before disclosing the information. If payment in full is not received, the practice is not required to abide by this disclosure restriction request and may file a claim with the patient’s health plan.
Impermissible disclosure consequences…
A practice who discloses restricted protected health information to the health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act, which, as with other impermissible disclosures is subject to possible criminal penalties, civil monetary penalties, or corrective action.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”