Friday, February 1, 2013

Cash is King, HIPAA’s 2013 Changes

HHS (Health and Human Services) announced on January 17, 2013, “New Rule Protects Patient Privacy, Secures Health Information.” The full text of the new rule (effective March 2013, with a 180-day grace period after the effective date) appears in the “Federal Register.” Links on the HHS website go to the actual text of the rule.

Before you run out and pay cash to avoid insurance company knowledge of your health conditions, please read what you might or might NOT get for your money when the rules go into effect. My commentary is based on the reading of these new rules. Text is cited where appropriate.

There are four new rules, but here I address what I call the Cash is King Provision and what the new rules call, “Right to Request a Restriction of Uses and Disclosures.”

This right requires A) that a request be made AND B) that the protected health information pertains to a health care item or service for which the individual (or someone on behalf of the individual other than a health insurance plan) has paid in full.

Your NPP: When you visit a healthcare provider you will receive your NPP, notice of patient privacy. In that document, providers will inform you of the new rules and such documents will include the provider’s own variation on the rules. These NPPs will vary from provider to provider depending on the health care services received AND depending on whether a provider chooses to provide greater privacy protections than the basics required by the rules.

Read the fine print in your NPP. Paying cash does NOT mean that the provisions of NPPs will be uniform; entities and business associates are provided with “flexibility and discretion to determine how to draft and prepare their NPPs.” READ THEM CAREFULLY.


Ask and you shall receive: The increased level of privacy must be REQUESTED by YOU before you receive services. You must be willing to pay cash (or someone else besides an insurance plan must agree to pay cash) for services in order to make the request. Simply paying cash will not get you more privacy without your request.

The new rule summary emphasizes that, “When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.”

Request and Request Again: You must REQUEST the restriction of disclosure. If you get a referral to “downstream” providers, such as other physicians or entities like pharmacies, you must also inform them of your desire for restriction of disclosure. Your physician may help but is not liable for a failure to inform a downstream provider.

Electronic Health Records and Your Election of Restriction of Disclosures: While healthcare providers don’t have to design a separate system for handling the paid-for privacy, your health records MUST indicate that you’ve made the election for increased privacy by paying cash through some notation on your file.

What’s Good for the Goose is not Good for the Gander: While health care provider responsibilities in terms of notifying HHS and patients are expanded by removing a judgment call as to whether “harm” occurred from breaches of privacy, the protection is still pretty bad for individuals because serious liability hinges on WILLFUL breach rather than the sloppy neglect that typifies most breaches.

So, entities and business associates can argue the reasonableness of their approaches and their best intentions when it comes to the rules and avoiding serious negative consequences. On the other hand, individuals who want to use the same claim that they “meant to” notify all providers about their requests won’t have a leg to stand on. You must make SURE your documentation covers every aspect of the restriction you believe you’re getting by paying cash.

HHS Giveth, HHS Taketh Away: Paying cash will not protect the disclosure of your health information in MANY circumstances:

First, you cannot pay for privacy of health information that is required to be disclosed under other laws. For instance, your request for restriction will not protect disclosure of your personal health information in the case of requirements proposed for expanding reporting and background checks for guns, subpoenas or other court proceedings, and cases where public health interests of government require reporting.

Second, you cannot restrict the use of genetic testing information for long-term care contracts where your premiums might be higher based on such testing. The rules make clear that for health insurance, not long-term care, GINA (Genetic Information Nondiscrimination Act) prohibits adding costs to you based on genetic testing.

Third, you cannot pay your health care provider with a check that bounces because they’ll likely go to your insurer for payment.

Fourth, you, the patient, can request restriction for each item or service, but where items are bundled, providers can note that they will not unbundle services and items, so your election is all or nothing. In the case of bundled services, therefore, you’ll have to choose to restrict everything done in a specific office visit or none of it. This will greatly impact the amount of money you’ll have to pay in order to purchase privacy.

Fifth: If you decide to pay cash for services, you cannot use those amounts as part of your out-of-pocket or deductible expenses for meeting thresholds to obtain insurance coverage from your health insurance company.

Sixth: Remedies for individuals whose personal health records are breached are NOT helped by the rules. Such remedies still require you to hire a lawyer and prove damages from the breach.

Seventh: If you have an HSA (health savings account) that has specific rules in terms of submitting information in order to use the funds, you will still be required to comply with those rules before using the funds, so paying cash will not provide you with privacy rights in terms of using your HSA funds.

The takeaway for me…It’s obviously up to you whether you choose to pay for privacy.

Essentially the rules seem to be intended to expand responsibilities for maintaining patient privacy to specific entities and business associates who might have contact with personal health information. The rules also address genetic testing information which cannot be used by insurance companies for establishing premiums (GINA, Genetic Information Nondiscrimination Act).

The provisions will apply to contractors and subcontractors as well as PSOs (Patient Safety Organizations) that receive reports and concerns to use for analysis of data. “Health Information Organization” is specifically left undefined, which is intended to provide flexibility in terms of the types of business or individuals who must comply with the rule.

As far as paying for privacy, I believe that you must decide whether it’s worth it to you based on the limitations of the increased privacy you can purchase.

If you decide to pay cash for specific services, do it thoroughly to make sure you really get the benefit of paying cash for privacy, especially in terms of notifying all health care participants with access to your personal health information.

You should always pay by check or get a receipt for the amount billed and the amounts paid and keep that for your records.

You should always make sure that the privacy you paid for is reflected in the provider’s records.

If you believe that providers are charging you more because of your choice to elect restriction of disclosure, you should let them know and let appropriate government and professional agencies know that you believe you’re being price-gouged.