Major Changes to HIPAA Laws Take Effect Feb. 18
Next week marks the deadline for health care covered entities and business associates to comply with several privacy law requirements implemented by the 2009 Health Information Technology for Economic and Clinical Health Act (a.k.a. HITECH Act). Specifically, under the language of the Act, the following must be satisfied by February 18, 2010:
- Business Associate Agreements. Previously, business associates were required to comply with HIPAA-related privacy laws through a contract with a covered entity, but were not directly responsible for HIPAA compliance. Now, business associates are bound by the HIPAA laws, and must have policies and procedures documenting the same. Specifically, any business associate who performs work on behalf of a covered entity with respect to the entity’s “covered functions” must amend its business associate agreements to add language stating that the business associate must comply with the HIPAA rules (including breach notification requirements) and include details on how the business associate will store and safeguard PHI.
- Minimum necessary rule. Covered entities are now required to use or disclose only the “minimum necessary” amount of PHI required to complete a covered function. While HHS has yet to issue guidance on the definition of “minimum necessary” (such details are expected to be released in August of 2010), effective February 18 covered entities are to use a “limited data set” or the least amount of PHI necessary to accomplish the intended purpose.
- Request for restrictions. Currently, covered entities must allow individuals to request restrictions on how their PHI may be disclosed, but are not required to honor such requests. For example, a patient who pays out-of-pocket can request that his health care provider not disclose information about his medical condition or treatment to his employer/insurer. Under the old privacy laws, a covered entity was required to accept the patient’s request but did not have to act upon it. Effective February 18, however, covered entities must honor requests not to disclose PHI (for purposes of payment or health care operations only) if the patient pays the entire cost of treatment out-of-pocket.
- Access to Electronic Health Records. Effective February 18, 2010, covered entities who use electronic health records must provide patients with a copy upon request (note that covered entities can charge a reasonable fee for complying with the request, such as copy/labor costs).
- Marketing/fundraising communications. Currently, covered entities may not engage in marketing activities that use a patient’s PHI without authorization. However, an exception exists whereby covered entities and their business associates can encourage patients to purchase or use a healthcare-related product or service without authorization. For example, a cardiologist can send materials to his patients encouraging them to use a certain cholesterol-reducing drug. This exception applies even if the covered entity is paid by a third party (i.e. the drug manufacturer) to engage in such marketing. Under HITECH, such activities are still permitted, but with additional limitations. Specifically, the marketing communications must: 1) describe a health care-related product or service that is provided by or included in the plan of benefits of the covered entity making the communication (i.e., an insurance company cannot market a drug that is not covered); 2) relate to the treatment of the individual; and 3) relate either to the case management or care coordination for the individual or to the recommendation of alternate treatments or providers. Additionally, covered entities can continue to receive payments in exchange for these communications, but the communications must relate to a drug that the patient is currently prescribed and the payment must be reasonable.
For additional information on the HITECH requirements and how to comply, providers should contact an experienced health care attorney.