The U.S. Department of Health and Human Services wants to let patients hide some medical care from their health plans by paying for the care out of pocket.
HHS has included provisions for helping patients keep treatment secrets from health plans in a notice of proposed rulemaking that is set to appear in the Federal Register July 14.
The proposed regulations would update the health data security and health information provisions in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to reflect statutory changes made by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Congress passed the HITECH Act in an effort to encourage the widespread adoption of electronic health records and other health information technology, in part by easing health information privacy concerns.
HHS officials last updated HIPAA privacy rules in 2002 and HIPAA data security rules in 2003, and the proposed regulations include a variety of technical changes and general updates as well as changes related to the HITECH Act, officials write in a preamble to the proposed regulations.
The proposed regulations will affect health insurers, health plans, health plan administrators and many other types of related entities as well as to physicians, hospitals and clinics, officials say.
Some of the proposed regulations have to do with definitions and procedures.
HHS officials now want to clarify the definition of “marketing,” for example. Officials want nonprofit health care providers to warn patients and give patients a chance to opt out before sending them fundraising appeals. HHS also would treat a move by a mammography equipment manufacturer to pay for a hospital to let patients know about the arrival of a new mammography machine as marketing. But a nonprofit group could help a hospital tell patients about the arrival of new mammography equipment without that being treated as marketing, officials say.
HHS officials intend to exclude prescription refill reminders from the definition of marketing; make sure that the definition of systems for storing health data includes employer intranets and will continue to work even if the term “electronic media” becomes obsolete; and implement a HITECH provision that would replace the current one-level violator culpability standard with a four-level standard. The lowest-level violators would be those that fail to try hard enough to understand and follow the rules; the highest-level violators would be those that are guilty of “willful neglect” and do not bother to correct their neglect within a reasonable time period.
HHS officials will be trying to add a new paragraph to the HIPAA privacy rules that would “require a covered entity, upon request from an individual, to agree to a restriction on the disclosure of protected health information to a health plan if: (A) the disclosure is for the purposes of carrying out payment or healthcare operations and is not otherwise required by law; and (B) the protected health information pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full.”
If, for example, a patient received care for asthma and for diabetes from the same physicians and paid for the diabetes-related care out of pocket, the patient could keep the physicians from telling the health plan about the diabetes, officials say.
The health care provider or other covered entity could still contact the health plan if the patient did not really pay the full out-of-pocket costs for the care. If, for example, a patient’s check bounced, a provider could contact the health plan for payment, officials say.