New HIPAA health records rules: 4 things agents have to know

A new batch of Obama administration guidance could have a direct effect on any individual insurance clients who send health records to insurers, and on any employer clients with plans that that hold sensitive employee health information.

The Office for Civil Rights (OCR), an arm of the U.S. Department of Health and Human Services (HHS), has kicked off what likely will be years of legal disputes by posting a document showing how HHS believes the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to consumers' requests for medical records.

The guidance will govern any requests for personal health information from "covered entities." The term "covered entities" includes health care providers and health plans.

But the term could affect agents and brokers who have nothing to do with major medical coverage because, for HIPAA privacy purposes, "health plan" includes almost any plan that covers health-related risk, including issuers of dental insurance, disability insurance, critical illness insurance, Medicare supplement insurance and long-term care insurance.

In the guidance, OCR officials assume consumers will be asking the providers and plans for the information, but the standards still apply if the covered entities have parked the requested information with plan administrators, recordkeeping companies, or your agency and insurance brokerage firm.

OCR officials say consumers should be able to get:

Copies of most personal health information within 60 days.
Most of the records they're seeking in a convenient electronic format.
Any records health plans are using in claim determination decisions, such as decisions about whether a health plan will cover inpatient care for depression or anorexia, or whether a group disability plan will cover a claim for fibromyalgia.

HHS has been working on implementing the HIPAA privacy regulations since 2001.

For a look at some other provisions in the guidance that appear to be of interest to members of the insurance community, read on.

1. The rules on time limits have some give.

The HIPAA Privacy Rule gives covered entities 30 days to offer individuals access to the records quested.

An entity can get a 30-day extension by informing the requester in writing about the reason for the delay, OCR officials say.

"Only one extension is permitted per access request," officials say.

2. The record cost and format rules look vague.

Officials say covered entities cannot charge people asking for personal health information for the cost of searching for the information, retrieving it, storing it or maintaining the data systems.

But an entity can charge the recipient for time spent on copying the information; the paper or electronic media used to create the copies; postage; and the time spent on preparing explanations or summaries of the information.

Similarly, even though OCR officials seem to give consumers the ability to ask for information to be provided in the preferred electronic format, there are no clear standards set.

Covered entities may be able to meet the requirements in the guidance by providing copies in some electronic format that's easy for them to handle, or by providing photocopies of paper records.

3. The guidance is not kind to the disorganized.

HHS itself has repeatedly refused, over the course of years, to respond to requests from members of Congress for information about the operations of Patient Protection and Affordable Care Act (PPACA) programs.

HHS officials appear to be basing their decisions not to provide information on the idea that members of Congress are harassing them, or that the information is hard to get.

OCR officials have not provided any relief in their guidance for covered entities that have lost records, or are having a hard time finding records within the 60-day time limit.

Officials note, in an answer to questions that might be asked about the guidance, that individuals have a right to access personal health information that is "very old" or is archived, as well as for more recent information.

The grounds for denying access to the records "do not include the age or location of the information," officials say.

One thing is on one side of a fence; everything else is on the other side

4. The "right of access" has some exceptions.

The right of access requirement excludes psychotherapy notes and "information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative action or proceeding," OCR officials say.

A covered entity can also deny:

Some requests for copies from correctional institution inmates.
Requests about records that are part of a research study that's still in progress.
Requests for some records affected by statutory privacy exceptions, such as records held by some federal agencies.
Requests for access to information that is "reasonably likely" to endanger or cause substantial harm to people.