The U.S. Department of Health and Human Services (HHS) has issued final rules to:
- Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information;
- Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comments received on the interim final rule;
- Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title 1 of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
- Make other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to improve their workability and effectiveness, and to increase flexibility and decrease burden on regulated entities.
The final rules were published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013. This is the fourth in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
According to the final rules, individuals may request electronic copies of protected health information (PHI) that is maintained in an electronic health record (EHR) or another electronic designated record set. Providers are required to provide an electronic “machine readable copy.” This is digital information stored in a standard format that permits PHI to be processed and analyzed by a computer. Providers have flexibility with regard to the exact format, since systems may vary. Providers must, however, accommodate requests from individuals to receive information in specific formats, if possible.
The final rules also address requests to send information to third parties. When individuals request providers to send PHI directly to another individual, providers must send the information as requested. Requests from individuals must:
- Be in writing and signed by the individuals making requests; and
- Clearly identify persons designated to receive the information and the address to which copies must be sent.
If providers already require requests for access to be in writing, they may rely on that same written request for sending PHI to a designated third party, or they may require a separate written request. Providers need to establish and implement policies and procedures to verify the identity of persons who request PHI, along with safeguards to protect the information that is used or disclosed.
The final rules also make it clear that labor costs for copying PHI, in both paper and electronic form, can be separately identified as part of the fees charged. HHS acknowledges in the final rule that there are labor costs for searching for and retrieving PHI. Providers may also include the costs of paper and any supplies used to provide electronic copies, including CDs or USB flash drives. Providers are also allowed to charge for postage to send portable media at the request of individuals. Fees related to maintaining systems, infrastructure, and storage are not considered reasonable, cost-based fees and cannot be passed along to patients.
The final rules also remove the sixty-day time frame for retrieval of records. When the rules become effective, providers will have thirty days to provide records to individuals in all circumstances. Providers may still utilize one thirty-day extension. States may, however, have more stringent requirements.
© 2013 Elizabeth E. Hogue, Esq. All rights reserved. No portion of this material may be reproduced in any form without the advance written permission of the author.