The HITECH section of the American Recovery and Reinvestment Act (ARRA) added privacy and security requirements that providers of health care services must follow in handling the Protected Health Information (PHI) of those they treat, over and above those provided for in HIPAA. HIPAA allowed PHI to be exchanged for treatment and operations without patient consent as long as patients were so notified in the organization’s Statement of Privacy Practices.
HITECH provides for stronger controls. It requires that the provider be able to inform the patient (upon the patient’s request for the information) about all the times that PHI has been released by the organization (disclosures), to whom it was released, and the purpose of the release. This includes release of information for operations and billing. If you send claims to an insurance carrier via a clearinghouse, you would need to be able to document every time a claim was sent and that it went to both the clearinghouse and the insurance company. If you send it to the payer directly on their web site, you would still need to be able to document every time you did that.
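To make the record-keeping this implies concrete, here is an added example (not from the original post) of a minimal disclosure-accounting log: each release of PHI is recorded with the recipient, purpose and time, a claim routed through a clearinghouse is recorded as two disclosures, and entries are hash-chained so a deleted or altered entry is detectable. The class and field names, the organization names and the sample entries are all constructed for illustration.

```python
"""Added example: a tamper-evident accounting-of-disclosures log.
Names, fields and sample data are constructed, not from any product or the post."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_at: str   # ISO-8601 UTC timestamp
    recipient: str      # organization that received the PHI
    purpose: str        # "treatment", "payment", "operations", ...
    description: str    # what was sent; never the PHI content itself
    prev_hash: str      # hash of the previous entry (chain link)

    def entry_hash(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class DisclosureLog:
    def __init__(self):
        self._entries: list[Disclosure] = []

    def record(self, patient_id, recipient, purpose, description, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self._entries[-1].entry_hash() if self._entries else GENESIS
        entry = Disclosure(patient_id, when.isoformat(), recipient,
                           purpose, description, prev)
        self._entries.append(entry)
        return entry

    def record_claim(self, patient_id, payer, clearinghouse=None,
                     when=None, claim_ref="claim"):
        """A claim sent via a clearinghouse is two disclosures (clearinghouse,
        then payer); a claim sent directly on the payer's site is one."""
        hops = []
        if clearinghouse:
            hops.append(self.record(patient_id, clearinghouse, "payment",
                                    f"{claim_ref} routed via clearinghouse", when))
        hops.append(self.record(patient_id, payer, "payment",
                                f"{claim_ref} submitted to payer", when))
        return hops

    def accounting_for(self, patient_id):
        """What the patient is entitled to ask for: every disclosure about them."""
        return [e for e in self._entries if e.patient_id == patient_id]

    def verify_chain(self) -> bool:
        """False if any entry was altered or removed after later entries were added."""
        expected = GENESIS
        for e in self._entries:
            if e.prev_hash != expected:
                return False
            expected = e.entry_hash()
        return True


def demo():
    """Constructed sample: one lab order, one claim via a clearinghouse,
    one claim sent directly to the payer."""
    log = DisclosureLog()
    t = datetime(2010, 3, 1, 12, 0, tzinfo=timezone.utc)
    log.record("P-001", "Example Lab", "treatment", "lab order", t)
    log.record_claim("P-001", "Example Health Plan",
                     clearinghouse="Example Clearinghouse", when=t, claim_ref="claim 1001")
    log.record_claim("P-002", "Example Health Plan", when=t, claim_ref="claim 1002")
    return log


if __name__ == "__main__":
    log = demo()
    for e in log.accounting_for("P-001"):
        print(e.disclosed_at, e.recipient, e.purpose, e.description)
    print("chain intact:", log.verify_chain())
```

The accounting for patient P-001 lists three disclosures (lab, clearinghouse, payer) even though the practice performed only two actions, which is the point the post makes about clearinghouse routing. The hash chain is a cheap integrity control; in practice the log itself would be stored append-only and kept apart from the system that writes it.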
HHS has been gathering comments from provider organizations about the burden this will place upon them. How the rules are ultimately written remains to be seen.
At the same time, the HealthIT Policy Committee has been working on a framework for privacy and security of PHI as we move toward EMRs and the electronic exchange of identifiable personal information. An attempt is being made to come up with methods and understandings that will allow a national standard and method of exchanging PHI in spite of different laws and requirements in each of the 50 states. A Privacy and Security white paper series explores these issues.
Part of the current concern is the point in an exchange at which a specific consent should be required from a patient for release of their information. It is believed that patients feel fairly secure when provider #1 releases information to provider #2, whether that provider is a lab or another physician. Trying to determine the point at which comfort in an exchange is lost and the requirement of consent is triggered is part of the challenge. For example, if provider #1 has consent to send information to provider #2 but the only method of doing so is through a third party (like a clearinghouse or directory), does additional consent need to be obtained for that transaction? What kind of situation must exist to trigger a patient’s right to “opt out” of the electronic transaction?
These are important issues that pertain to information electronically exchanged for billing and operations as well as for treatment. Avoiding the use of an EMR will not shield you from addressing these issues if you send claims electronically... even at a payer’s web site.
What do you think about protecting the PHI of the consumer of services? What are you doing to assure that you meet the requirements of the law? Please share your thoughts and comments below.