There are a lot of changes to the HIPAA Privacy Rule in the 2013 Omnibus Rulemaking.  The primary changes involve the Genetic Information Nondiscrimination Act (GINA) and incorporating those requirements into the Privacy Rule.  There are many other changes to the Privacy Rule, but very few that directly affect security.

GINA changes to the HIPAA Privacy Rule

Genetic information now falls under protected health information, and must be protected according to all of the Privacy Rule requirements.  GINA also places additional restrictions on using genetic information.  HHS is ensuring that all health plans restrict genetic information use, not just those specifically called out in the GINA law.  Health plans cannot use genetic information to affect an individual’s premium, eligibility or other services.

Sale of PHI

Sale of protected health information (PHI) requires an opt-in approach (not opt-out) for individual authorization.  Treatment, payment, or benefits cannot be conditioned on giving that authorization – with the exception of clinical trials and similar situations.

Sales are explicitly defined as providing information in exchange for financial remuneration, with some very specific exceptions:

  • Limited data set sharing for public health purposes
  • Research purposes
  • Mergers and acquisitions
  • Treatment and payment purposes
  • To or by a business associate (and within the covered entity or affiliated groups)
  • Individuals paying a fee for their own PHI or a list of disclosures
  • Any reason allowed in the Privacy Rule for a cost-based fee

The rulemaking also explicitly discusses the authorization process and what is and is not allowed.

Privacy Policy

Privacy policies must also be changed.  In the past, a privacy policy only had to list the uses for data that were not allowed or exempt under the Privacy Rule if the covered entity was going to engage in those activities – and notify users of their right to prevent or prohibit those uses.  The new Rule requires privacy policies to tell users that most uses and disclosures of psychotherapy notes, uses and disclosures of protected health information for marketing purposes and sale, and any other uses and disclosures not discussed in the privacy policy require authorization.

Health plans with a website must post their new privacy policies on the web immediately, and mail them out at the next annual mailing.  Health plans without a website must notify their users within 60 days of the compliance date.

The inclusion of GINA restrictions constitutes a material change, and so the Notice of Privacy Practices must be updated after this rulemaking for some covered entities.  Covered entities that are not health plans and have already updated their privacy policies for HITECH won’t have to update their policies – as long as those policies are consistent with the 2013 updates.

Immunization information

The new rules also allow covered entities/providers to give schools immunization information with only verbal permission from the individual (or individual’s guardian).  The provider must record that authorization in their records, but a verbal authorization over the phone is allowed instead of a written authorization.

Other interesting tidbits

Providers can disclose a deceased person’s PHI to family members and others involved in their care or payment prior to death – unless they are aware of a specific wish/request of the person otherwise.

People who want to pay out of pocket for a procedure, diagnosis, etc. can do so – and request that their provider not disclose that information to their healthcare plan.  So, if someone receives treatment that they don’t want their insurance company to know about, they can request that the doctor not tell the insurer – as long as they pay out of pocket.

Individuals can receive their protected health information in an electronic form if they request it.  This means a doctor must provide a patient’s records in electronic form if the patient requests it.  The doctor and patient must negotiate an acceptable format for doing the transfer.  This means that many doctors who are using older records systems that don’t support electronic export will have to upgrade or update their systems.  There are still older systems out there that won’t perform electronic export in a human-readable format.

We discussed changes to the Breach Notification Rule in an earlier article.