August 17, 2010
New Proposed HITECH Regulations - Impact on Patient Rights
On July 14, 2010, the Department of Health and Human Services ("HHS") formally published its proposed regulations implementing changes made to the HIPAA Privacy and Security Rules by the Health Information Technology for Economic and Clinical Health Act ("HITECH"). The proposed regulations also include other changes intended to confirm or clarify the original Privacy and Security Rules. Because the proposed regulations cover a broad range of topics, we are issuing several more Alerts in our HIPAA Impact Series to provide further analysis of those topics. This Alert covers the provisions of the proposed regulations regarding patient rights.
Form & Format of Protected Health Information ("PHI")
The proposed regulations state that covered entities must provide access to hard copy or electronic PHI in both the form and format requested by the patient, if such PHI is readily available in that form or format. If it is not, the covered entity must provide access to a legible alternative form and format agreed upon by the patient and covered entity. Additionally, if the PHI requested is maintained electronically and the individual requests it in electronic form, the covered entity must provide the PHI in the electronic form requested if it is readily producible in that form. If it is not readily producible in that form, the covered entity must provide the PHI in an alternate electronic form. The covered entity could still charge a reasonable cost-based fee for any electronic media it provides.
The proposed regulations also provide that covered entities must honor patients' written requests to transmit PHI to another designated individual, provided that the request contains the patient's signature.
Restrictions on PHI Disclosures for Services Paid Out-of-Pocket in Full
HIPAA provides an individual the right to request restrictions on how a covered entity uses and discloses his/her PHI, but covered entities are not required to agree to such requests. HITECH, however, changed this for disclosures relating to services for which the individual paid out-of-pocket in full. The proposed regulations implement that change and clarify that covered entities are required to comply with a patient's request to restrict disclosure of PHI to a health plan if the PHI relates exclusively to health care items/services provided and the patient, or an individual on the patient's behalf, paid for the items or services in full, and disclosure is not otherwise legally required. Covered entities are also prohibited from disclosing the restricted PHI to the health plan's business associates.
There has been much discussion related to the potential challenges in implementing this requirement, including: how to designate records or portions of records as restricted PHI; how to notify downstream entities; how to handle payment and billing for follow-up treatments; how to determine an appropriate timeframe for receipt of payment in full; and what steps a covered entity must take to obtain full payment prior to requesting payment from the patient's health plan. Covered entities with concerns in these areas should take advantage of the opportunity to submit comments to HHS as further discussed below.
Additional Provisions in Notices of Privacy Practices
Under the proposed regulations, covered entities would be required to ensure their Notices of Privacy Practices include language stating:
- Most disclosures of PHI for remuneration will require the individual's authorization
- Most uses and disclosures of psychotherapy notes will require the individual's authorization
- Most uses and disclosures for marketing purposes will require the individual's authorization
- The individual has the right to request restrictions on PHI disclosures for services paid out-of-pocket in full
Additionally, if a health care provider intends to send communications regarding treatment alternatives or other health-related products or services and the provider will receive financial remuneration in return for making the communication, the provider's Notice of Privacy Practices must inform the individual of that intention as well as the individual's ability to opt out of receiving such communications.
HHS also specifically is requesting comments in two areas relating to Notices of Privacy Practices. First, HHS is requesting comment on whether covered entities should be required to include a provision in their Notices of Privacy Practices informing individuals of the covered entity's obligations under the HIPAA Breach Notification Rule. Second, HHS is requesting comment on the current HIPAA requirement that health care providers with a direct treatment relationship with an individual make a revised Notice available upon request on or after the effective date of the revision. In particular, HHS is interested in comments regarding whether that requirement will be overly burdensome.
HHS will accept comments regarding the proposed regulations from the public and the industry for a 60-day period ending September 13, 2010. Sometime thereafter, HHS will issue final regulations. For most provisions, including those described in this Alert, HHS intends to set the effective date for compliance at 180 days after the final rule is published.
The proposed regulations may be accessed at http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf.
Hall Render's HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. Our HIPAA Impact Series may be accessed at http://www.hallrender.com/.
If you need additional information about HIPAA/HITECH, please contact your regular Hall Render attorney or Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com.