
The Final Rule for HIPAA was issued yesterday.  It was actually several final rules that were kind of rolled into one big final rule.  These rules confirm some new rights that people receiving healthcare must receive.  If you receive healthcare, the new rights are for you.

A little background:  HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.  When it was first passed it addressed three main areas.  

First, it allowed for a certain level of health insurance portability.  If you had health coverage at Employer A, then took a job at Employer B, if Employer B’s health plan had a prohibition against covering “preexisting conditions” for a certain period of time, the Employer B plan needed to count the time you were on the Employer A plan for that purpose.  Thus, your "seniority" in a healthplan for purposes of preexisting conditions was "portable."  There were also many other changes relating to health insurance.  This first part of HIPAA is now largely obsolete with the passage of the Affordable Care Act, which does a better job addressing these areas.

The second part of HIPAA is known as Administrative Simplification.  It’s very important, although it’s probably the least known part of HIPAA.  Administrative Simplification requires healthcare providers and insurers to use the same sets of codes and the same kinds of electronic transmissions when they do various electronic healthcare transactions, such as sending a bill.  For example, if the mandated code for an appendectomy is 123, then every healthcare provider needs to bill a 123 for an appendectomy, and every health insurer needs to accept 123 as the code for an appendectomy.  Before Administrative Simplification, providers and health insurers were free to use their own codes, which created a lot of problems, especially when health insurers created silly one-off codes that mainly had the effect of making it harder for healthcare providers to get paid and patients to get covered.  Different code sets were a big reason you would see people throw figures around like, “25% of every healthcare dollar is used for administration, not healthcare.”  So, while healthcare billing and related transactions are still pretty complicated, they’re better than they were before because of this part of HIPAA.

The last part of HIPAA dealt with the privacy of medical information, and put many limits on what healthcare providers could do with that information (the same restrictions apply to health insurers and some other companies, but I’m just focusing on healthcare providers like doctors and hospitals).  For example, HIPAA prohibits healthcare providers from selling your medical information to other companies who want to market something to you.  It also prohibits healthcare providers from releasing your information to anyone other than the people you authorize.  It’s a fairly broad rule that has many moving parts that are applicable to different situations.

HIPAA also addresses the security of health information, and has various requirements healthcare providers must undertake to ensure that medical information they store remains secure and reliable, mainly from the technical perspective.  For example, healthcare providers are required to consider the use of encryption technology for portable devices (smartphones, laptops, USB memory keys, etc.) that hold medical information.

Because the first part of HIPAA is obsolete, and because most people don’t know about the Administrative Simplification part of HIPAA, the word “HIPAA” as used by the general public now almost always refers to the third part of HIPAA, relating to privacy and security.

Various rules were implemented over the years on the privacy/security aspects of HIPAA.  There have been four main rules that, until yesterday, were not considered to be completely finalized, and many of which were not in effect.  They are:  (1) the Privacy Rule, which describes the basic privacy protections for medical information; (2) the Security Rule, which describes mainly the technical requirements for computer and other systems that store, process and transmit health information; (3) the Breach Notification Rule, which describes the processes that healthcare providers need to follow if they lose certain medical information, including notification of the patients whose information was lost; and (4) the Enforcement Rule, which describes how the government will go about considering and imposing penalties on people and companies that don’t comply with one of the first three rules.  Each of the four rules contains multiple parts, other rules, etc.

The Final Rule issued yesterday finalizes all four of these rules.  This Final Rule has an effective date of March 26, 2013, and a “compliance date” of September 23, 2013.  For the most part this means that while the new rules go into effect in March, people don’t need to actually follow them until September.  It’s a pretty doable deadline for most of the requirements, but the September date may be pushing it for some requirements at certain healthcare providers.  For example, a large healthcare provider will often need more than a year to plan and implement a new computer system, so if a new system were necessary for compliance, meeting the deadline would be a challenge.

Many of the newer rules were created in response to changes that were made to HIPAA in 2009, pursuant to the HITECH Act.  The HITECH Act was not its own law; it was part of the 2009 stimulus bill that was passed after the big crash.

The Final Rule confirms several changes that apply to everybody who receives healthcare.  The following is not a comprehensive list (the rule is 560+ pages long) but rather some highlights:

1.    The normal rule currently used is that a person’s health insurer has the right to access the person’s medical records for payment purposes (e.g., to verify that a billed service was actually provided, was necessary, etc.).  So a patient basically has no medical privacy from the patient's own health insurer.  Under the Final Rule, a person who pays in full for a certain service out-of-pocket (i.e., no health insurer is billed) has the right to restrict the medical records for that service from being disclosed to their health insurer.  For example, if you are getting a test that you consider to be unusually sensitive for whatever reason (e.g., for an STD, cancer, etc.) you can pay for it yourself and restrict the information about the test from being shared with your health insurance company.  

2.    Probably the biggest news is that HIPAA is now applicable to “business associates” all the way down the chain.  A “business associate” is a person or company that performs a function for a healthcare provider.  For example, if a doctor hires an outside billing company to prepare and submit the doctor’s bills, the billing company is a “business associate” of the doctor.  The first version of HIPAA didn’t apply to business associates directly, so the government required healthcare providers to enter into contracts with business associates.  This framework left a lot of exposure in the event problems occurred.  If a business associate did something wrong with a person’s medical information, the government could only directly penalize the healthcare provider, not the business associate.

The Final Rule confirms that business associates need to follow most of the same rules, and offer most of the same protections, as healthcare providers do.  Also, business associates must extend these obligations to their own business associates all the way down the chain.  For example, if a billing company is a business associate of a doctor, and uses a computer company to host its data, the computer company is also a business associate (to the billing company, not the doctor) and needs to maintain privacy and security under HIPAA just like the billing company and the doctor.  The overall effect of this is to prevent a person’s medical information from losing protected status simply by moving from one legal entity to another, as had been the case before.  Also, patients may now make most requests (e.g., for copies of information, restrictions, etc.) to business associates in addition to healthcare providers.

3.    The Final Rule confirms that a person’s genetic information (e.g., DNA analysis result) is protected by HIPAA.  This was not completely clear previously because HIPAA allows insurers to use a person’s medical information to decide whether to issue a policy and for other insurance-related decisions.  The Final Rule clarifies that genetic information can’t be used in this way.  It harmonizes the provisions of HIPAA with the GINA law (Genetic Information Nondiscrimination Act of 2008), which prevents discrimination against people based on their genetic makeup.

4.    A healthcare provider needs the patient’s authorization before sending marketing material that the healthcare provider is being paid by another party (e.g., a drug company) to send.  The authorization must disclose to the patient that the healthcare provider is being paid.

5.    A healthcare provider must give a patient a copy of his medical information, in the format requested by the patient if possible.  If the patient requests an electronic copy, the information must be provided to the patient electronically.  This is an expansion of the patient's right of access under the current law.

6.    The rule expands the people who may receive information about a patient’s death.  Previously only a specified personal representative of the patient (such as the executor of the patient’s will) could get this information.  The Final Rule clarifies that anyone “involved in the patient’s care” can access death-related information, and the commentary specifically says that this group of people might include the patient’s domestic partner.  This requirement contains an exception to honor the patient’s wishes (i.e., if the patient did not want a particular loved one who was involved in the patient’s care to know this information, the healthcare provider would need to do its best to honor this request).

7.    The rule changes the current status of child vaccinations.  Prior to the Final Rule, a healthcare provider couldn’t release a child’s immunization records to the child’s school without written permission from the child’s parent/legal guardian.  This caused all sorts of problems, especially for schools that will not enroll a child without first receiving confirmation of immunization – parents/legal guardians would have to drop everything to run to the healthcare provider’s office to sign forms.  The Final Rule changes this to allow for oral authorization (e.g., over the phone).

8.    The Final Rule confirms that patients have the right to ask the healthcare provider to send their medical information to a third party (e.g., a new doctor).  Before this, patients only had the right to get the information themselves, and they would then need to send the information to a third party.  This caused the patients to have to waste time in this process.

There are many other changes, but these are ones that most clearly can be exercised by patients.  Note that states are free to pass stronger requirements in any area covered by HIPAA, so some states might have additional protections.

A final word.  Almost everything HIPAA says a healthcare provider can’t do, the healthcare provider can do if it receives written permission signed by the patient.  To preserve your rights, you actually need to read the forms you get in the waiting room, and know what you’re signing.

Originally posted to Tailfish on Fri Jan 18, 2013 at 08:26 PM PST.

Also republished by Good News and Community Spotlight.


  •  What we need is the right not to get screwed (19+ / 0-)

    by Insurance Companies.  

    Strange oversight to have left that out...

  •  I *thought* this is true, but not in Medicare (10+ / 0-)
    It also prohibits healthcare providers from releasing your information to anyone other than the people you authorize.
    Apparently, Medicare replacement companies can authorize companies to do research into your current medical situation for their reporting to CMS, so companies entirely unknown to the beneficiary can get ALL your information and mine it for who knows what and catalog it and do who knows what with it.  The authorization is apparently by extension to the one made to the insurance provider.  Given that there are such enormous databases out there about personal health info kept by the insurance companies, I find it very uncomfortable that my health is being mined for info I cannot know and for purposes I cannot track.

    "This is the best bad idea we have by far..." ~Argo

    by MsGrin on Fri Jan 18, 2013 at 09:00:47 PM PST

    •  I presume this is some version of biz assoc (8+ / 0-)

      portions - but if the biz assoc is unknown to the patient, any misuse of the information would be unlikely to be in a place the patient would come across the transgression.

      "This is the best bad idea we have by far..." ~Argo

      by MsGrin on Fri Jan 18, 2013 at 09:04:09 PM PST

      [ Parent ]

    •  That's true (9+ / 0-)

      I was trying to keep the explanation at a high level since the regulations themselves are pretty complicated.  There are a number of exceptions to requiring authorization, all the way down to releasing your information without authorization to the Secret Service if you're threatening to kill the President.  The biggest general exceptions are for treatment and payment - once you're actually getting medical care (e.g., you've been admitted to a hospital), your medical information can be shared among your health care providers for the purpose of treating you, and can be shared with your insurer for purposes of billing.  Again, with some exceptions to those exceptions.

      •  This was for some audit of the MA company, if I (5+ / 0-)

        understood.  I kinda felt like I should be able to opt out, and I made an effort so to do, instructing my doc to not release my files, but they hounded his office and I did not have enough enthusiasm to get more legalistic about it.

        "This is the best bad idea we have by far..." ~Argo

        by MsGrin on Fri Jan 18, 2013 at 09:10:46 PM PST

        [ Parent ]

      •  Employers have some access too... (1+ / 0-)
        Recommended by:
        mahakali overdrive

        although that access is limited to that which is needed to administer group health plans.

        If an employer has a self-funded plan, typically they have more access to specific claims data because they in essence are the "insurer" - but are also obligated by the HIPAA rules.

        It is also the case that employers must keep any information related to employee benefits separate from other employment data. Your manager would typically have access to your employee file to see past reviews, training programs, etc. - but cannot have access to anything relating to medical issues, etc.

        It often requires more courage to dare to do right than to fear to do wrong. – Abraham Lincoln

        by firstalto on Sat Jan 19, 2013 at 11:01:19 AM PST

        [ Parent ]

  •  People should know (7+ / 0-)

    that their pharmacies are selling their prescription records with their personal information stripped off, and this has been ruled not to be a HIPAA violation.  But as we all know, data mining companies are hard at work re-identifying information of all kinds. Does anyone think the drugs we take aren't going to be in our dossiers?

    Will hospitals be next?

    We decided to move the center farther to the right by starting the whole debate from a far-right position to begin with. - Former House Majority Leader Tom DeLay

    by denise b on Fri Jan 18, 2013 at 09:09:35 PM PST

    •  HIPAA doesn't protect "deidentified" data (10+ / 0-)

      If all of the parts of a medical record that could be used to identify a person are removed (name, DOB, address, many other parts), the record becomes "deidentified."  Once deidentified it's no longer protected, and can be used as part of data mining, etc.  I haven't heard that re-identification has been successful - it seems unlikely given the requirements to remove the data that could be used to identify a patient.

      •  I haven't heard (3+ / 0-)

        that it's been successful with pharmacy data and I don't see how it could be, but I do know that they're pretty clever about putting stuff together. I don't know what they can do or what they'll be able to do in the future, and it concerns me.

        We decided to move the center farther to the right by starting the whole debate from a far-right position to begin with. - Former House Majority Leader Tom DeLay

        by denise b on Fri Jan 18, 2013 at 09:39:55 PM PST

        [ Parent ]

      •  Yes (1+ / 0-)
        Recommended by:
        mahakali overdrive

        Even the age of the patient has to be removed if it can be used to identify. The standards are pretty strict, and deidentified data is nearly impossible to attach back to PHI.

        An ancient evil. An immortal warrior. The Tears of Ishtar by Michael Ehart http://www.mehart.blogspot.com/

        by IsraelHand on Sat Jan 19, 2013 at 11:40:00 AM PST

        [ Parent ]
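As an added example (not part of the diary or its comments), the following Python shows what "removing the parts of a medical record that could identify a person" looks like in practice, including the age rule mentioned in the reply above. It applies the Safe Harbor method from the HIPAA Privacy Rule, which I know from the regulation rather than from this page: strip the listed direct identifiers, keep only the year of dates tied to the person, report any age over 89 as "90 or older", and truncate ZIP codes to three digits. The record, the field names and the set of restricted ZIP prefixes are constructed assumptions for illustration; the real restricted-prefix list comes from Census population data.

```python
"""Safe Harbor de-identification, as an illustration of the comments above.

Constructed example for this page; the record and field names are made up.
The rules applied are those of the HIPAA Privacy Rule's Safe Harbor method
(45 CFR 164.514(b)(2)): strip the listed direct identifiers, keep only the
year of dates tied to the person, report ages over 89 as 90, and truncate
ZIP codes to three digits.  The restricted ZIP prefixes are a placeholder:
the real list (prefixes covering 20,000 people or fewer) comes from Census
data and is not on this page.
"""
from datetime import date
import re

# Fields holding direct identifiers; removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Dates directly related to the individual; only the year may remain.
PERSONAL_DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Placeholder (constructed): three-digit ZIP prefixes that must become "000".
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def safe_harbor_zip(zip_code):
    """First three digits of a ZIP code, or "000" for a restricted prefix."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def safe_harbor_age(dob, as_of):
    """Whole years between dob and as_of, capped at 90 ("90 or older")."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return 90 if years >= 90 else years


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of record.

    as_of is the reference date for the age calculation, passed explicitly
    so the result is reproducible.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # drop outright
        if field in PERSONAL_DATE_FIELDS:
            out[field + "_year"] = value.year         # keep the year only
        elif field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "age":
            out["age"] = 90 if value >= 90 else value
        else:
            out[field] = value                        # clinical content stays
    if "dob" in record:
        out["age"] = safe_harbor_age(record["dob"], as_of)
    if out.get("age", 0) >= 90:
        # Ages over 89 are aggregated, and any date element that would reveal
        # such an age (the birth year included) must go as well.
        out.pop("dob_year", None)
    return out


def residual_identifiers(record):
    """Field names still present that Safe Harbor would not allow as-is."""
    present = set(record)
    return sorted(present & (DIRECT_IDENTIFIER_FIELDS | PERSONAL_DATE_FIELDS | {"zip"}))


SAMPLE_RECORD = {                      # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "address": "12 Example Ln",
    "city": "Anytown",
    "zip": "03601",
    "dob": date(1921, 3, 15),
    "admission_date": date(2013, 1, 10),
    "diagnosis_code": "K35.80",        # illustrative codes only
    "procedure_code": "44970",
}

if __name__ == "__main__":
    print(residual_identifiers(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD, as_of=date(2013, 1, 18)))
```

Two points the commenters touch on are visible here. First, the ZIP truncation and the age cap exist precisely because a full date of birth plus a full ZIP code is enough to single out most people, so the rule removes the quasi-identifiers, not just the obvious ones. Second, Safe Harbor also requires that the entity releasing the data has no actual knowledge that what remains could still identify the person; the alternative route under the same rule is a documented expert determination that re-identification risk is very small.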

    •  The prescribing efforts of doctors to use generics (10+ / 0-)

      or less expensive alternatives has been patient de-identified but not doctor de-identified. The information is passed onto pharmaceuticals which in turn speedily send a persuasive rep out to said doctor, to prompt use of their more expensive drugs. It is pressure on doctors and their time.

      Science is hell bent on consensus. Dr. Michael Crichton said “Let’s be clear: The work of science has nothing to do with consensus... which is the business of politics. Science, on the contrary, requires only one investigator who happens to be right,”

      by Regina in a Sears Kit House on Sat Jan 19, 2013 at 08:18:28 AM PST

      [ Parent ]

        •  Going to DC for ID doc, and just lucky enough to (1+ / 0-)
          Recommended by:
          wilderness voice

          catch the inauguration.

          We believe that we've given my immune system as much time as we can to settle down, and it is time to initiate treatment in what ever way we can ease into it.

          Hopefully after all the tests are reviewed and seeing I've been on a plateau for awhile, ID doc will agree I'm as good as I can be without treating the underlying cause.

          thank you for asking.

          Science is hell bent on consensus. Dr. Michael Crichton said “Let’s be clear: The work of science has nothing to do with consensus... which is the business of politics. Science, on the contrary, requires only one investigator who happens to be right,”

          by Regina in a Sears Kit House on Sat Jan 19, 2013 at 11:41:51 PM PST

          [ Parent ]

      •  That irritates me. I'm a doctor and I don't like (4+ / 0-)

        the fact that drug companies can monitor my prescribing habits.

        The drug companies are supposed to keep that information  away from the "detail people" who come to tout new medicines.  But a detail man from Merck once asked me, pointedly, "Are you prescribing my medicine, or just maintaining patients on the samples I leave you?"

        We're all pretty strange one way or another; some of us just hide it better. "Normal" is a dryer setting.

        by david78209 on Sat Jan 19, 2013 at 10:01:38 AM PST

        [ Parent ]

        •  They seem to work every angle. I am curious (0+ / 0-)

          do you get a chance to talk with colleagues about these practices?

          More and more docs we talk/work with are denying reps access if they can.

          Science is hell bent on consensus. Dr. Michael Crichton said “Let’s be clear: The work of science has nothing to do with consensus... which is the business of politics. Science, on the contrary, requires only one investigator who happens to be right,”

          by Regina in a Sears Kit House on Sat Jan 19, 2013 at 11:44:05 PM PST

          [ Parent ]

          •  I really haven't talked with other docs about this (0+ / 0-)

            I don't get many reps calling on me any more.  I'm happy to talk to them if they're leaving samples of useful medicines.  The one whom I've seen recently brings Lantus insulin in these nifty injector "pens".  It's hard enough to talk people into taking a shot every day, and then I worry about whether they really understand how to do it and whether they're giving themselves the right dose.  The pens make it easier to set the dose, and a lot easier to give yourself an injection, so I don't begrudge the 'detail lady' some time to advertise her product to me.

            We're all pretty strange one way or another; some of us just hide it better. "Normal" is a dryer setting.

            by david78209 on Mon Jan 21, 2013 at 10:38:53 AM PST

            [ Parent ]

  •  One of the secrets about HIPAA (10+ / 0-)

    is that hospitals and other providers frequently hide behind HIPAA to avoid releasing damaging information about errors and substandard care they provided to patients.

    For if there is a sin against life, it consists perhaps not so much in despairing of life as in hoping for another life and in eluding the implacable grandeur of this life. - Albert Camus

    by Anne Elk on Fri Jan 18, 2013 at 09:40:57 PM PST

  •  I heard Malkin today saying that HIPPA... (3+ / 0-)
    Recommended by:
    wilderness voice, wader, NapaJulie

    PREVENTED Docs from ASKING you questions, specifically in her so-called mind about gun ownership. Next thing she'll say is that patients are being administered sodium pentathol and forced to answer doctors questions at the point of a large bore syringe...

  •  Have they fixed the glitch (3+ / 0-)

    that prevents medical information being shared among the people actually providing the care?
    A friend of mine is a lowly worker at a nursing home (I can't remember the job title). She does the real dirty work, changing soiled beds, wiping dirty bottoms et cetera. She is not able to find out whether the guy that bit her is HIV+ or not because the MDs and Nurses would be prosecuted for revealing the patient's records. Likewise, my aunt, an LPN, has told me that in her hospital, patient charts are kept locked away and second shift nursing staff are not always given enough information about meds, et cetera, leading to accidents.
    Meanwhile, the insurance company account execs can quote your chart to you over the phone as they decline to cover you (personal experience).
    Any of that get fixed?
    Because it seems to me that due to these two conditions, HIPAA has been, on balance, detrimental to the individual's health without doing enough to protect their privacy from those who would profit from violating it.

    If I ran this circus, things would be DIFFERENT!

    by CwV on Sat Jan 19, 2013 at 06:55:18 AM PST

    •  Coupla points (7+ / 0-)

      Information about HIV status is protected by a variety of state and federal regulations, not just HIPAA privacy and security.

      Direct care workers should be practicing 'standard' (aka universal) precautions for infection control, which consider ALL patients as potential sources of infection, and which protect the worker from exposure to infectious material. Measures include consistent, effective hand washing, and the use of gloves (and other protective equipment like masks and face shields) for prolonged contact or when there's the likelihood of exposure to contaminated material like soiled linens and body fluids.

      The only way to contract HIV is to have unprotected sex with an infected person. A secondary risk is non-sexual contact with an infected person's body fluids (but not ALL body fluid) when the worker's own skin integrity is compromised - like in the case of a bite (though exposure to the biter's blood, and NOT saliva, is the risk).

      In THAT event (a very serious incident of an occupational injury), NIOSH and OSHA (and an agency's own policies) are very clear that the person bitten should be tested and followed for potential HIV; and that treatment be offered and provided.

      The issue of direct care staff not being provided access to essential information, if true, is quite serious - a form of malpractice. It has nothing to do with privacy regulations.

      Securing chart access is a normal and expected method of complying with privacy and confidentiality, but HIPAA makes clear that information can be shared for the purpose of health care treatment (by all staff) and the operation of a provider.

      Beware the pitfalls of unsubstantiated anecdotes.

      "FK the deficit. People got no jobs. People got no money." Charlie Pierce

      by RubDMC on Sat Jan 19, 2013 at 08:01:51 AM PST

      [ Parent ]

    •  Your friend has a Personal Injury case. (2+ / 0-)
      Recommended by:
      maybeeso in michigan, NapaJulie

      She can get a free consultation from almost any decent PI lawyer.  The mental anguish portion will just drag on until the nursing home insurance company reveals the facts.  Tell her to go get an aggressive lawyer to look at her situation - many specialize in industrial injuries like this one.

    •  I agree (3+ / 0-)
      Recommended by:
      Chi, happymisanthropy, NapaJulie

      HIPAA privacy so far has been nothing but a stupid joke as far as I am concerned. As cited above it has been used as a smokescreen to hide hospital malfeasance. The people who can harm you (insurers) have full access but everyone else, including oneself, has to jump through hoops to get around it.

    •  Not sure if your friend (0+ / 0-)

      has the right people giving her advice.

      In my hospital, the 'biter' is tested for HIV, etc.

      The "bitee" is also tested and the 'bitee' will damn well be told if the 'biter' is HIV positive.

      as far as I am aware....

      I live in a country where the health and safety of its people takes second place to profits and political gain. Enough.Is.Enough.

      by karma13612 on Sat Jan 19, 2013 at 03:01:29 PM PST

      [ Parent ]

      •  After the fact. (0+ / 0-)

        But she's handling lots of patients per day (cheap bas+ards she works for "economized" on staff by letting 1/3 of them go and doubling everyone else's workload), she has no idea who is sick with what (HIV doesn't seem to be the actual issue, but there are any number of other things to worry about in that environment). To go full protection and constantly change garb all day is not workable and scares the patients.
        It just seems wrong to keep the chart secret from the care givers while publishing it on whatever insurance company database they read from.

        If I ran this circus, things would be DIFFERENT!

        by CwV on Sat Jan 19, 2013 at 03:13:32 PM PST

        [ Parent ]

  •  what? (2+ / 0-)
    Recommended by:
    wader, NapaJulie
    you had health coverage at Employer A, then took a job at Employer B, if Employer B’s health plan had a prohibition against covering “preexisting conditions” for a certain period of time, the Employer B plan needed to count the time you were on the Employer A plan for that purpose.  
    I thought pre-existing conditions were history, and it is entirely stupid to have an employer based and for-profit health care system in the first place.  

    What we need is a Democrat in the White House.

    by dkmich on Sat Jan 19, 2013 at 07:13:34 AM PST

  •  Cue stupid Republican outrage... (4+ / 0-)

    They just hate anything that might improve peoples' lives.

    It's here they got the range/ and the machinery for change/ and it's here they got the spiritual thirst. --Leonard Cohen

    by karmsy on Sat Jan 19, 2013 at 07:38:46 AM PST

    •  Actually, many Republicans support privacy rights (4+ / 0-)
      Recommended by:
      wader, karmsy, ER Doc, NapaJulie

      especially the most conservative ones.  I was surprised to discover this years ago when doing grassroots lobbying in support of privacy for genetic information.  They realize it could happen to them, too.

      Democratic Leaders must be very clear they stand with the working class of our country. Democrats must hold the line in demanding that deficit reduction is done fairly -- not on the backs of the elderly, the sick, children and the poor.

      by Betty Pinson on Sat Jan 19, 2013 at 08:45:34 AM PST

      [ Parent ]

  •  Great diary (9+ / 0-)

    I'm a hospice clinical staff educator, and cover this material regularly for new staff, as well as annually for all staff.

    You've provided a great explanation and thorough context, which I hope to use in upcoming presentations (with attribution and links).

    "FK the deficit. People got no jobs. People got no money." Charlie Pierce

    by RubDMC on Sat Jan 19, 2013 at 08:03:36 AM PST

  •  Thank you so much, Tailfish (7+ / 0-)

    Your diary's so clear and direct and useful.  I really, really appreciate it.  

    "Injustice wears ever the same harsh face wherever it shows itself." - Ralph Ellison

    by KateCrashes on Sat Jan 19, 2013 at 08:05:12 AM PST

  •  Thanks, Tailfish, I appreciate your expertise... (4+ / 0-)

    ...and the work you put into presenting this diary.

    HHS Sec'y Kathleen Sebelius has done a bang up job from day 1 and proven she's a strong populist executive. IMO she's been the most impressive selection in Obama's org and a lynchpin for PPACA.  

  •  Thank you for a well written and clear summary of (5+ / 0-)

    a very long and complex set of regulations. Just the sort of writing we need.

    IIRC, one of the other provisions enacted early on, and this was big, was a requirement to move patient record keeping to electronic methods and storage. I'm not sure a specific format or compatibility was required.

    Docs were complaining about the cost to convert and the perceived loss of privacy this would permit. And greater access by insurers to private information.

    Not sure what's happened with this.

    These newer regs seem to solve some of the privacy and access issues in both directions in a practical way.

    Lastly, since these are laws, it seems that subsequent amendments or slight changes of wording could begin to either fix or weaken protections in this bill. We have seen this in many ways before.

    Science is hell bent on consensus. Dr. Michael Crichton said “Let’s be clear: The work of science has nothing to do with consensus... which is the business of politics. Science, on the contrary, requires only one investigator who happens to be right,”

    by Regina in a Sears Kit House on Sat Jan 19, 2013 at 08:30:32 AM PST

  •  Enforcement & Penalties are still a problem (4+ / 0-)

    Penalties to violators of patient privacy are as little as $100 per incident, a very small penalty if the release of a patient's private medical information results in the loss of a job, cancellation of life insurance, etc.

    The biggest problem with HIPAA and GINA is that they don't allow the patient who has been wronged a right to private action.  If a patient is harmed by a job loss, etc. as a result of release of medical information, they don't have the right to sue for damages.

    One of the most important parts of the right to sue is not just the ability of a plaintiff to receive compensation & damages, but the threat of a lawsuit often prevents bad actors (employers, corporations who profit from the sale of personal medical information, etc.) from violating the rights of patients.

    That's a problem particularly when it comes to genetic testing.  Science on genetic predisposition to disease is in its infancy.  Because someone tests positive for a certain genetic anomaly doesn't mean they will ever get the disease, but they (and their blood relatives) may be treated as if they will.

    Democratic Leaders must be very clear they stand with the working class of our country. Democrats must hold the line in demanding that deficit reduction is done fairly -- not on the backs of the elderly, the sick, children and the poor.

    by Betty Pinson on Sat Jan 19, 2013 at 08:40:20 AM PST

  •  I wish they could have put something in (4+ / 0-)

    HIPAA that prevents employers from running credit checks on potential employees. Since the number one cause of bankruptcy is medical debt, it seems like that would be an appropriate issue to be addressed by HIPAA.

    •  wholeheartedly agree (1+ / 0-)
      Recommended by:
      mahakali overdrive

      I still cannot get over the fact that a potential employer can run a credit check on you.

      completely don't get that

      How does that impact my 'qualifications' for the job? If I have an ex-husband that totally bankrupted me, and I am looking for a job, it's a catch-22. How do I ever get a job to pay off the creditors? How do I pay off the creditors without a job?

      asinine

      I live in a country where the health and safety of its people takes second place to profits and political gain. Enough.Is.Enough.

      by karma13612 on Sat Jan 19, 2013 at 03:05:35 PM PST


  •  timely diary -- thank you (2+ / 0-)
    Recommended by:
    ER Doc, NapaJulie

    Thank you Tailfish for this diary. I have been reviewing my practice HIPAA compliance and this paragraph is what I have been looking for:

    A final word.  Almost everything HIPAA says a healthcare provider can’t do, the healthcare provider can do if it receives written permission signed by the patient.  To preserve your rights, you actually need to read the forms you get in the waiting room, and know what you’re signing.
    Might you have a reference where I can actually pull and view this rule?  

    And may I ask your training/background that explains your interest and expertise in HIPAA?

    •  Thanks! (2+ / 0-)
      Recommended by:
      NapaJulie, roonie

      The concept of requiring the patient's written consent is sprinkled throughout the HIPAA rules.  The important thing to understand is that the general rule under HIPAA is that you can't release patient information without the patient's consent.  There are exceptions to the general rule, but the general rule is what applies in most release cases that need to be analyzed (other than for treatment, etc).  This general rule is reflected in the first paragraph of 45 CFR 164.508, which also goes on to describe a few specific situations where consent is required (not an exhaustive list of everything).  You can see it at:

      http://www.gpo.gov/...

      As for background, I'm a lawyer who works mainly in the healthcare sector, so HIPAA issues are kind of a day-to-day thing I work on.

  •  Great writeup of the highlights. (2+ / 0-)
    Recommended by:
    ER Doc, NapaJulie

    Thank you so much for this. Big thumbs up.

    Before you win, you have to fight. Come fight along with us at Texas Kaos.

    by boadicea on Sat Jan 19, 2013 at 09:06:44 AM PST

  •  That's better on vaccinations, but... (0+ / 0-)
    The rule changes the current status of child vaccinations.  Prior to the Final Rule, a healthcare provider couldn’t release child’s immunization records to the child’s school without written permission from the child’s parent/legal guardian.  This caused all sorts of problems, especially for schools that will not enroll a child without first receiving confirmation of immunization – parents/legal guardians would have to drop everything to run to the healthcare provider’s office to sign forms.  The Final Rule changes this to allow for oral authorization (e.g., over the phone).
    I really wish this applied to all immunizations not just 'childhood' ones.  (Maybe it does?)  Adults can have trouble remembering if they got this year's flu shot.   ("Was it this year or last year?")  They can also have trouble remembering when they got their last tetanus shot.  My home county tried to set up a registry of all immunizations, but ran into HIPAA problems.  I can't imagine why someone would care if his or her immunization records got released to the public.  It's not some sensitive, potentially juicy bit of gossip like having been tested for HIV.  It usually just means you complied with the regulations to go to public school.

    We're all pretty strange one way or another; some of us just hide it better. "Normal" is a dryer setting.

    by david78209 on Sat Jan 19, 2013 at 09:53:22 AM PST

    •  the anti-vax conspiracists will not (1+ / 0-)
      Recommended by:
      mahakali overdrive

      want to be on some gub'mint list. . .

    •  vaccination and schools (0+ / 0-)

      I'd actually like to see the rules allow health care providers to release vaccination records (or at least certification that the required list has been received) to a school without having to have written or verbal authorization. Schools should be able to get that information as a matter of course without parents with some strange bee in their bonnet or conspiracy idea getting in the way. It's good that this was loosened, but it wasn't loosened enough.

  •  Thanks so much! (0+ / 0-)

    As a newly minted Ombudsman for our county, this information is like gold to me...
    I never knew when I started this program how much I would learn.  Again, thanks a bunch!

    "I'm Grandma-delicious because his mom is so nutritious..."

    by NapaJulie on Sat Jan 19, 2013 at 11:06:53 AM PST

  •  That's funny... (0+ / 0-)

    ... I just attended a long boring meeting in which much of the time was devoted to coding differences for certain services between Medicare and commercial plans.  For instance, an annual preventive health visit for a patient over 65 uses one code if the insurance is Medicare and a different code if the insurance is commercial.  

    It's all so simple.  Right?

    There are plenty of Democrats with spines out there. Why can't we elect one President?

    by Deighved H Stern MD on Sat Jan 19, 2013 at 11:49:36 AM PST

    •  yeah, I'm a coder and it seems I spend (1+ / 0-)
      Recommended by:
      Odysseus

      all my time dealing with edits and the differences between various insurances and what CPT codes and dx codes are good enough to get a clean claim.

      In my opinion, if ALL the payors used the same darn codes, we could certainly do away with a huge amount of wasted time.

      If the public really knew about all this, they would have DEMANDED single payer instead of thinking: "I don't want to be like a socialist country"

      Brother...

      I live in a country where the health and safety of its people takes second place to profits and political gain. Enough.Is.Enough.

      by karma13612 on Sat Jan 19, 2013 at 03:09:12 PM PST


  •  Awesome News!!! (0+ / 0-)

    This post is dedicated to myself, without whom, I'd be somebody else. Though I'd still be an asshole. My Music: [http://www.myspace.com/beetwasher]

    by Beetwasher on Sat Jan 19, 2013 at 11:51:01 AM PST

  •  YOU DON'T HAVE TO SIGN AWAY YOUR RIGHTS (1+ / 0-)
    Recommended by:
    Odysseus

    Just because your doctor's office hands you a release to sign, doesn't mean you have to sign it.  For instance, you are NOT obligated to give up your right to sue your doctor and rely on mediation instead.

    Doctors routinely ask their patients to sign such waivers, but many won't make you if you object.

    Ask the receptionist or office manager if being a patient of that particular doctor requires that you agree to give up your right to sue, and if so, find another doctor.

    Stop the party of Gut & Spend policies that gut our Earned Benefits programs like Social Security and Medicare and spends on tax breaks for the wealthy elite.

    by jillwklausen on Sat Jan 19, 2013 at 12:12:36 PM PST

  •  Good for this (0+ / 0-)
    which prevents discrimination against people based on their genetic makeup.
    Because people like me will be completely fucked otherwise.

    "Til you're so fucking crazy you can't follow their rules" John Lennon - Working Class Hero

    by Horace Boothroyd III on Sat Jan 19, 2013 at 12:33:15 PM PST

  •  Still some real problems to be worked out (4+ / 0-)
    Recommended by:
    slouchsock, sydneyluv, susanala, Odysseus

    As a pediatrician, how do I ask and counsel my teen patients about sex, drugs and rock and roll when their parents have the right to discovery? How do I record any suspicion I might have about malingering without creating a problem (these are the folks who will look!)? Psychiatrists have an exception to these HIPAA rules, I understand, but psychiatrists aren't the only ones who deal with psychiatric problems.

  •  question about my late father's records (0+ / 0-)

    6. The rule expands the people who may receive information about a patient’s death.

    The guardian and personal representative for my father was a step-grandson.  

    Can I now obtain his cancer history without going through the erstwhile relative?

    Can you point me to where I could find out?

    •  Unfortunately (1+ / 0-)
      Recommended by:
      Odysseus

      The rule's not in effect until 3/26, and hospitals don't need to start following it until 9/23.  Even then, the focus is on sharing information with people who were involved in the patient's care (i.e., the hospital staff got to know them since they were always visiting, staying with the patient, etc.).  Family relation isn't the test, it's being involved in the patient's care.  So it could be a friend, etc. who the information is shared with.

      If your dad's estate is being probated, you might consider asking the judge to order the release of his cancer history to you.

    •  death and privacy (0+ / 0-)

      Death should be the end, or at least a significant relaxation, of these privacy rights. If you're related (child, parent, grandparent, sibling, etc.) or have a need to know, such as questions of history that might be relevant to your own health, then the information should be available without large amounts of red tape. Their life has come to an end. Privacy is no longer a concern of theirs, and they can no longer be harmed by its release. But availability of that information may be of real ongoing concern in the life and health of others.

  •  I have a question about privacy (0+ / 0-)

    of health care records.

    The NRA is saying we don't need gun control, we need people control, to keep guns out of the hands of people with psychiatric problems. I'm not sure exactly how they define psychiatric problems -- being forcibly hospitalized for treatment, getting a prescription for mood-altering drugs, ADHD, being treated for depression, or whatever -- but shouldn't psychiatric records qualify as health records under HIPAA?

    How does that work? If I go to a doctor for the flu, the records are private, but if I'm depressed, I'm in a national database that says I can't buy a gun? Not that it applies to me (never been treated for depression and never tried to buy a gun). I'm just curious.

    “If you misspell some words, it’s not plagiarism.” – Some Writer

    by Dbug on Sat Jan 19, 2013 at 07:00:54 PM PST

  •  Info for family & access to one's own records (0+ / 0-)

    Thanks for the great diary and summary of the rule changes. It is quite helpful, and much of what you outline is good.

    I still have my misgivings about the tightness here, especially with regards to family and being able to disclose to family and others (especially clergy) that a person is in the hospital. It can be too difficult for family members to get information about their loved one, especially if they are in different cities or regions, especially if the family member or partner is not currently capable of providing the usual permissions. Thankfully, some of the previous silliness of misinterpretation there has been alleviated. Perhaps not enough, yet, however.

    The other item that is missing here is further improvements for accessing one's own records. The right to get copies allows one to see the record, but getting a copy isn't always what is needed and could be overly costly for the provider. My clinic has a system that allows me to see some basic information such as test results, "letters," and other summary information. Their system (an Epic EMR system), however, doesn't allow me to see the full medical record without asking for that copy. It should be the right of everyone to be able to see the entire record, not just these summary bits, if they request such access to be set up. Further, there should be nothing in the record that can be held back by a provider, and a patient should be allowed to add any notation of their own to any record, if not able to require that any correction be made when an error is found.
