The U.S. Department of Health and Human Services wants to let patients hide some medical care from their health plans by paying for the care out of pocket.
HHS has included provisions for helping patients keep treatment secrets from health plans in a notice of proposed rulemaking that is set to appear in the Federal Register July 14.
The proposed regulations would update the health data security and health information provisions in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to reflect statutory changes made by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Congress passed the HITECH Act in an effort to encourage the widespread adoption of electronic health records and other health information technology, in part by easing health information privacy concerns.
HHS officials last updated HIPAA privacy rules in 2002 and HIPAA data security rules in 2003, and the proposed regulations include a variety of technical changes and general updates as well as changes related to the HITECH Act, officials write in a preamble to the proposed regulations.
The proposed regulations will affect health insurers, health plans, health plan administrators and many other types of related entities as well as to physicians, hospitals and clinics, officials say.
Some of the proposed regulations have to do with definitions and procedures.
HHS officials now want to clarify the definition of "marketing," for example. Officials want nonprofit health care providers to warn patients and give patients a chance to opt out before sending them fundraising appeals. HHS also would treat a move by a mammography equipment manufacturer to pay for a hospital to let patients know about the arrival of a new mammography machine as marketing. But a nonprofit group could help a hospital tell patients about the arrival of new mammography equipment without that being treated as marketing, officials say.
HHS officials intend to exclude prescription refill reminders from the definition of marketing; make sure that the definition of systems for storing health data includes employer intranets and will continue to work even if the term "electronic media" becomes obsolete; and implement a HITECH provision that would replace the current one-level violator culpability standard with a four-level standard. The lowest-level violators would be those that fail to try hard enough to understand and follow the rules; the highest-level violators would be those that are guilty of "willful neglect" and do not bother to correct their neglect within a reasonable time period.
HHS officials will be trying to add a new paragraph to the HIPAA privacy rules that would "require a covered entity, upon request from an individual, to agree to a restriction on the disclosure of protected health information to a health plan if: (A) the disclosure is for the purposes of carrying out payment or healthcare operations and is not otherwise required by law; and (B) the protected health information pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full."
If, for example, a patient received care for asthma and for diabetes from the same physicians and paid for the diabetes-related care out of pocket, the patient could keep the physicians from telling the health plan about the diabetes, officials say.
The health care provider or other covered entity could still contact the health plan if the patient did not really pay the full out-of-pocket costs for the care. If, for example, a patient's check bounced, a provider could contact the health plan for payment, officials say.
"We recognize that this provision may be more difficult to implement in some circumstances than in others, and we request comment on the types of interactions between individuals and covered entities that would make requesting or implementing a restriction more difficult," officials say.
The officials ask, for example, how restrictions on sending health information to health plans might work if a patient paid out of pocket for care from a physician, and the patient then authorized the physician to send health records to another care provider, such as a pharmacy.
If an individual paid out of pocket for care to avoid telling the health plan about the care, the individual could not count the payments toward the health plan's out-of-pocket expense threshold, officials say.
Insurers and benefit plan administrators would have to tell plan members about the changes in the privacy and data security rules.
HHS officials estimate the new requirements would lead to about $166 million in costs for affected parties in the first 12 months after the requirements took effect.
Updating a HIPAA "notice of privacy practices" will take about 20 minutes of professional legal time, or about $30 worth of legal time, for about 697,000 health care providers, meaning that providers will spend a total of about $21 million on updating privacy notices, officials estimate.
There are about 1,000 health insurers and about 3,500 health benefit plan administrators, and they will spend a total of about $120 million on drafting, printing and distributing privacy notices, officials predict.
"We note that this total may be an overestimation of the costs because many insurers may use bulk mailing rates to distribute their [notices] which would reduce their mailing costs," officials say.
Comments on the proposed regulations will be due 60 days after they appear in the Federal Register.
CORRECTION: An earlier version of this article described the agency proposing the HITECH regulations incorrectly. The agency that proposed the regulations is the U.S. Department of Health and Human Services.