New HIPAA Rule Affects Providers’ Notice of Privacy Practices

The Health Insurance Portability and Accountability Act (“HIPAA”) requires health care providers to inform patients of the providers’ legal duties and the patients’ rights regarding protected health information (“PHI”). Providers do so in their Notice of Privacy Practices. The recent HIPAA omnibus rule promulgated by the United States Department of Health and Human Services alters and emphasizes obligations related to Notice of Privacy Practices.

The Notice of Privacy Practices that providers have used previously will remain largely unchanged, but certain additional requirements now exist. These requirements include informing patients of certain uses and disclosures of PHI requiring the patient’s authorization (such as selling a patient’s PHI and most uses and disclosures of psychotherapy notes), stating that the provider will notify the patient if PHI is breached, stating that the patient has the right to opt out of fundraising and providing information on how to do so, and stating that the patient has the right to restrict disclosure of PHI to the patient’s insurer if the patient fully pays for treatment out-of-pocket (i.e., without the insurer paying for any of the bill).

The new rule also clarifies that if physicians receive remuneration from a third party (e.g., pharmaceutical reps) that incentivizes the use of the third party’s product (e.g., drugs), the provider needs authorization before disclosing a patient’s PHI to the third party. Any such authorization requires a notice that the provider is receiving payment from the third party for the disclosure. Providers – and particularly physicians – must be aware of these new marketing requirements because payments may be indirect (for example, payment for golf events, hotel stays, and other non-direct monetary payments). Any marketing for which a physician is reimbursed should be closely scrutinized under the new rule, given the potential civil and criminal penalties HIPAA may impose.

The new rule becomes effective September 23, 2013.

Medicare Requires Retention of Physician Orders for Seven Years

Effective October 1, 2012, any physician or other provider who orders or certifies Medicare-covered durable medical equipment, prosthetics, orthotics, and supplies (“DMEPOS”), clinical laboratory services, imaging services, or home health services, and the provider or supplier who actually furnishes such supplies or services, must maintain the ordering documentation for at least seven years from the date of service and provide access to the documentation upon the request of CMS or a Medicare contractor. These obligations arise from 42 C.F.R. 424.516 and CMS Transmittal 431, which provides instructions to Medicare contractors on the enforcement of these requirements.

According to the federal regulations and Transmittal 431, provider orders must include the following:

  1. all written and electronic documents relating to written orders, requests, and certifications for Medicare-covered services and supplies; and
  2. the NPI of the ordering/certifying physician or provider.

Medicare contractors cannot use this new regulation to request order and certification documentation dated before July 6, 2010. We encourage all providers who order or provide Medicare-covered services and supplies to update their document retention policies to comply with this new requirement.