Omnibus Rule in Detail
Note (4/9/14): this page is currently being edited by the staff at EFF. Please check back in a couple weeks for revised text!
HIPAA recently got a long-delayed makeover when the Omnibus Rule, which at 136 three-column microprint pages in the Federal Register is as heavy as it sounds, was finally released. It is still, however, missing a major piece about the obligations covered entities have to account to all of us about their disclosures of protected health information (PHI), which is still under construction.
So, what’s new with HIPAA? A lot and nothing much—at least from a privacy perspective.
Marketing Communications: Probably the biggest change where patients are concerned is that disclosure of PHI for marketing purposes, formerly riddled with tortuous exceptions, now requires your written authorization to use your information for anything other than sending you reminders to refill prescriptions or that you can switch to a generic version (but no messages about switching to another brand-name drug). There’s still a little wiggle room for marketing, but it’s pretty limited. For example, a hospital can’t use PHI to notify patients about the acquisition of a new imaging machine if the manufacturer pays for the communication, but if say, a nonprofit organization or community foundation pays, it’s permissible.
Sale of PHI: The sale or licensing of PHI requires written authorization. PHI is considered sold if the seller (a covered entity, since HIPAA does not apply to any other sellers) receives anything of value in exchange for the data. The exceptions to the authorization requirement for selling PHI are sufficiently convoluted that it’s hard to tell how they might actually work in the real world.
For example, there’s an exception for the sale of PHI for research purposes where the remuneration received represents a “reasonable cost-based fee.” What is a reasonable cost-based fee and who determines what it is? If a drug company offers a hospital $250 each for the records of all its patients with Type 2 diabetes and the hospital, a large urban medical center, has 6000 such patients, would it be unreasonable of the hospital not to accept payment and turn over the records without getting patients’ authorization? There’s also an exception for payments to or by a business associate for doing something with PHI on behalf of a covered entity if the payment is for the business associate’s services. Given the almost total lack of transparency in the variety of services business associates can perform for covered entities it’s impossible to know what they might actually be doing with PHI without your authorization.
Use of PHI for Fundraising: Patients win a little and lose a lot on this regulation. A covered entity can now use more PHI than previously for fundraising. In addition to your, name, address, phone number, insurance status and dates of service, a fundraiser may use information about the department where you were treated (e.g., oncology, gynecology, mammography, etc.), the doctor who treated you and general information about the outcome of treatment. The privacy problem is that fundraising is very often contracted to third parties, which, even if they are regulated by HIPAA as business associates of covered entities, are using PHI in an entirely different setting, one at a considerable professional and ethical remove from that of a medical facility treating patients. So while the Omnibus Rule now requires that your request to opt out of use of your PHI for fundraising be honored (instead of the fundraiser merely trying to honor it), you can only opt out after you receive a solicitation. And you can only be solicited because the fundraiser already has your information.
Data Breach Notification: Changes to breach notification affect how a covered entity decides if it’s obligated to notify individuals in the event of a data breach. Now, rather than assessing the “risk of harm” (financial, reputational, or “other”) caused by a data breach, the standard seems more straightforward and less subjective. A covered entity must determine whether or not the data has been “compromised,” taking these four factors into account:
- the nature and extent of the PHI;
- the unauthorized person who used or received the PHI;
- whether the PHI was actually viewed or acquired;
- the extent to which the risk to the PHI has been mitigated.
There are exceptions for unintentional good-faith access, inadvertent disclosure between people authorized to access the data, and disclosures where it’s reasonable to believe the data could not have been retained. The period for notifying affected individuals of a breach is up to 60 days. Keep in mind that notice comes after the fact of a data breach, when the damage may already have been done to the privacy of your medical information.
Restricting Disclosure of PHI to Health Plans: Previously you could ask a doctor or hospital not to disclose your information to an insurer (or for that matter, another doctor), but there was no requirement to honor your request. Now, if you pay for treatment entirely out-of-pocket, the provider must honor a request not to disclose your information. This may be effective if you see a psychiatrist who practices alone and pay cash for your treatment. But it will not prevent an insurer from knowing your psychiatrist prescribed certain drugs if the insurer pays for them. Also, the rule doesn’t require a doctor or hospital to maintain a separate record for treatments paid for out-of-pocket or otherwise to segregate your PHI, so if the record is in an EHR in a large practice setting, it’s difficult to see how a provider notify others—like accounts payable, for example—that the information is restricted and treatment is not to be billed to an insurer. HHS left that problem up to health care providers.
For more on Omnibus Rule modifications to HIPAA, see Dr. Mark Rothstein’s article, “HIPAA 2.0” and Bloomberg’s Bureau of National Affairs Insights, “HIPAA Omnibus Rule Reshapes Landscape for Health Care Privacy, Security Compliance.”