Category Archives: HIPAA News

New HIPAA rule gives patient the right to “refuse” to use insurance, receive PHI electronically

The HIPAA Omnibus Final Rule, known in the industry as the HIPAA mega rule, affords patients two key rights that your practice needs to be prepared to implement. Patients now have the right to request and receive their own protected health information (PHI) from your practice electronically and they also have the right to decline to use available health insurance and opt to pay out of pocket instead.
The mega rule was finalized in January, but key provisions took effect on Sept. 23, 2013.
As you know, patients have long had the right to have access to a copy of their own medical records. Now, patients have the right to request and receive this information electronically. The only exception your practice has for not providing PHI electronically is if it is unable to do so because the records are not available electronically.
When this is the case, your practice is still obligated to furnish records in a mutually agreed upon format, including paper or an alternative online format, such as a Microsoft Word document or a PDF file with the information. As was the case before, you are permitted to charge a fee for furnishing the information. Make sure to check with applicable state or local laws on these charges.
Patients now clearly have the right under HIPAA to request that your practice not file a claim with any insurance available to the patient for services rendered. Patients may have a variety of reasons for not wanting an insurance claim to be filed – the patient is under no obligation to specify a reason, but you are obligated to comply with the request.
When a patient opts to not use insurance coverage for a service, the terms of the insurance contract will not apply to the service. As a result, you are allowed to charge the patient your usual charge for the service – you’re not obligated to charge the allowed charge set by the patient’s insurance.
If the patient requests that a claim not be filed with insurance, but then fails to pay the bill for the services rendered, your practice is permitted to disregard the patient’s request and file a claim with the insurance company for payment after a reasonable amount of time and failed efforts to collect.
As with many regulations, CMS is not specific in the HIPAA mega rule on what constitutes a reasonable amount of time before a claim is filed. Your practice’s best bet is to institute an upfront policy in these situations. When a patient requests no insurance claim be filed, inform the patient upfront that the patient has a specified amount of time to pay for the services before a claim is filed and that you will send a specified number of requests for payment during that time.
Have the patient sign an agreement signifying that he or she understands the terms.

Author: Scott Kraft

– Source: http://codapedia.com/article_643_New-HIPAA-rule-gives-patient-the-right-to-%E2%80%9Crefuse%E2%80%9D-to-use-insurance-receive-PHI-electronically.cfm

HIPAA: Breaches much more likely to require disclosure under Mega Rule

One of the biggest changes under the HIPAA Omnibus Final Rule – known as the HIPAA Mega Rule – that was finalized earlier this year and took effect last month is a significant change to how you are required to handle breaches of patient protected health information (PHI). The change makes it far more likely your organization will need to report disclosures of PHI.

The final rule essentially forces you to assume that any breach of PHI needs to be disclosed unless you can establish that there is a “low probability” of patient harm from the disclosure. Previously, HIPAA used a “harm threshold” which meant you did not have to disclose a breach unless the breach carried a significant risk of financial, reputational or other harm to the affected party.

You’re now required to do an objective analysis to determine the low probability of harm, considering at a minimum the nature and extent of the disclosed information, the person to whom it was disclosed, whether the information was actually viewed or acquired and to what extent the disclosure was controlled or mitigated, according to analysis published by the law firm Quarles & Brady LLP.

Consider, for example, if a disclosure was inadvertently faxed to the wrong physician, who then immediately destroyed the information. Such a breach would likely not have to be disclosed under the low probability standard. However, any breach for which you did not know the possible extent of the breach would have to be disclosed.

If you lost and then recovered a laptop, for example, you likely would not have visibility into, or confidence about, the extent of the breach of PHI and would have to disclose the breach. The same could apply for lost paper records. When data is encrypted, however, you would likely not have to disclose the loss of the data, such as in the case of a lost or stolen laptop.

As a practical matter, the change makes it critical you and your practice safeguard patient data even more closely because it’s highly likely that any loss or breach of PHI would have to be disclosed, including costly efforts to ensure the patient is not adversely affected as a result.

Author: Scott Kraft

– Source: http://codapedia.com/article_647_HIPAA-Breaches-much-more-likely-to-require-disclosure-under-Mega-Rule.cfm

HIPAA and Mental Health: Answers to Top Doc Questions

Handling young patients who display mental health issues is a challenge for all providers.  While looking out for the patient is always the priority, providers often become confused about the rights and obligations that apply to handling a mental health crisis while complying with HIPAA’s privacy rule.

A good example of this dilemma is a call I received from an internal medicine physician treating a patient who was 18 years of age.  The patient had signed an authorization allowing her parents to be informed of her care.  The patient subsequently displayed disturbing mental health behavior which concerned the provider and family.  The parents wanted to alert the patient’s new out-of-state school and contacted a physician near the school to take over care of the patient.

The parents and treating physician believed they had reason to fear for the safety of the patient and others in her presence.

They asked me how they could share this information with the new physician and school since the patient refused to sign an authorization.  They also asked how they should respond to the patient stating she regretted her original authorization.

Dealing with young adults is a challenge for families and providers, as this is the age when mental health conditions often manifest. Providers must be aware of HIPAA requirements if they confront a similar scenario to the one described above:

1. Did the patient withdraw the authorization verbally by her statement? Once a patient provides an authorization, HIPAA gives individuals the right to revoke it at any time. The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid authorization.

2. Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else?  In addition to family, the HIPAA privacy rule permits a healthcare provider to disclose necessary information to law enforcement or other persons, when the provider believes the patient presents a serious and imminent threat to self or others.  The scope of this permission is described in a letter to the nation’s healthcare providers issued on January 15, 2013. When a healthcare provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the privacy rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the privacy rule at 45 CFR § 164.512(j).

Under HIPAA provisions, a healthcare provider may disclose patient information to any persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators, or campus police, and others who may be able to intervene to avert harm from the threat.  In addition to professional ethical standards, most states have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm.

It’s not entirely clear whether these exceptions allow the new physician to receive information.  From my perspective, the parents should speak with the school to formulate an approach.  The institution likely has a medical clinic/provider that will treat the patient as a condition of remaining at the school.  Medical records could easily be transferred at that time and the current and new provider could also then freely speak.

There are not always clear answers under HIPAA, particularly when it comes to mental health issues.  However, all providers should be familiar with the law so as to protect the patient and those around him, as well as to protect their own practice from an unintended violation of HIPAA.

By: Ericka L. Adler

– Source: http://www.physicianspractice.com/law-malpractice/hipaa-and-mental-health-answers-top-doc-questions