Privacy in Outsourcing of Health Information

Posted October 9, 2009

The general Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires anyone to obtain a patient’s prior consent in order to use “individually identifiable health information” for non-medical purposes, such as employer evaluations.   For medical treatment and payment purposes, however, using or sharing medical information “for incidental use or disclosure” is permitted.   For marketing purposes, a pharmacist may use a patient’s medical information to make recommendations to the patient to switch medications.

The final Privacy Rule, published August 14, 2002, preserves the role of outsourcers of medical information.  Certain prior draft provisions were softened.

Prior Draft Regulations.

Prior draft regulations, issued by the administration of former President Bill Clinton, would have prevented hospitals and clinics from scheduling medical tests or surgery until the patient had read and signed a long, legalistic “privacy notice.”

Impact of Regulations on Outsourcing of Medical Information Processing Services.

The prior draft HIPAA Privacy Rule raised several concerns for those involved in outsourcing of medical information processing services.

Continuation of Outsourcing Services.
The prior draft targeted situations in which covered entities outsource their billing, claims, and reimbursement functions to accounts receivable management companies. These collectors often attempt to recover payments from a patient on behalf of multiple health care providers. Affected covered entities and their services providers were concerned that the Privacy Rule would prevent these collectors, as business associates of multiple providers, from using a patient’s demographic information received from one provider to facilitate collection for another provider’s payment. Under the final HIPAA Privacy Rule, outsourcing such services is permitted.

Continuation of Outsourcing of Records Management and Photocopying.
The prior draft would have had a negative impact on outsourcing of records management and photocopying activities.   It could have effectively eliminated any economic benefits to outsourcing services providers of the cost-based copying fees allowed to be charged to individuals who request a copy of their medical record under the right of access provided by the Privacy Rule. See 45 CFR Section 164.524.  There was a risk of driving the outsourcers out of business.

In acknowledging this, the Department of Health and Human Services made a special clarification to accommodate outsourcing.  Many hospitals and other covered entities currently outsource their records reproduction function for fees that often include administrative costs over and above the costs of copying. In some cases, the fees may be set in accordance with State law. The Privacy Rule, at Sec. 164.524(c)(4), however, permits only reasonable, cost-based copying fees to be charged to individuals seeking to obtain a copy of their medical record under their right of access.   In response to comments that persons seeking copies of all or part of the medical record, such as payers, attorneys, or entities that have the individual’s authorization, would try to claim the limited copying fees provided in Sec. 164.524(c)(4), the final Privacy Rule makes clear that the fee structure in Sec. 164.524(c)(4) applies only to individuals exercising their right of access.

However, the Department of Health and Human Services acknowledged that even this accommodation could put a strain on covered medical-related entities, and that the regulation forced subsidized access to medical records by the individual patients.   HHS argued:

To the extent hospitals and other entities outsource this function because it is less expensive than doing it themselves, the fee limitation for individuals seeking access under [45 CFR] Sec. 164.524 will affect only a portion of this business; and, in these cases, hospitals should still find it economical to outsource these activities, even if they can only pass on a portion of the costs to the individual.

While perhaps onerous on covered entities, the rule does allow outsourcers and their customers to recover more than their costs on non-patients in order to subsidize patients’ access to medical records.

Outsourcing Continues to Require Contracts.
The Department of Health and Human Services final Privacy Rule requires that any relationship between a “covered entity” and a “business associate” (also known as an outsourcer or services provider) must be established and managed by contract.  Some service providers tried, unsuccessfully, to be authorized to “self-certify” their compliance, or have a neutral certification authority.  “With respect to certification by a third party, it is unclear whether such a process would allow for any meaningful enforcement (such as termination of a contract) for the actions of a business associate,” the HHS concluded.

Minimum Standards, not Exclusive Standards.

The final Privacy Rule does not supersede any more stringent privacy protections of any state laws. The “best practices” approach, therefore, may be to obtain the patient’s consent for certain uses of the medical information, particularly for patients who are likely to change residences from one state to another where the new state of residence has stricter provisions.

Outsourcing Contract Terms.

The final Privacy Rule adopted in August 2002 sets forth specific requirements for contracts between “covered entities” and “business associates” (outsourcers).   For the minimum terms of such a contract, our subscribers can view the terms at hipaa privacy data use contract terms

Definitions.
Key definitions under the final Privacy Rule can be reviewed at hipaa_privacy_definitions