The new HIPAA rule on restricted disclosures to health plans in the context of a provider agreement
"Please don’t submit a claim for today’s appointment to my dental plan. I’ll pay today’s bill myself.”
A HIPAA covered dental practice must agree if a patient asks the dental practice not to give information to the patient’s dental plan or medical plan, as long as the information:
- Is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and
- Pertains solely to a health care item or service for which the patient or someone else (including a different plan) has paid the dental practice in full.
Covered dentists were required to be in compliance with this requirement as of September 23, 2013.
If a covered dentist participates in a dental plan, the dentist may need to determine how to comply with this HIPAA requirement in the context of the plan’s provider contract.
Disclosing such restricted information to a plan risks violating HIPAA. The Office for Civil Rights (“OCR”) has stated, “A provider who discloses restricted protected health information to the health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act, which, as with other impermissible disclosures is subject to the imposition of possible criminal penalties, civil money penalties, or corrective action.” Such a disclosure may also be a breach of unsecured protected health information requiring notification under the HIPAA Breach Notification Rule.
Examples of contractual provisions that may appear to conflict with this HIPAA requirement include provisions that:
- Require the dentist to submit claims to the plan when the dentist provides covered items or services to plan members
- Restrict the dentist’s right to bill the patient directly
- Require the dentist to provide the plan with access to patient records
However, a covered dental practice is required to comply with the HIPAA Privacy, Security and Breach Notification Rules. Indeed, many provider contracts also specifically require the dentist to comply with all applicable laws as a contractual requirement, and many also specifically require HIPAA compliance.
OCR has indicated that a covered provider may not rely on an obligation in the plan contract as a ground for denying patients their right under HIPAA to pay in full and restrict disclosure to the plan. However, contractual provisions that do not conflict with this HIPAA requirement may continue in effect with respect to an item or service even though the patient has restricted disclosure to the plan; for example, restricted disclosure would not appear to conflict with a contract provision requiring the dentist to accept no more that the contracted fee when the dentist provides a covered item or service to a patient covered by the plan.
OCR has indicated that covered dental practices must have procedures in place to prevent the dental practice from making a disclosure to a plan in violation of the restriction. In the preamble to the Omnibus Final Rule, OCR stated:
Covered health care providers will need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.
Covered dental practices must revise their HIPAA policies and procedures to comply with the new rule on restricted disclosures (as well as other applicable changes in the Omnibus Final Rule), and train staff to comply with the revised policies and procedures.
Covered dental practices must use HIPAA-compliant procedures to prevent disclosure to a plan in violation of a restriction requested by the patient. When disclosing patient information to a health plan, covered dental practices are already required to disclose the “minimum necessary” amount of information for the purpose of the disclosure.
Dentists may need to consult a qualified attorney for legal advice on reconciling HIPAA compliance with any potential conflict in a provider contract when a patient has requested restricted disclosure to a health plan. Suppose a plan asks for access to certain patient/beneficiary records (as permitted by the contract), but one of the requested patient records includes a restricted disclosure. If a dental practice may, in compliance with HIPAA, disclose the fact that a restriction is in place for that patient record, then it may be appropriate for the dental practice to work out a response that satisfies both the patient’s restricted disclosure request and the plan’s access request (to non-restricted PHI).
Keep in mind that HIPAA requires a covered dental practice to document all such required restrictions on disclosure of PHI, as well as any other kinds of restrictions that the dental practice agrees to, and retain the documentation for at least six years from the date the documentation was created, or from the date when the documentation was last in effect, whichever is later.
The Omnibus Final Rule provision granting patients the right to restrict disclosure to a health plan is found in Sec. 164.522 of the Privacy Rule, which is entitled “Rights to request privacy protection for protected health information.” Sec. 164.522 can be found on pages 104-105 of the unofficial Combined Regulation Text of the HIPAA Administrative Simplification Regulations, available on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html.
More information about the Omnibus Final Rule is available in the revised ADA Practical Guide to HIPAA Compliance, available in the ADA catalog at http://catalog.ada.org, and on the OCR website at http://www.hhs.gov/ocr/privacy.