As of Sept. 23, a new provision of the federal law on patient rights and medical privacy — affectionately known as HIPAA — takes effect, and it’s sure to please the paranoiac in all of us. It allows patients who pay for a treatment out of pocket to limit access to the medical record of it — and that includes barring your health insurer from seeing it, if you choose.
Now, this may not excite you if you don’t expect to need treatment for a sexually transmitted disease any time soon. But some people feel deeply protective of their medical records — and may not have warm and trusting feelings toward their insurers or employers. For an explanation of the new privacy provision, I spoke with Matt Fisher, chair of the Health Law Group at Mirick O’Connell, a law firm with offices in Worcester, Boston and Westborough. Our conversation, lightly edited:
So this new HIPAA rule that takes effect on Sept. 23 basically says that if the patient pays for their care, they can keep it from the knowledge of their health plan?
The patient can request that services or items provided, that they paid for out of pocket in full, that access to that information be restricted to specific individuals or providers. So that means that they can say, ‘Don’t share it with this insurance company,’ which request previously could be ignored by a provider. This change modifies the existing rule that a patient can ask for information to be restricted, but doing so is at the provider’s discretion. It is now not optional with regard to health plans.
So how does this differ from what we already had?
You already had protection from just general disclosure of the information, but there were permitted disclosures that can be made between what are called covered entities: a physician, a hospital or an insurance company. So absent the request that the information not be shared if the services are paid for out of pocket, that information can be shared with insurers without the patient’s authorization, if it’s for payment or health care operations. Those three broad categories allow providers and insurers to interact and each perform their functions. So it makes sense you wouldn’t require authorization for that type of sharing.
But the new provision says that if the patient has paid for it out of pocket, now you can say, ‘Don’t share it with my insurer — they don’t need to know about it because they’re not paying for it.’ Or there could be some other reason you don’t want it shared.
Can you paint a couple of scenarios of how you expect this to be used once people know about it?
One example I’ve heard about a lot is if an individual goes in for a treatment of a sexually transmitted disease — so there might be a feeling of some type of social stigma or some other instance where you might have the feeling of not wanting it shared.
So anything with stigma?
Yes, if you go in for mental health services — although there are going to be more restrictions when you deal with those types of records anyway — but going back to the stigma or fear of someone learning something about an issue you’re seeking help with, you might not want that shared around.
And even though Obamacare prohibits denying insurance for pre-existing conditions, mightn’t it, for example, hurt someone’s chances of getting a job if the employer could see treatment for certain conditions on a health record?
That’s something that might be feared, that if an employer somehow got that information, although unless the employer is self-sponsoring the insurance plan, or they ask to receive your health record and you give them authorization, it would be hard for them to get the information. Though there are a number of jobs out there where you do have to give authorization, or if you’re applying for life insurance, you have to sign a HIPAA authorization to see your medical record.
So this new provision would allow you to actually keep treatment you received off your medical record?
It would be on your record but I visualize it as a line in a medical record: to the left side is information that will be shared with anybody with a valid claim to disclosure, and to the right side is information that can only be shared with XYZ, or this information cannot be shared with XYZ. So it’s still all part of your medical record, but it’s a matter of when and where can that info be shared.
So you could put on the right side of the line that this treatment you received cannot be shared with your insurer or anyone but the actual treating health care team?
Yes, you can restrict it so the insurer can’t see the information, but when you’re filing applications for your insurance you can’t intentionally mislead or you can’t lie about it, because otherwise that opens another door full of issues. If you’re defrauding the insurance company to get the coverage you’re not going to be protected from them being able to rescind the policy at that point.
So how do you expect this to mostly be used?
I could see it being used when a patient needs a special test and worries about potentially adverse insurance consequences, such as increased premiums if a result comes out a certain way. Additionally, someone can always ask that a provider not share certain treatment information with others, such as a family member, but the provider will be able to decide if they will comply with the request in that circumstance. The requirement to comply with a request is limited to insurers.
Some people also just feel very, very private about their medical information, so this offers additional gates to get past to get at it…
Yes, but again, while it sounds very attractive, I don’t think it will come into play very quickly. It goes to the general problem that no one can figure out how much anything costs in health care, so how likely are you to pay for something out of pocket? And why pay for insurance and then pay for care out of pocket?
Any other concerns about this?
One concern is how capable the records are of doing the segregation. On paper, you can imagine creating, say, a red folder that says ‘Do not share this information.’ But with an electronic medical record, how easily can you create that division?
Haven’t people been doing this anyway? Say, going anonymously to a clinic for STD treatment?
If you go to a different provider than your typical primary care provider, there could be some question of whether the record is actually shared, which is a different issue. You also always hear anecdotes from physicians that they’re not always getting the full picture from the patient. So I’m sure it’s been going on to some extent, but maybe this is a way of not trying to find those alternative providers but feeling more comfortable going to your main provider. Though that doesn’t solve the problem of maybe you don’t want to share that information with your main provider. It’s probably always helpful to give your primary care provider the full picture of your health, but I know that’s not always how it goes. I had an extended family member who’d say, ‘Oh, well, my doctor doesn’t need to know that…’
Readers, thoughts? Do you expect to take advantage of this new HIPAA provision?
For the legalistic among us, Matt kindly sent over this relevant chunk of the United States Code of Federal Regulations: