A new batch of Obama administration guidance could have a direct effect on any individual insurance clients who send health records to insurers, and on any employer clients with plans that hold sensitive employee health information.
The Office for Civil Rights (OCR), an arm of the U.S. Department of Health and Human Services (HHS), has kicked off what likely will be years of legal disputes by posting a document showing how HHS believes the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to consumers’ requests for medical records.
The guidance will govern any requests for personal health information from “covered entities.” The term “covered entities” includes health care providers and health plans.
But the term could affect agents and brokers who have nothing to do with major medical coverage because, for HIPAA privacy purposes, “health plan” includes almost any plan that covers health-related risk, including issuers of dental insurance, disability insurance, critical illness insurance, Medicare supplement insurance and long-term care insurance.
In the guidance, OCR officials assume consumers will be asking the providers and plans for the information, but the standards still apply if the covered entities have parked the requested information with plan administrators, recordkeeping companies, or your agency and insurance brokerage firm.
OCR officials say consumers should be able to get:
Copies of most personal health information within 60 days.
Most of the records they’re seeking in a convenient electronic format.
Any records health plans are using in claim determination decisions, such as decisions about whether a health plan will cover inpatient care for depression or anorexia, or whether a group disability plan will cover a claim for fibromyalgia.
HHS has been working on implementing the HIPAA privacy regulations since 2001.
For a look at some other provisions in the guidance that appear to be of interest to members of the insurance community, read on.
1. The rules on time limits have some give.
The HIPAA Privacy Rule gives covered entities 30 days to offer individuals access to the records requested.
An entity can get a 30-day extension by informing the requester in writing about the reason for the delay, OCR officials say.
“Only one extension is permitted per access request,” officials say.
2. The record cost and format rules look vague.
Officials say covered entities cannot charge people asking for personal health information for the cost of searching for the information, retrieving it, storing it or maintaining the data systems.