The resources at healthit.gov/meaningfulconsent reflect the regulatory changes of the so-called “omnibus” privacy and security rule released by HHS in January requiring compliance by Sept. 23. The rule largely updates changes to the Health Insurance Portability and Accountability Act of 1996 in the American Recovery and Reinvestment Act of 2009.
The 563-page omnibus rule also provided some updates to privacy rules created under the Genetic Information Nondiscrimination Act of 2008.
The posting includes an eight-page booklet (PDF) that could be used as a template for a provider's own privacy notification. The template reduces many complex privacy rule provisions to plain English, but also gives cursory treatments to several gnarly privacy problems.
The new booklet has sample language that informs patients: “If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say 'yes' unless a law requires us to share that information.”
However, neither the template nor a one-page instruction sheet offers guidance on how a provider might comply with the law if their electronic health-record systems cannot tag data with such a request from patients.
For example, most providers' EHRs cannot affix to an electronic prescription a notice to an outside pharmacist that their patient has asked that information about it be withheld from their insurance carrier.
“We will issue more detailed guidance and a FAQ soon” on that subject, said HHS Office for Civil Rights spokeswoman Rachel Seeger.
Privacy lawyer James Pyles of Powers Pyles Sutter & Verville was unimpressed with the OCR effort. He said it fails to mention up front that patients have a constitutional right of privacy, as referenced specifically in the preamble to the first HHS privacy rule written by the Clinton administration in 2000. It also neglects to specifically mention a right to privacy for all psychotherapy records, a right upheld by a 1996 U.S. Supreme Court ruling, Pyles said.
“It's not a very helpful document,” Pyles said. “It's set up to make the public feel good, that they're somehow protected. But if you look at the part of the document that says these are your rights, there's really not much there. It looked pretty misleading to me.”
OCR is also offering a series of videos, including two on patient privacy rights under HIPAA and a third on an updated right to access an electronic copy of their electronic health records .
Follow Joseph Conn on Twitter: @MHJConn