Full Text

Safeguarding patients' personal health information has become a more complicated job--and potentially more punitive--thanks to a raft of new federal rules going into effect this week for healthcare companies and an untold number of their subcontractors.

Healthcare providers say most of the provisions governing data privacy and security in the 563-page Omnibus HIPAA Final Rule are workable, commendable even. But a few areas will create headaches for years to come, including bigger penalties, a strong push for systemwide data encryption, and drafting contracts assigning new liabilities to hospitals' "business associates," which now include contractors and subcontractors.

One particularly vexing provision requires providers to honor requests from patients to withhold sensitive records from insurance companies if the bills are paid out of pocket. Experts in the industry say modern electronic health-record systems make such data-segregation all but impossible, raising the possibility of mass noncompliance among thousands of hospitals and doctors offices when the rules go live Sept. 23.

"You may be able to stop a bill from going to a particular payer, but all the other pieces that we have put in place are so tightly wound together," says Pamela McNutt, senior vice president and chief information officer for seven-hospital Methodist Health System, based in Dallas. "How are you going to stop an insurance company that wants to do a chart audit from seeing one visit that the patient wanted to mask?"

HHS' Office for Civil Rights, which enforces healthcare data-privacy rules, continues to say the out-of-pocket opt-out rule will be enforced along with the rest of the new privacy and data-security regulations that were included in the HITECH provisions of the American Recovery and Reinvestment Act of 2009 and published in final regulation form last January.

"Overall, compliance is an ongoing effort and it is something that entities should be thinking about every day," says Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights. "It needs to be on everyone's mind, and not something that they will think about once a year."

Secret services

Federal health information privacy law has long given patients the right to request that information not be shared with other entities, whether...