Under the HIPAA Final Rule, patients are given increased rights regarding restriction requests. One provision details that should an individual pay out of pocket for a service in full, the patient has a right to restrict disclosures regarding those dates of service to a health planif the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law. This includes health information requests for insurance carrier audits.
The portion in italic above is just another example of how legislation language and real-life application are sometimes disconnected.
If the disclosure is for the purpose of carrying out payment, there would be no need for the health plan to receive any health information for that date of service because a claim would not exist if the individual paid out of pocket for the service in full. Therefore, it seems redundant for that wording to even exist in the HIPAA Final Rule under this section.
There have been additional concerns regarding the potential for insurance fraud under this provision. The HIPAA Final Rule does clarify that this rule does not apply to Medicare or Medicaid patients who are ineligible to pay out of pocket for services under certain state or other laws that prevent providers from billing and receiving cash payment from an individual for covered services over and above any permissible cost sharing amounts. State or other laws include Medicare conditions of participation with respect to health care providers participating in the program, and statues and regulations that require the production of information if payment is sought under a government program providing public benefits. When providers are required to submit a claim to the health plan under these circumstances, the disclosure is required by law and revokes the individuals right to request a restriction to the health plan.
Like most legislation, a loophole exists that allows for an exception if a beneficiary refuses, of his/her own free will, to authorize the submission of a claim to Medicare. In such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out of pocket payment for the service from the beneficiary. We must note that this is only detailed in the Medicare Benefit Policy Manual, not for Medicaid or any other federally funded program.
It is the industry recommended best practice for Covered Entities to have a method for notating records that correspond to services paid out of pocket by the individual. It is not required, or suggested, for Covered Entities to create additional sections in the medical chart for restricted information under this provision. It is important to have procedures and protocol in place for effective communication across all HIM staff and billing staff regarding these types of restriction requests.
Another example of a potential problem that may come as a result of this restriction request provision is the event of dual authorizations where one restricts the dates of service and the other states any and all records. The recommendation is to process each request on a case-by-case basis and honor each individual authorization because the HIPAA Final Rule does specify that it is the responsibility of the individual, not the Covered Entity, to notify the provider of the health plan restriction request. Silver lining: at least that burden is not on the provider.