Under the new rules, physicians may disclose
immunizations to schools required to obtain proof of immunization prior to admitting
the student so long as the physicians have and document the patient or patient’s legal
representative’s “informal agreement” to the disclosure.
The new rules allow physicians to make relevant disclosures to the
deceased’s family and friends under essentially the same circumstances such
disclosures were permitted when the patient was alive; that is, when these individuals
were involved in providing care or payment for care and the physician is unaware of
any expressed preference to the contrary. The new rule also eliminates any HIPAA
protection for PHI 50 years after a patient’s death.
Copies of e-PHI
Physicians will now have only 30 days to respond to a patient’s
written request for his or her PHI with one 30-day extension, regardless of where the
records are kept (eliminating the longer 60-day timeframe for records maintained
offsite). They must provide access to EHR and other electronic records in the
electronic form and format requested by the individual if the records are “readily
reproducible” in that format. Otherwise, they must provide the records in another
mutually agreeable electronic format. Hard copies are permitted only when the
individual rejects all readily reproducible e-formats.
Physicians must also consider transmission security, and may send PHI in
unencrypted emails only if the requesting individual is advised of the risk and still
requests that form of transmission.
Charging for copies of e-PHI or PHI
The new rules modify the costs that may be charged to the individual for copies to include labor costs (potentially to include
skilled technical labor costs for extracting electronic PHI and supply costs if the
patient requests a paper copy, or if electronic, the cost of any portable media (such as
a USB memory stick or a CD)), assuming state law does not set a lower reimbursement
rate. The rules also clarify that physicians may impose a separate charge for creating
an affidavit of completeness.
The new rules permit physicians to combine conditioned and
unconditioned authorizations for research participation, provided individuals can opt
in to the unconditioned research activity. Moreover, these authorizations may
encompass future research.
Notice of Privacy Practices (NPP)
Physicians must amend their NPPs to reflect the changes set forth above, including those
related to breach notification, disclosures to health plans, and marketing and sale of PHI. To
the extent physicians engage in fundraising, they will also have to amend their NPP to inform
patients of their right to opt out of those communications. As the rules presume these are all
material changes, physicians will have to post the revised NPP, and make copies available at
their office, to all new patients and to anyone else on request. Physicians who maintain a
website are cautioned to post the updated NPP on their website as required by the existing
HIPAA Privacy rule. The new rules also eliminate requirements to include information on
communications concerning appointment reminders, treatment alternatives, or health
benefits or services in NPPs, but the rules do not require that that information be removed