It takes 255 pages, half a ream of paper, to lay out the new federal regulations concerning privacy of patient medical information and the reasons for them. Things like this continue to make me be thankful that I do not work in such a highly regulated profession. Attorneys understand, as physicians and health providers do, that client and patient information should be protected and released only with the consent of the individual. The difference for attorneys is that it does not take hundreds of pages to say that.
Any significant federal regulations are required to have detailed analyses of their cost implications, so as part of the rationale for these regulations, the government analyzed the postage costs of sending millions of notices about these new rules and breaches of them. That analysis, however, was based on postage rates that were in effect for only nine days before the increase in late January. Doesn't the government know about postage increases?
On a more serious note, the new regulations, scheduled to go into effect this fall, contain a number of provisions that are important not only to health care providers and health plans but also to their "business associates." Those are entities that have access to protected health information by contract with a health care provider or health plan, because they need it to perform some legitimate business function for the provider or plan. Under the regulations, the entity which originally had the information is responsible for any violations of the privacy rules by its business associates and must give appropriate notices about those violations.
The explanatory information about the new rule points out some potential issues that might not have immediately occurred to those involved in handling protected health information. One issue is that most modern fax machines and photocopiers store digital copies of the documents sent from or printed on them. When one of those machines is sold, traded in or otherwise disposed of, its digital memory must be scrubbed of protected health information. This might well escape the attention of a business associate, since it is not necessarily involved full time in the health care industry.
Another issue that remains to be sorted out in New York is access to protected health care information of decedents. The regulations state the obvious-that an executor may obtain such information-but they go on to say that family members involved in the patient's care may do so too. The New York Public Health Law has a statute permitting disclosure of medical records to a family member who would be the distributee of a decedent, who would have an interest in the estate by intestacy if the decedent had no will, so long as no executor or other personal representative of the estate has been appointed by the Surrogate's Court. The state law does not require the family member to have been involved in the patient's care, so the more restrictive federal rule should apply.
Another potentially difficult issue to deal with is provisions in the regulations allowing individuals to restrict access to their records to only certain recipients. This will be an administrative nightmare for handling the records of the handful of individuals who will invoke this right.
The regulations also implement restrictions on the use of genetic information based on legislation spearheaded by Rep. Louise Slaughter of Rochester. The regulators caved in to pressure from the insurance industry and exempted long-term care insurers from using genetic information in their underwriting decisions. The industry argued that without such information it could not as readily assess who might need long-term care services in the future. The cynic in me says that the public should be thankful this exemption was granted, because it will assist the long-term care insurance industry to continue on its death spiral of underwriting so tightly that no one will qualify and the long-term care insurance market will collapse as a result.
While large health care entities will no doubt figure out the intricacies of these regulations, smaller health care entities and business associates that may have little or no significant business with the health care industry could be subject to some unpleasant surprises if there is a breach of protected health information by them.
Rene Reixach is an attorney with Woods Oviatt Gilman LLP, where he concentrates his practice on health law. He formerly was executive director of the Finger Lakes Health Systems Agency.3/15/13 (c) 2013 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or email firstname.lastname@example.org.