Providers must consider another challenge the HIPAA omnibus rule poses: If a patient pays in full and requests that the provider not bill his insurance company for the services, the provider has to honor that request.
"Most organizations are going to have to implement process and procedural changes to ensure that the patient's request is honored," McNutt says. "That includes tweaking your billing systems to make sure the patient is flagged in such a manner that all employees know that the patient's insurance should not be billed."
Even more important is to establish a culture of privacy in each organization. "When I've seen security firms come in and do security audits, generally the weaknesses are cultural and social, not so much the technology," says Brian Ahier, health IT evangelist at the 49-bed Mid-Columbia Medical Center and president of Gorge Health Connect, Inc., a health information exchange, both located in The Dalles, Ore., about 85 miles east of Portland.
Ahier notes the coming surge in patient complaints about being denied access to their electronic medical record. "The HIPAA omnibus rule expands that right now into the digital realm," Ahier says. "I'd be willing to bet that the first penalty that gets applied after September is going to be one not for a breach, but from a patient complaining about being denied their PHI. People from advocacy groups have been plastering letters around from the OCR explaining patients' access right, with information on how and where to complain."
Ahier also contends that patients can request their electronic PHI be provided in an unencrypted format, even if they wish it to be emailed to their Yahoo or Gmail account—although sending such a transmission unencrypted is itself a breach of HIPAA.
Despite this possibility, other providers intend either to deny such requests from patients or to have patients sign consent forms acknowledging that they understand the risks of receiving PHI in an unencrypted format.
"It's a substantial contradiction," says Ron Strachan, CIO at Community Health Network in Indianapolis, Ind. "That was an oversight in the rule development, something that's going to have to be corrected. Certainly sending it unencrypted to a public email provider like a Yahoo or a Google is the absolute wrong way to do it."