February 25, 2013
Does the Omnibus HIPAA Rule Endanger "Free" EHR Business Models?
Many commentators have worried that medical privacy laws aren't keeping up with new devices and business practices. It appears that the Omnibus HIPAA rule released last month may put some concerns to rest. For example, Marla Durben Hirsch argues that EMRs based on certain types of information exchange and use may prove to be impractical or unworkable under the rule:
The HIPAA updates impose new limitations on marketing. For the first time, it requires providers to obtain patient authorizations "for all treatment and healthcare operations communications where the covered entity receives financial remuneration for making the communications for a third party whose product or service is being marketed." The authorization can't be buried in the provider's notice of privacy practices. . . .
So if a physician is reviewing the chart after hours and a pop up ad recommends some new drug, and he or she doesn't have an authorization from the patient, does he or she have to wait until the next face-to-face visit before suggesting it to the patient? Does she ask the patient to come in before her next visit?
As Durben Hirsch suggests, these are tough questions, and guidance is necessary. It would be very disruptive for a physician to learn an EHR system, only to find that the funding model behind it was rendered obsolete by privacy regs.