Use of 'free' EHRs may violate new HIPAA rule

Tools

I don't like being interrupted by pop up ads when I'm on the internet. And I imagine providers who receive pop up and other types of ads from pharmaceutical and medical device manufacturers while they're using free EHRs also aren't overly fond of the interruptions.

But now those pop up ads may be more than an annoyance. They could get those physicians into legal trouble, thanks to the new HIPAA mega rule, which the U.S. Department of Health & Human services released earlier this month.

I'm not kidding. The HIPAA updates impose new limitations on marketing. For the first time, it requires providers to obtain patient authorizations "for all treatment and healthcare operations communications where the covered entity receives financial remuneration for making the communications for a third party whose product or service is being marketed."  The authorization can't be buried in the provider's notice of privacy practices, and it must inform the patient that the physician is receiving a financial benefit for sharing the third party's information with the patient.

This is one of the biggest and most surprising changes in the privacy rules. It mirrors the "sunshine" provision in the Affordable Care Act, various state laws, and medical staff bylaws in many hospitals that require transparency when physicians are receiving financial benefits from these manufacturers.

The megarule doesn't specifically address pop up ads in EHRs. But the purpose of the ads is to market their products to physicians with the hope that they will prescribe, promote or sell them to patients. That sounds just like the marketing that the megarule is addressing. If the physician then "communicates" the product or service in the ad without having patient authorization to do so, the physician is in violation of HIPAA.

This provision is also confusing. For instance, it can be argued that the physicians aren't receiving "financial remuneration" when they receive the pop-up ad, so that marketing the product or service in the ad doesn't require authorization. But the financial benefit can be direct or indirect, according to the megarule. So if the pop up ads are enabling the physicians' to use EHRs for free, that's a financial benefit.

A big one.

And now to really split hairs, the megarule allows an exception for face-to-face communication to an individual--for exmple, to offer an alternative medication to a patient. No authorization required there. But a physician would need an authorization to suggest the new medication in an email or by phone. OCR was very specific about that. 

So if a physician is reviewing the chart after hours and a pop up ad recommends some new drug, and he or she doesn't have an authorization from the patient, does he or she have to wait until the next face-to-face visit before suggesting it to the patient? Does she ask the patient to come in before her next visit?

So what's a physician to do? If you're using a so-called free EHR system, do you procure authorizations from all of your patients, just in case you want to share the information in one of these pop up ads? Or do you resolve to totally ignore the ads and not share any of their information with patients, even if it's good information? 

Or should the physician bite the bullet and forego the free EHR with its now problematic pop up ads and go buy an EHR system?

OCR says in the megarule that it "intends to provide future guidance" to address unanswered questions about marketing. I hope the guidance on this one comes quickly. - Marla (@FierceHealthIT)