Health Information Technology for Economic and Clinical Health (HITECH) Act
HITECH = Cash Pay for Privacy

HITECH requires that any HIPAA covered entity offer cash pricing to patients that want to keep the information private from their "health plan."  This includes Medicare, though the Medicare limiting rates still apply when the patient pays the bill, and the physician is free to offer a rate less than the Medicare amount to any patient.  A detailed explanation is included in the Federal Register from pages 5,623 to 5,634.  Here is another helpful resource from MGMA.

Section 13405(a) of the HITECH Act sets forth certain circumstances in which a covered entity now MUST comply with an individual’s request for restriction of disclosure of his or her protected health information. 
§45 C.F.R 164.522(a)(1).

Specifically, section 13405(a) of the HITECH Act requires that when an individual requests a restriction on disclosure pursuant to § 164.522, the covered entity must agree to the requested restriction unless the disclosure is otherwise required by law, if the request for restriction is on disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full

HMO / Medicaid Implications

If a provider is required by State or other law to submit a claim to a health plan for a covered service provided to the individual, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to an individual’s right to request a restriction to the health plan pursuant to § 154.522(a)(1)(vi)(A) of the Rule. 

HITECH Medicare Implications

With respect to Medicare, it is our understanding that when a physician or supplier furnishes a service that is covered by Medicare, then it is subject to the mandatory claim submission provisions of section 1848(g)(4) of the Social Security Act (the Act), which requires that if a physician or supplier charges or attempts to charge a beneficiary any remuneration for a service that is covered by Medicare, then the physician or supplier must submit a claim to Medicare. However, there is an exception to this rule where a beneficiary (or the beneficiary’s legal representative) refuses, of his/her own free will, to authorize the submission of a bill to Medicare. In such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out of pocket payment for the service from the beneficiary. The limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare. 

Hospitals are allowed to charge cash pay patients less than their Medicare charge master.  This has been the case for some time according to this OIG Bulletin and the concept is also discussed in this Health Lawyers manuscript.  

HITECH Privacy Implementation:

1) Have the patient sign a request that information relative to self-paid services not be disclosed (usually called a Restrictions on Uses and Disclosures Form)
2) Flag this information so that it is not shared with the “health plan” 
3) Inform the patient about the need to make the same request downstream (pharmacies, labs, specialists)

HITECH Privacy Summary

All covered entities MUST have a process  (Refusal must be of patient’s “own free will”)
Medicare  (May accept cash payments, but limiting charges apply)
Medicaid (May or may not provide an exception (ex KY & CO))
HMO laws (state based) (May or may not provide an exception)
Private Insurance Contracts  (Federal law trumps terms of private agreements)