Health Information Technology for Economic and Clinical Health (HITECH) Act
HITECH = Cash Pay for Privacy

HITECH requires that any HIPAA covered entity offer a cash price to patients desiring to keep their protected health information private from their "health plan."  This election is available to Medicare patients, though the Medicare limiting rates still apply when the patient pays the practice out of pocket in full. The physician is free to offer a rate less than the Medicare amount to any patient including Medicare patients.  A detailed explanation is included in the Federal Register from pages 5,623 to 5,634.  Here is another helpful resource from MGMA.

Section 13405(a) of the HITECH Act sets forth certain circumstances in which a covered entity now MUST comply with an individual’s request for restriction of disclosure of his or her protected health information. See 45 CFR § 164.522(a)(1).

Specifically, section 13405(a) of the HITECH Act requires that when an individual requests a restriction on disclosure pursuant to 45 CFR § 164.522(a)(1)(vi), “A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:
(A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
(B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.”

Thus the covered entity must agree to the requested restriction unless the disclosure is otherwise required by law, if the request for restriction is on disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full. 

HMO / Medicaid Implications

If a provider is required by State or other law to submit a claim to a health plan for a covered service provided to the individual, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to an individual’s right to request a restriction to the health plan pursuant to 45 CFR § 154.522(a)(1)(vi)(A) of the Rule. 

HITECH Medicare Implications

“With respect to Medicare, it is our understanding that when a physician or supplier furnishes a service that is covered by Medicare, then it is subject to the mandatory claim submission provisions of section 1848(g)(4) of the Social Security Act (the Act), which requires that if a physician or supplier charges or attempts to charge a beneficiary any remuneration for a service that is covered by Medicare, then the physician or supplier must submit a claim to Medicare. However, there is an exception to this rule where a beneficiary (or the beneficiary’s legal representative) refuses, of his/her own free will, to authorize the submission of a bill to Medicare. In such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out of pocket payment for the service from the beneficiary. The limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare.”

Hospitals are allowed to charge cash pay patients less than their Medicare charge master.  This has been the case for some time according to this OIG Bulletin and the concept is also discussed in this Health Lawyers manuscript.  

HITECH Privacy Implementation:

1) Have the patient sign a request that information relative to self-paid services not be disclosed (usually called a Restrictions on Uses and Disclosures Form)
2) Flag this information so that it is not shared with the “health plan” 
3) Inform the patient about the need to make the same request downstream (pharmacies, labs, specialists)

HITECH Privacy Summary

All HIPAA “covered entities” MUST have a process and refusal to share PHI must be of patient’s “own free will”
Medicare  (May accept cash payments, but limiting charges apply)
Medicaid (May or may not provide an exception (no exceptions in KY & CO))
HMO laws (state based) (May or may not provide an exception)
Private Insurance Contracts  (Federal law trumps terms of private agreements)

For a detailed academic summary of the information above, please see my discussion here:
Exercising Patient Rights Under the HITECH Act, Eskew P, J Am Phys Surg, 2019;24:50-52.