New Requirements for HIPAA Notices of Privacy Practices

Michael A. Dowell
Hinshaw & Culbertson LLP - Los Angeles Office

February 18, 2013

Previously published on February 11, 2013

The U.S. Department of Health and Human Services Office of Civil Rights recently released the Omnibus Final Rule (Final Rule), which implements changes to HIPAA. Under the current HIPAA regulations, covered entities must provide a “notice of privacy practices” (NPP) that describes permissible uses and disclosures of individuals’ “protected health information” (PHI) by covered entities, covered entities’ legal duties regarding PHI, and individuals’ rights concerning their PHI. The Final Rule requires the NPP to incorporate the changes made to the Privacy Rule and those made by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Notice of Privacy Practices: New Content Requirements

The Privacy Rule identifies certain information that must be included in a covered entity’s NPP, including a statement advising individuals that any use or disclosure of PHI other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and that the individual has the right to revoke an authorization. The Final Rule mandates significant changes to covered entities’ NPP regarding uses and disclosures that require authorization, and other provisions required to implement the HITECH Act changes. Covered entities will need to make changes to their NPPs to accommodate the following new rules:

  • Fundraising. If the covered entity uses PHI for fundraising, its NPP must inform individuals that they have the right to opt out of fundraising solicitations and explain the process for the opt-out right.

  • Marketing. Covered entities’ NPP now must contain a statement indicating that uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI, require an individual’s written authorization.

  • Use or Disclosure of Psychotherapy Notes. The NPP must inform the individual that an authorization is required if the covered entity intends to use or disclose psychotherapy notes.

  • Breach Notice. The NPP must inform individuals of the covered entity’s obligation to notify them following a breach of their unsecured protected health information.

  • Right to Request Restrictions for Disclosures Related to Self-Payment. The NPP must include a statement that the covered entity is required to comply with a request not to disclose health information to a health plan for treatment where the individual has paid in full out-of-pocket for a health care item or service.

  • Use or Disclosure of PHI for Underwriting. If the covered entity is a health plan that intends to use or disclose PHI for underwriting purposes, its NPP must include a statement that it is prohibited from using or disclosing genetic information for such purposes.

The NPP should also include statements addressing changes to HIPAA individual rights made in the Final Rule, such as the right to receive electronic copies of health information, decedent protections and disclosures about decedents to those involved in care, school immunizations, research, or any changes made to how the covered entity uses or discloses an individual’s PHI.

The NPP no longer has to inform patients that the covered entity may contact them to provide appointment reminders or information about treatment alternatives or health-related benefits or services.

Notice of Privacy Practices: Distribution Requirements

The requirements for distributing updated NPPs have been modified for health plans but not health care providers.

Health plans may include their revised NPP in their next annual mailing as long as they prominently post the revised NPP on their web sites by the effective date of the material change to the NPP. Health plans that do not have customer service web sites are required to provide the revised NPP, or information about the material change and how to obtain the revised NPP, to individuals covered by the plan within 60 days of the material revision to the NPP.

Health care providers must simply provide the revised notice to all new patients and to anyone else on request, and post it in a clear and prominent location at the delivery site if the full NPP is immediately available to patients and there is no additional burden for patients to acquire the full NPP.

Compliance Deadline

HHS concluded that these changes represented a “material change,” thus requiring covered entities to promptly revise and distribute their NPP. Ordinarily, health plans must provide a revised NPP to individuals within 60 days of a material revision, but in an effort to increase flexibility, HHS suspended this requirement for health plans that post their NPP on their website. Now, these health plans may post the change or their revised NPP on their website by the effective date of the material change (September 23, 2013) and provide the revised NPP, or information about the material change and how to obtain the revised NPP, in their next annual mailing to individuals then covered by the plan.

The requirements for health care providers regarding distribution of a revised NPP remain the same: they must provide their revised NPP after the compliance date of a material change (September 23, 2013).

How We Can Help

Covered entities should review and revise their NPPs to ensure that they accurately describe their privacy practices in light of the new requirements in the Final Rule.


The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
