On January 25, 2013, the Department of Health and Human Services (“HHS”) formally published its Omnibus Final Rule (“Final Rule”), which includes modifications to the HIPAA Privacy and Security Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”). Because the Final Rule covers a broad range of topics, we will be issuing a series of articles in our HIPAA Impact Series to provide further analysis on these topics. This article focuses on modifications covered entities are required to make to their notice of privacy practices (“NPP”) for compliance with the Final Rule.
Expansion to the Notice of Privacy Practices
The Privacy Rule sets out requirements for most covered entities to have and distribute an NPP. The NPP describes uses and disclosures of protected health information (“PHI”) covered entities are permitted to make, the covered entity’s legal duties and privacy practices with respect to PHI and an individual’s rights concerning PHI. The Final Rule expands these requirements to include a covered entity’s obligations to provide individuals with notice of (i) the types of uses and disclosures that require individual authorization (a full listing of all situations requiring authorization is not required); (ii) an individual’s right to opt out of fundraising communications; (iii) an individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out-of-pocket in full for a health care item or service; (iv) an individual’s right to notice in the event of a breach of unsecured PHI; and (v) an individual’s rights with respect to use of their genetic information for health plan underwriting purposes.
Required Additional Statements to Notices of Privacy Practices
For compliance with Final Rule NPP modifications, covered entities must ensure their NPPs include language stating, in effect:
- Most uses and disclosures of psychotherapy notes (if recorded by a covered entity) will require the individual’s authorization. There is no requirement, however, to describe how these notes are recorded or stored.
- Most uses and disclosures for marketing purposes, including subsidized treatment communications, will require the individual’s authorization.
- Most disclosures of PHI that constitute the sale of PHI will require the individual’s authorization.
- Other uses and disclosures not described in the NPP will be made only with authorization from the individual.
- The individual may be contacted for fundraising purposes; however, the individual has the right to opt out of such fundraising communications with each solicitation. The specific mechanism of the opt-out does not have to be included in the NPP.
- The individual has the right to request restrictions on PHI disclosures to the individual’s health plan for health services or items paid out-of-pocket in full, and the covered entity must comply with such request (only health care providers are required to include this language in their NPPs).
- The individual will receive notification of any breach of his/her unsecured PHI. The breach notification process does not need to be outlined in detail in the NPP.
Notice of Privacy Practices Distribution Requirements
Changes to NPP requirements under the Final Rule are considered material changes. Covered entities must make their revised NPPs available as follows:
Health Care Providers: On or after September 23, 2013, health care providers must make their revised NPP available upon request, have copies available at the delivery site and post the revised NPP in a clear and prominent location and on their websites, if applicable. Providers may also post a summary of the notice in a prominent location as long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. There is no requirement to print and hand out a revised NPP to all individuals seeking treatment. Consistent with existing rules, providers should retain copies of each version of their NPPs and of any written acknowledgements by individuals of receipt of NPPs.
Group Health Plans: In compliance with GINA, health plans are required to include a statement in their NPPs that they are prohibited from using or disclosing genetic information of an individual for underwriting purposes. The Final Rule included a limited exception to this requirement for certain issuers of long-term care policies. Health plans currently posting their NPPs on their websites must promptly post the material change or revised NPPs on their websites by September 23, 2013 and include their revised notices or information about material changes in their next annual mailings to individuals currently covered by their health plans. Health plans with no customer service websites must provide revised NPPs, or information about material changes and how to obtain a revised NPP, to individuals currently covered by the health plans within 60 days of material revision to the notices. Health plans should provide both paper and web-based notices in a manner accessible to all beneficiaries, including those individuals with disabilities.
Practical Takeaways
In response to the Final Rule, it is recommended that covered entities do the following:
- Review and revise their NPPs and any related policies and procedures to comply with the Final Rule; and
- Identify personnel whose job functions will be affected by the Final Rule, and make certain they are trained to ensure the revised NPP is properly posted, distributed and acknowledged by individuals.
For more information, please contact:
- Charise R. Frazier at 317-338-9236 or cfrazier@wp.hallrender.com;
- Kendra L. Conover at 317-977-1456 or kconover@wp.hallrender.com; or
- Your regular Hall Render attorney.