Do You Need to Revise Your Notice of Privacy Practices?
On Thursday, January 17, 2013, the Department of Health and Human Services (HHS) released its Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, making significant modifications to the Act’s Privacy, Security, Enforcement, and Breach Notification Rules. Troutman Sanders has analyzed these changes and is providing a series of summaries to help our clients understand how these changes will affect them and what they need to do to comply. This is our second e-alert in the series, which will address issues related to Notices of Privacy Practices (NPPs). For other e-alerts published by Troutman Sanders on the HIPAA Omnibus Rule, visit our webpage.
Covered entities should review their Notice of Privacy Practices (NPP) since the HIPAA Omnibus Rule makes material changes to the Privacy Rule’s NPP requirements. HHS incorporated new requirements stemming from the Health Information Technology for Economic and Clinical Health (HITECH) Act, modified proposed requirements, and removed an existing requirement.
Specifically, covered entities must now include a number of new statements in their NPPs.
- The NPP must include a statement that uses and disclosures of any protected health information (PHI) for marketing purposes and disclosures that constitute the sale of PHI require an authorization. HIPAA regulations continue to require a statement that any other uses and disclosures not specified in the NPP require an authorization.
- If the covered entity maintains “psychotherapy notes,” the NPP must include a statement that the psychotherapy notes will only be used and disclosed with the individual’s authorization.
- If the covered entity contacts individuals for fundraising, the NPP must already state this as a separate use and disclosure. Under the HIPAA Omnibus Rule, the covered entity must also include a statement in its NPP that the individual has the right to opt out of receiving these fundraising communications.
- The HITECH Act gave individuals the right to have their provider restrict certain protected health information from disclosure to health plans where the individual pays out of pocket, in full, for the care and requests such a restriction. The HIPAA Omnibus Rule requires that a statement about this right be incorporated into a health care provider’s NPP.
- The HIPAA Omnibus Rule makes several important changes to the breach notification rules, which we will address in a future e-alert. Among the changes is a new requirement that a covered entity’s NPP include a general statement that an individual has a right to receive notifications whenever a breach of his or her unsecured PHI occurs.
- Consistent with the Genetic Information Nondiscrimination Act (GINA), health plans must include a statement in their NPP that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.
In addition to adding the new NPP requirements described above, the HIPAA Omnibus Rule removes a current requirement. Currently, an NPP must include a statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or services that may be of interest. After March 26, 2013, this statement will no longer be required to be included in an NPP. Although the statement is no longer required, covered entities may continue to include such a statement in their NPP if they so wish.
Covered entities must make sure that their NPPs comply with these new requirements by September 23, 2013. To do this, covered entities should evaluate their NPPs to determine whether any changes are needed in response to these new rules. Some covered entities that revised their NPPs following the passage of the HITECH Act may find that they do not need to make any additional changes to comply with the requirements of the HIPAA Omnibus Rule. Even if you are one of the covered entities that recently updated your NPP, you should still review it to determine whether further revisions are necessary.
All revisions to a covered entity’s NPP must be published in accordance with HIPAA. For health care providers, this means providing the revised NPP upon request and having the NPP clearly posted on site.
For health plans, the existing process of publishing material revisions to an NPP was a bit more onerous, so HHS revised this process in the HIPAA Omnibus Rule. Health plans that already post their NPP online must (1) post the changes or revised notice on their website as of the effective date of the changes; and (2) send the revised NPP or information about the material changes in their next annual mailing to covered individuals. Those health plans that do not post their NPP online must continue to comply with the existing rule that requires them to provide notice of the material change to all covered individuals within 60 days of the effective date of the change.
If you have any questions about the impact of the HIPAA Omnibus Rule on your Notice of Privacy Practices, please do not hesitate to contact any member of our Health Care Practice Group.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.