This is the third in a series of articles regarding the HIPAA Omnibus Final Rule recently released by HHS.
On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Final Rule modifies and expands the statements that covered entities must include in the Notice of Privacy Practices, the HIPAA-mandated notice that apprises patients of their rights with regard to protected health information (PHI) and the limits imposed upon a covered entity’s uses and disclosures of PHI.
Notice of Privacy Practices
The Privacy Rule requires covered entities to maintain and distribute a notice of privacy practices (NPP), which must state that any uses or disclosures other than those expressly permitted by the Privacy Rule will be made only with the written authorization of the individual (45 C.F.R. § 164.520). The Final Rule expands the required content of the NPP so that individuals have a better understanding of (i) a patient’s right to restrict disclosures; (ii) the types of uses and disclosures that require individual authorization; (iii) a patient’s right to opt out of certain disclosures (45 C.F.R. § 164.520(b)(1)); (iv) the right to notice in the event of a breach; and (v) rights with respect to the use of their genetic information for health plan underwriting purposes.
The Final Rule modifies § 164.520(b)(1)(ii)(E) to expand the statements in the NPP regarding uses and disclosures that require authorization. Although the Final Rule does not require the NPP to list every situation requiring authorization, the NPP must contain a statement indicating that the following uses and disclosures will be made only with authorization from the individual: (i) most uses and disclosures of psychotherapy notes (if the covered entity records or maintains psychotherapy notes); (ii) uses and disclosures of PHI for marketing purposes, including subsidized treatment communications; (iii) disclosures that constitute a sale of PHI; and (iv) other uses and disclosures not described in the NPP. The Final Rule adopts, as proposed, the requirement that if a covered entity intends to send fundraising communications to an individual, the NPP must also inform the individual of this intent and of the individual’s right to opt out of such fundraising communications with each solicitation (45 C.F.R. § 164.520(b)(1)(iii)(B)). Finally, the Final Rule requires that the NPP contain a simple statement indicating that the covered entity is required to notify the patient of any breach of his or her unsecured PHI.
Healthcare providers must state in the NPP that if an individual has paid for services out-of-pocket, in full, and requests that the healthcare provider not disclose PHI relating solely to those services to a health plan, the healthcare provider must accommodate the request, except where the healthcare provider is required by law to make the disclosure (45 C.F.R. § 164.520(b)(1)(iv)(A)). The Final Rule does not require covered entities to inform other downstream covered entities of an individual’s request not to disclose PHI to a health plan; however, the commentary to the Final Rule does suggest that covered entities consider providing such notification where feasible.
Additionally, consistent with GINA, health plans are required to include a statement in their NPPs that they are prohibited from using or disclosing an individual’s genetic information for underwriting purposes (45 C.F.R. § 164.520(b)(1)(iii)(C)). The Final Rule includes a limited exception to this requirement for certain issuers of long-term care policies.
The Final Rule requires a health plan that currently posts its NPP on its website in accordance with § 164.520(c)(3)(i) to: (i) prominently post the material change, or its revised notice, on its website by the effective date of the material change to the notice (i.e., the compliance date); and (ii) provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan, such as at the beginning of the plan year or during open enrollment. If a health plan does not have a customer service website, the health plan must instead provide the revised NPP, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of the material revision to the notice.
The Final Rule does not modify the existing requirement, applicable to all covered entities, to distribute revisions to the NPP (45 C.F.R. § 164.520(c)(2)(iv)). Therefore, when a healthcare provider revises an NPP, the healthcare provider must make the revised NPP available on request at the delivery site, on or after the effective date of the revisions, to existing patients who ask for a copy; must post the revised notice on its website, if it has one; and must post the notice in a clear and prominent location on its premises. Providers may post a summary of the notice in that location, provided that the full notice is immediately available. New patients who first receive services after the NPP has been modified should be given a copy of the revised NPP. Consistent with the existing rules, providers should retain copies of previous versions of their NPPs and of any written acknowledgements by patients of receipt of the NPP.