HITECH Update #8: New Requirements for HIPAA Notices of Privacy Practices
This post is part of our series on key aspects of the published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.
The final HITECH omnibus rule requires covered entities to add several new provisions to the (“NPP”) that they distribute to patients and beneficiaries. Generally, an NPP describes how the covered entity may use and disclose protected health information (“PHI”), an individual’s rights with respect to PHI (e.g., the right to access PHI and request restrictions on uses and disclosures), and the covered entity’s legal duties with respect to PHI (e.g., the duty to abide by the terms of the NPP).
- Uses and Disclosures Requiring Authorization. The omnibus rule requires a covered entity to include a separate statement informing individuals that certain uses and disclosures require authorization. Specifically, NPPs must state that the following require an individual’s prior authorization: (1) most uses and disclosures of psychotherapy notes (if the covered entity maintains psychotherapy notes); (2) uses and disclosures of PHI for marketing purposes; and (3) disclosures of PHI that constitute a “sale.”
- Opting Out of Fundraising Communications. If a covered entity contacts individuals for fundraising purposes, its NPP must notify individuals that they have a right to opt out of such communications, although the NPP does not need to describe the mechanism for opting out of receiving such communications. Each fundraising communication will specify the opt out option(s) available.
- Restricting Certain Disclosures. A health care provider’s NPP must inform individuals of their right to restrict certain disclosures of PHI to health plans when the individual has paid in full for a health care item or service.
- Breach Notification. The NPP must inform individuals of their right to receive a notification in the event of a breach of their unsecured PHI. In the Statement of Basis and Purpose, HHS explained that a “simple statement…that an individual has a right to or will receive” a breach notification in appropriate circumstances “will suffice for purposes of this requirement.” No further description is required.
HHS stated that the modifications required above are “material changes” to a covered entity’s NPP. As a result, covered entities must notify individuals of these material changes in accordance with the Privacy Rule. The omnibus rule also revises and clarifies how covered entities are required to notify individuals of material changes:
- Health Plans. If a health plans posts an NPP on its website, it must post the revised NPP with the material change on its website by the effective date of the material change, and also “provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals covered then by the plan.” If the health plan does not have a website where it posts its NPP, it must "provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days” of the material change. In the Statement of Basis and Purpose, HHS also suggested that health plans should provide beneficiaries with “both paper- and web-based notices.”
- Health Care Providers. The omnibus rule does not change the requirements for health care providers to inform patients of material changes to their NPPs. However, the Statement of Basis and Purpose does discuss how health care providers should distribute and display their NPPs. For example, HHS explained that health care providers may post a summary of their NPP “in a clear and prominent location at the delivery site” if the full NPP is “immediately available” to patients (i.e., on a table next to the posted summary) and there is no additional burden to acquire the full NPP. Requiring patients to ask a receptionist for the full NPP would be considered an unacceptable burden.
Covered entities should revisit their NPPs and ensure that they comply with the new requirements prior to the rule’s compliance date.