HIPAA Rule Update: Call Us (To Help Revise Your Notice of Privacy Practices), Maybe
Health Law Update 02/08/13 Sarah E. Coyne
This episode of “The Days Of Our Lives: Final HIPAA Omnibus Rule” will feature . . .drumroll please . . . notices of privacy practices!!! Unless you are hibernating for the winter, and maybe even then, you are aware that the U.S. Department of Health and Human Services (HHS) finally published the final rule implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act (Final Rule). The Final Rule contains a lot of information, and our goal is to break it down into easily digested bitesized pieces for you. We knew you would get impatient if we did not address notices of privacy practices pretty early on in the process, given how much we all love giving them (as providers) and getting them (as patients). The authors especially love being patients and hearing, “I am supposed to offer you some HIPAA document, but you probably don’t want to read it anyway, so I’m not going to bother.” (Our expert advice: Don’t say that).
Here are our guesses at your questions and our guesses at the answers. Educated guesses. Very, very educated.
Do Business Associates Care at All about Anything in This Update?
Probably not. The exceptions would be:
- Business associates that are also covered entities.
- Business associates that have been contractually delegated responsibility for covered entity functions, including distribution of the notice of privacy practices.
Must Covered Entities Revise Their Notice of Privacy Practices?
Yes! HHS has now required material changes to the notice of privacy practices (set forth below — hold your horses!). Unless your covered entity has one of those super-organized, proactive and somewhat clairvoyant privacy officers who accurately anticipated these changes, covered entities will now need to update by September 23, 2013. We really doubt that your notice of privacy practices was updated in perfect harmony with the Final Rule unless you rushed and did it since the Final Rule came out, in which case you really need to consider some life-balance issues.
Must Covered Entities Redistribute Their Amended Notice of Privacy Practices?
Yes! Because HHS deemed some of the changes in the Final Rule to be “material changes” to the original Privacy Rule provisions addressing notices of privacy practices, covered entities must revise and distribute the notice. As mentioned above, if by some fortuitous turn of events your notice happens to be up to snuff with the Final Rule and previously distributed, you would not need to redistribute it.
Are There Changes in How Covered Entities Should Distribute Their Amended Notice of Privacy Practices?
Yes and no. Oh, you want more detail?
For health care providers: Distribute as you have been doing. Here’s a reminder of what you have been doing:
- When material changes are made and you have a direct treatment relationship with the patient:
- New patients: Provide on the date of first service delivery (or as soon as reasonably practicable after an emergent situation).
- Existing patients: If you have a physical delivery site, post the notice (or a summary, with the notice immediately available if requested) conspicuously in a clear and prominent location (one suggestion: your forehead), and make the notice available upon request on or after the effective date of the revision.
- HHS clarified in the Final Rule that providers do not need to print and hand out a revised notice to all individuals seeking treatment. Providers must give a copy of the notice and obtain acknowledgement of receipt of the notice from new patients. This is good — we love trees.
For health plans: It depends on whether you have your notice posted on a website. Specifically:
- Health plans that do not post the notice of privacy practices on a website must provide the revised notice (or information about the material change and how to obtain the revised notice) to individuals covered by the plan within 60 days of the revision.
- Health plans that do post the notice of privacy practices on a website must:|
- Prominently post the changes or revised notice on the website by the effective date of the changes (here, September 23, 2013), and
- Provide the revised notice or information about the change and how to obtain the revised notice in the next annual mailing to individuals covered by the plan.
What Should Covered Entities Add to Their Notice of Privacy Practices?
The Final Rule requires that certain statements be added to the notice of privacy practices.
- Uses and Disclosures Requiring Authorization. The Final Rule adopts the proposed rule’s requirement that there be certain statements in the notice of privacy practices regarding uses and disclosures that require authorization, as follows:
- For covered entities who maintain psychotherapy notes, there must be a statement indicating that most uses and disclosures of psychotherapy notes will require authorization. (Remember that “psychotherapy notes” does not quite mean what you think it would mean; it means private notes of a mental health professional kept separately from the record.)
- There must be a statement that uses or disclosures of protected health information for marketing purposes will require authorization.
- There must be a statement that a disclosure that constitutes the sale of protected health information (PHI) — see our previous exciting update on this topic — requires authorization.
- Fundraising. The Final Rule requires a statement that the individual has the right to opt out of receiving fundraising communications. The notice can explain the exact mechanism for how an individual can opt out, but that detail is not required. (Instead, the opt-out mechanism will have to be disclosed with each fundraising solicitation — more on that in a super-exciting future update.)
- Health Plans & Genetic Information. A health plan that intends to use or disclose PHI for underwriting purposes must state in the notice of privacy practices that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.
- Paying Out of Pocket (For Health Care Providers Only). In most cases, a covered entity does not have to agree to a patient’s request to restrict the use or disclosure of PHI. Under HITECH, however, providers must agree to restrict the disclosure of PHI (for payment or health care operations) to a health plan when the patient paid for the service or item in question out of pocket in full. The Final Rule requires that a statement in the notice of privacy practices reflect the provider’s mandatory agreement when this request is made.
- Breach Notification. The Final Rule requires that the notice of privacy practices state that an individual has a right to be notified when a breach of his or her unsecured PHI has occurred. The statement does not have to be greatly detailed, and HHS rejected requests of commenters that the notice include the method of risk assessment.
Should Covered Entities Delete Any Statements from The Existing Notice of Privacy Practices?
You may delete — if you wish — the statement that you plan to contact individuals to provide appointment reminders or information about treatment alternatives or other health benefits that may be of interest to the individual. As of March 26, 2013, the effective date of the Final Rule, this statement no longer needs to be included in a notice. But you can keep it in your notice, if you would like to do that. Whatever floats your boat.
Stay tuned for our next episode!!!
Previous HITECH Updates:
- HIPAA Rule Update: Stop, Drop . . . and Comply — Understanding the New Restrictions on the Sale of PHI and the HIPAA Enforcement Rule
- HIPAA Rule Update: Extended Compliance Time for “Grandfathered” Agreements
- It’s Finally Here! HHS Releases the Final Rule to Modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules