April 2013

Notice of Privacy Practices a Focus of the New HIPAA Omnibus Final Rule

By Keith Carrington, JD Candidate and Chuck Wright

On Tuesday, March 26, 2013, the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule took effect, making significant modifications to the Act’s Privacy, Security, Enforcement, and Breach Notification Rules.

Under this rule, covered entities must review their Notice of Privacy Practices (NPP), because the Privacy Rule’s NPP requirements have changed materially. The U.S. Department of Health and Human Services (HHS) incorporated new requirements stemming from the Health Information Technology for Economic and Clinical Health (HITECH) Act, modified several previously proposed requirements, and removed one existing requirement.

Specifically, covered entities must now include a number of new statements in their NPPs.

  • The NPP must state that uses and disclosures of protected health information (PHI) for marketing purposes, and disclosures that constitute a sale of PHI, require the individual’s authorization. HIPAA regulations continue to require a statement that any other uses and disclosures not described in the NPP will be made only with the individual’s authorization.

  • If the covered entity maintains “psychotherapy notes,” the NPP must include a statement that the psychotherapy notes will only be used and disclosed with the individual’s authorization.

  • If the covered entity contacts individuals for fundraising, the NPP already must list fundraising as a separate use and disclosure. Under the HIPAA Omnibus Rule, the NPP must also state that the individual has the right to opt out of receiving fundraising communications.

  • The HITECH Act gave individuals the right to have their health care provider restrict disclosure of certain PHI to a health plan when the individual pays out of pocket, in full, for the care and requests such a restriction. The HIPAA Omnibus Rule requires that a statement about this right be incorporated into a health care provider’s NPP.

  • The HIPAA Omnibus Rule also makes several important changes to the breach notification rules, which we will address in a future e-alert. Among these changes is a new requirement that a covered entity’s NPP include a general statement that an individual has a right to be notified whenever a breach of his or her unsecured PHI occurs.

  • Consistent with the Genetic Information Nondiscrimination Act (GINA), health plans must include a statement in their NPP that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.

In addition to adding the new NPP requirements described above, the HIPAA Omnibus Rule removes a prior requirement. Before the HIPAA Omnibus Rule, an NPP was required to include a statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other services that may be of interest. Effective March 26, 2013, this statement is no longer required in an NPP. Covered entities may still include such a statement in their NPP if they wish.

Covered entities must make sure that their NPPs comply with these new requirements by September 23, 2013. To do this, covered entities should evaluate their NPPs to determine whether any changes are needed in response to these new rules. Some covered entities that revised their NPPs following the passage of the HITECH Act may find that they do not need to make any additional changes to comply with the requirements of the HIPAA Omnibus Rule. Even if you are one of the covered entities that recently updated your NPP, you should still review it to determine whether further revisions are necessary. 

Once the revisions are made, covered entities must provide their patients with a copy of the revised Notice of Privacy Practices, post the notice in their offices or facilities, and, if the notice is posted on a website, place it in a prominent location no more than one click from the home page.

For practices that mail a copy of the NPP to their patients, which should be done on an annual basis, we recommend using a HIPAA-compliant direct mail provider that can supply proof-of-delivery reports. These reports should be retained for audit and legal purposes, in a manner consistent with the covered entity’s document retention policy.

Keith Carrington conducts both Meaningful Use and HIPAA Privacy & Security Rule Risk Assessments for medical providers and their Business Associates. Keith was named Editor of the law review for Concord University’s School of Law.

Chuck Wright is the Owner of TWI Services, TWI Healthcare Medical Printing and Direct Mail and is the Founding President of Medical Offices Resources of Florida.