Required Revisions to Notices of Privacy Practices for Healthcare Providers
Last month, HHS issued the long-awaited omnibus final rule that implements, among other things, a number of provisions of the HITECH Act, modifying the HIPAA Privacy and Security Rules. One of the most far-reaching changes for healthcare providers is a requirement that all existing Notices of Privacy Practices (NPPs) must be revised on or before the compliance date of September 23, 2013. Pursuant to the HIPAA Privacy Rule, 45 CFR §164.520, most covered entities are required to have and distribute an NPP, which must describe the uses and disclosures of PHI that the covered entity is permitted to make, the covered entity’s legal obligations and privacy practices, and the patients’ rights regarding PHI.
The final rule requires several important modifications to the NPPs of healthcare providers, including the following:
- Marketing, sale, and psychotherapy notes disclosures. NPPs must now contain a statement indicating that the following uses and disclosures of PHI require a written authorization: for marketing purposes; disclosures that constitute a sale of PHI; and, for those providers who record or maintain psychotherapy notes, most uses and disclosures of psychotherapy notes. However, covered entities that don’t record or maintain psychotherapy notes are not required to include a statement in their NPPs about the authorization requirement.
- Non-enumerated uses. NPPs must state that any uses and disclosures of PHI not described in the NPP will be made only with the individual’s written authorization, and must include a statement that the individual may revoke an authorization as provided in the regulations.
- Fundraising communications. NPPs must include a statement informing the individual of the provider’s intention to contact such individual for fundraising purposes, and of his or her right to opt out of receiving such fundraising communications. HHS did not require a specific opt-out mechanism to be used in such situations.
- Out-of-pocket payments restrictions. In line with other changes mandated by the HITECH Act, HHS now requires health care providers (but not other covered entities) to inform individuals that they have a right to restrict certain disclosures of PHI to a health plan if the individual has paid out-of-pocket in full for the health care item or service.
- Breach notices. HHS now requires NPPs to include a statement of affected individuals’ right to be notified following a breach of their unsecured PHI. HHS noted that a simple statement of such breach notification rights would be sufficient, but covered entities may include more information if necessary. It is worth noting, however, that healthcare providers need not include lengthy definitions of “breach” or describe their risk assessment mechanisms in such notices.
Most healthcare providers will need to make their revised NPPs available upon request by the patient and at the delivery site, and must post the notice in a clear and prominent location as soon as it has been revised, but no later than the final rule compliance date of September 23, 2013. HHS emphasized that there is no “one size fits all” approach to NPPs because the individual provisions of such notices will vary based on the type of covered entity issuing the NPP. Therefore, providers should consult with their counsel regarding the required modifications pursuant to the final rule.
Steven J. Fox is a principal with Post & Schell, PC, a law firm serving clients throughout the United States. Mr. Fox is an acknowledged authority on legal issues regarding information technology, data privacy and healthcare IT. Vadim Schick is an associate and member of the firm’s Information Technology and Data Protection Groups. Mr. Schick has authored several articles and is a frequent speaker about health IT transactions and data privacy compliance. Read more from them on the Health IT Law Blog.