Covered Entities Required to Modify Notice of Privacy Practices Under New HIPAA Rule
With the release on Jan. 17, 2013 of the U.S. Department of Health and Human Services’ (HHS) much-anticipated final rules implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, health plans, health care clearinghouses, and health care providers—or “covered entities” under HIPAA—must modify the notices they provide to individuals regarding their health information privacy practices.
Under the current HIPAA framework, covered entities must provide a “notice of privacy practices” (NPP) that describes permissible uses and disclosures of individuals’ “protected health information” (PHI) by covered entities, covered entities’ legal duties regarding PHI, and individuals’ rights concerning their PHI. The final rule builds on this framework by incorporating changes to HIPAA made by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 to strengthen privacy and security protections for PHI. Among these changes, covered entities’ NPP now must contain a statement indicating that uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI require an individual’s written authorization. Additionally, the NPP must inform individuals of their right to restrict certain disclosures of their PHI to a health plan where an individual pays out of pocket in full for a health care item or service, and their right to be notified of a breach of unsecured PHI where an individual is affected by such breach.
HHS concluded that these changes represented a “material change,” thus requiring covered entities to promptly revise and distribute their NPP. Ordinarily, health plans must provide a revised NPP to individuals within 60 days of a material revision, but in an effort to increase flexibility, HHS suspended this requirement for health plans that post their NPP on their website. Now, these health plans may post the change or their revised NPP on their website by the effective date of the material change (in this instance, Sept. 23, 2013) and provide the revised NPP, or information about the material change and how to obtain the revised NPP, in their next annual mailing to individuals then covered by the plan. By contrast, the requirements for health care providers regarding distribution of a revised NPP remain the same: They must provide their revised NPP after the compliance date of a material change (again, Sept. 23, 2013 in this instance). Nevertheless, in response to concerns about printing costs for revised NPPs, HHS clarified that health care providers may satisfy their legal obligations simply by posting their revised NPP or a summary thereof in a clear and prominent location at the care delivery site, and by having copies of the full NPP there for individuals to take with them.
This entry is part of an ongoing series on the Barnes & Thornburg Healthcare Blog regarding the HIPAA final rule released on Jan. 17, 2013. Continue to visit www.bthealthlaw.com for new updates and analysis.