HIPAA Omnibus Rule Effective March 26, 2013
The omnibus final rule that amends the privacy, security and enforcement rules1 promulgated under the Health Insurance Portability and Accountability Act of 1996 (the statute and rules, together, HIPAA) requires that Covered Entities revise and redistribute their notice of privacy practices (NPP). As described below, this will generally involve updating NPPs for legally required changes and redistributing the NPPs, whether by posting on an intranet site or distributing hard copies, by September 23, 2013.
The final rule became effective on March 26, 2013; however, Covered Entities have until September 23, 2013 (the compliance date), unless otherwise excepted, to bring their NPPs into compliance. Many of the changes to the NPPs are required pursuant to statutory enactments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act (GINA). Most new requirements are generally applicable to all Covered Entities, as defined under HIPAA, but certain requirements apply specifically to health plan Covered Entities and health care provider Covered Entities as summarized below.
New Requirements for Covered Entities’ NPPs
A Covered Entity must update its NPP to include these additional elements:
- A statement that certain uses and disclosures of protected health information (PHI) require an authorization from the subject individual, specifically psychotherapy notes (if recorded or maintained by the Covered Entity), PHI for marketing purposes and PHI in instances constituting the sale of PHI;
- A statement that uses and disclosures not addressed within the NPP require a written authorization;
- An acknowledgment that the individual may revoke any authorization granted for uses and disclosures requiring such authorization; and
- A notice of the individual’s rights following a breach of unsecured PHI, which can be sufficiently accomplished with a statement that the individual has a right to or will receive notification of a breach of his or her unsecured PHI.
Covered Entities that seek to contact individuals to raise funds for themselves must also include a notice of such intentions and of the individual’s right to opt out of such communications. However, the mechanism for opting out of fundraising communications does not need to be included in the NPP.
Specific Requirements for Health Care Providers’ NPPs
Tangential to new rights created by the final rule for individuals to restrict access to PHI, each health care provider must notify individuals of such new rights through its NPP.
- Notice Elements. In addition to those provisions discussed above, health care providers must include in their NPPs a statement notifying the individual of the individual’s right to restrict—and a health care provider’s affirmative obligation to agree to restrict—disclosures of PHI to the individual’s health plan where the individual has paid for the items or services out-of-pocket and in full.
- Distribution Methods. The final rule did not amend those provisions relating to the distribution of NPPs for health care providers; however, the preamble to the final rule did clarify the manner in which health care providers are expected to distribute NPPs by the compliance date. NPPs must be available at the delivery site, but health care providers may choose to post a summary of the policy with copies of the entire policy readily available at the patient’s request, with the exception of new patients, who must be given a complete copy and must return a good faith acknowledgment of receipt.
Specific Requirements for Health Plans’ NPPs
- Notice Elements. In addition to the above requirements, a health plan that uses PHI for underwriting purposes must include in its NPP a disclosure that the health plan may not use or disclose PHI that is genetic information for underwriting purposes.
- Distribution Methods. A health plan that currently posts its NPP on the company’s intranet site must (i) post the revised NPP (or the material changes to the NPP) on the website by September 23, 2013 and (ii) within the next annual mailing, provide the revised NPP or information about the material changes to the NPP and instructions for obtaining a copy of the revised NPP.
Alternatively, for those health plans that do not provide access to the NPP on the company’s intranet site, either (i) the revised NPP or (ii) information regarding the material change in the policy and instructions on how to obtain a copy of the revised notice must be distributed to individuals covered by the subject plan of the NPP within 60 days of such material revision. Distribution may be made via regular mail, hand delivery or, if applicable, electronic means. We anticipate many health plans will distribute a revised NPP as part of open enrollment.
The final rule exempts certain entities from specific aspects of the revised NPP provisions. Issuers of long-term care policies do not need to include notice of the restrictions on the use and disclosure of genetic information for underwriting purposes, as GINA did not apply such restrictions to these plans. As discussed above, health care providers are not required to disclose the protections afforded to individuals under GINA in NPPs, as health care providers may continue to disclose genetic information, subject to the minimum necessary requirements and in reliance upon a patient’s health plan’s exclusive obligation to comply with GINA’s restrictions on its use of and requests for such information.
Lastly, those health plans that have previously distributed NPPs in compliance with the final rule (as a result of the statutory enactment of such requirements under GINA and the HITECH Act) do not need to redistribute NPPs by the compliance date.
Before September 23, 2013, Covered Entities should revise NPPs to be compliant with the final rule and distribute such revised NPPs in accordance with the specified distribution methods applicable to the Covered Entity. Furthermore, those health plans that have previously distributed NPPs to comply with GINA and the HITECH Act should ensure that all of the elements of the final rule, including those applicable to all Covered Entities, have been satisfied before determining that the exception granted under the final rule applies.
1 45 C.F.R. parts 160 and 164, subparts A and E, 45 C.F.R. parts 160 and 164, subparts A and C, and 45 C.F.R. parts 160, subparts C through E, respectively.