July 25, 2014

HIPAA Omnibus Rule Effective March 26, 2013

The omnibus final rule that amends the privacy, security and enforcement rules1 promulgated under the Health Insurance Portability and Accountability Act of 1996 (the statute and rules, together, HIPAA) requires that Covered Entities revise and redistribute their notice of privacy practices (NPP). As described below, this will generally involve updating NPPs for legally required changes and redistributing the NPPs, whether by posting on an intranet site or distributing hard copies, by September 23, 2013.

The final rule became effective on March 26, 2013; however, Covered Entities have until September 23, 2013 (the compliance date), unless otherwise excepted, to bring their NPPs into compliance. Many of the changes to the NPPs are required pursuant to statutory enactments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act (GINA). Most new requirements are generally applicable to all Covered Entities, as defined under HIPAA, but certain requirements apply specifically to health plan Covered Entities and health care provider Covered Entities as summarized below.

New Requirements for Covered Entities’ NPPs

A Covered Entity must update its NPP to include these additional elements:

  1. A statement that certain uses and disclosures of protected health information (PHI) require an authorization from the subject individual, specifically psychotherapy notes (if recorded or maintained by the Covered Entity), PHI for marketing purposes and PHI in instances constituting the sale of PHI;
  2. A statement that uses and disclosures not addressed within the NPP require a written authorization;
  3. An acknowledgment that the individual may revoke any authorization granted for uses and disclosures requiring such authorization; and
  4. A notice of the individual’s rights following a breach of unsecured PHI, which can be sufficiently accomplished with a statement that the individual has a right to or will receive notification of a breach of his or her unsecured PHI.

Covered Entities that seek to contact individuals to raise funds for themselves must also include a notice of such intentions and of the individual’s right to opt out of such communications. However, the mechanism for opting out of fundraising communications does not need to be included in the NPP.

Specific Requirements for Health Care Providers’ NPPs

Tangential to new rights created by the final rule for individuals to restrict access to PHI, each health care provider must notify individuals of such new rights through its NPP.

  1. Notice Elements. In addition to those provisions discussed above, health care providers must include in their NPPs a statement notifying the individual of the individual’s right to restrict—and a health care provider’s affirmative obligation to agree to restrict—disclosures of PHI to the individual’s health plan where the individual has paid for the items or services out-of-pocket and in full.
  2. Distribution Methods. The final rule did not amend those provisions relating to the distribution of NPPs for health care providers; however, the preamble to the final rule did clarify the manner in which health care providers are expected to distribute NPPs by the compliance date. NPPs must be available at the delivery site, but health care providers may choose to post a summary of the policy with copies of the entire policy readily available at the patient’s request, with the exception of new patients, who must be given a complete copy and must return a good faith acknowledgment of receipt.

Specific Requirements for Health Plans’ NPPs

  1. Notice Elements. In addition to the above requirements, a health plan that uses PHI for underwriting purposes must include in its NPP a disclosure that the health plan may not use or disclose PHI that is genetic information for underwriting purposes.
  2. Distribution Methods. A health plan that currently posts its NPP on the company’s intranet site must (i) post the revised NPP (or the material changes to the NPP) on the website by September 23, 2013 and (ii) within the next annual mailing, provide the revised NPP or information about the material changes to the NPP and instructions for obtaining a copy of the revised NPP.

Alternatively, for those health plans that do not provide access to the NPP on the company’s intranet site, either (i) the revised NPP or (ii) information regarding the material change in the policy and instructions on how to obtain a copy of the revised notice must be distributed to individuals covered by the subject plan of the NPP within 60 days of such material revision. Distribution may be made via regular mail, hand delivery or, if applicable, electronic means. We anticipate many health plans will distribute a revised NPP as part of open enrollment.

Excepted Entities

The final rule exempts certain entities from specific aspects of the revised NPP provisions. Issuers of long-term care policies do not need to include notice of the restrictions on the use and disclosure of genetic information for underwriting purposes, as GINA did not apply such restrictions to these plans. As discussed above, health care providers are not required to disclose the protections afforded to individuals under GINA in NPPs, as health care providers may continue to disclose genetic information, subject to the minimum necessary requirements and in reliance upon a patient’s health plan’s exclusive obligation to comply with GINA’s restrictions on its use of and requests for such information.

Lastly, those health plans that have previously distributed NPPs in compliance with the final rule (as a result of the statutory enactment of such requirements under GINA and the HITECH Act) do not need to redistribute NPPs by the compliance date.

Action Items

Before September 23, 2013, Covered Entities should revise NPPs to be compliant with the final rule and distribute such revised NPPs in accordance with the specified distribution methods applicable to the Covered Entity. Furthermore, those health plans that have previously distributed NPPs to comply with GINA and the HITECH Act should ensure that all of the elements of the final rule, including those applicable to all Covered Entities, have been satisfied before determining that the exception granted under the final rule applies.

1 45 C.F.R. parts 160 and 164, subparts A and E, 45 C.F.R. parts 160 and 164, subparts A and C, and 45 C.F.R. parts 160, subparts C through E, respectively.

© 2014 Vedder Price

About the Author

For more than 50 years, Vedder Price has counseled and advocated on behalf of a broad spectrum of health care organizations and organizations that provide services to the health care industry, including financial institutions with dedicated health care lending units.

You can expect a team of highly experienced, responsive attorneys who understand your market, your issues, and the evolving matters facing health care entities and their service providers today.


Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 If you would ike to contact us via email please click here.