September 23, 2020

Volume X, Number 267


Office of Civil Rights (OCR) Delays Required Changes to Notices of Privacy Practices for Laboratories

The HHS Office of Civil Rights (OCR) has granted certain clinical laboratories a temporary reprieve from the requirement to update their Notices of Privacy Practices (NPPs) by September 23, 2013, the deadline imposed by the HIPAA Omnibus Rule.  As a result, OCR will not take enforcement action or impose civil money penalties against laboratories that have not revised their NPPs by the deadline.  Additionally, OCR plans to issue a public notice at least 30 days in advance of the end of the enforcement delay.  This enforcement delay, however, does not apply to laboratories that operate as a part of a larger covered entity (e.g., a hospital) because those laboratories do not have NPPs separate from the larger entity. 

The HIPAA Omnibus Rule requires that all covered entities make significant updates to their NPPs, including adding statements regarding: 

  • the prohibition on the covered entity’s sale of personal health information (PHI) without an individual’s authorization;

  • permissible uses of certain PHI for marketing communications (pursuant to limitations on third-party funding of such marketing communications);

  • permissible uses of certain PHI for fundraising purposes, along with the patient’s opt-out rights from such fundraising communications;

  • the individual’s rights to restrict covered entity communications of PHI to health plans when he or she has paid for services out-of-pocket;

  • an individual’s right to receive copies of PHI delivered either to the individual or to a third party identified by the individual, if maintained in that form by the covered entity;   

  • the covered entity’s obligation to account for treatment, payment and health care operation disclosures if it maintained an electronic health record after January 1, 2007; and

  • the individual’s right to receive notification in the event of a breach as well as the covered entity’s ability to use PHI to provide such breach notifications.

As stated in its announcement on the eve of the weekend before the long-anticipated deadline, “the Department anticipates publishing an amendment to the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1998 (CLIA) regulations regarding the right of individuals to receive their test reports directly from CLIA and CLIA-exempt laboratories, which was proposed for public comment on September 14, 2011” (and profiled in this post).  

OCR recognized that, if the changes proposed in the September 14, 2011 rule are adopted, they would impose material changes to the privacy practices of laboratories covered by HIPAA. Specifically, the rule would require the impacted laboratories to inform their patients of their new rights and describe how to exercise them. The anticipated proximity of the two rulemakings prompted OCR to announce the enforcement delay to relieve the administrative burden for the potentially affected laboratories.

Affected clinical laboratories can wait with bated breath for the release of the final rule on CLIA laboratory test report access rights, but should still look at the model NPPs OCR released earlier this week to ensure that they account for those basic changes in the interim.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume III, Number 264

