New Requirements for HIPAA Notices of Privacy Practices

Health Law Alert

February 11, 2013
Health Law Alert

This Health Law Alert is the fourth in a six-part series Hinshaw & Culbertson LLP is publishing detailing the significant changes to Health Insurance Portability and Accountability Act (HIPAA) privacy, security, enforcement and breach notification rules as part of the Omnibus Final Rule issued by the U.S. Department of Health and Human Services.

The U.S. Department of Health and Human Services Office of Civil Rights recently released the Omnibus Final Rule (Final Rule), which implements changes to HIPAA. Under the current HIPAA regulations, covered entities must provide a “notice of privacy practices” (NPP) that describes permissible uses and disclosures of individuals’ “protected health information” (PHI) by covered entities, covered entities’ legal duties regarding PHI, and individuals’ rights concerning their PHI. The Final Rule requires the NPP to incorporate changes to HIPAA made to the Privacy Rule and by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Notice of Privacy Practices: New Content Requirements

The Privacy Rule identifies certain information that must be included in a covered entity’s NPP, including a statement advising individuals that any use or disclosure of PHI other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and that the individual has the right to revoke an authorization. The Final Rule mandates significant changes to covered entities’ NPP regarding uses and disclosures that require authorization, and other provisions required to implement the HITECH Act changes. Covered entities will need to make changes to their NPPs to accommodate the following new rules:

The NPP should also include statements addressing changes to HIPAA individual rights made in the Final Rule, such as the right to receive electronic copies of health information, decedent protections and disclosures about decedents to those involved in care, school immunizations, research, or any changes made to how the covered entity uses or discloses an individual’s PHI.

The NPP no longer has to inform patients that the covered entity may contact them to provide appointment reminders or information about treatment alternatives or health-related benefits or services.

Notice of Privacy Practices: Distribution Requirements

The requirements for distributing updated NPPs have been modified for health plans but not health care providers.

Health plans may include their revised NPP in their next annual mailing as long as they prominently post the revised NPP on their web sites by the effective date of the material change to the NPP. Health plans that do not have customer service web sites are required to provide the revised NPP, or information about the material change and how to obtain the revised NPP, to individuals covered by the plan within 60 days of the material revision to the NPP.

Health care providers must simply provide the revised notice to all new patients and to anyone else on request, and post it in a clear and prominent location at the delivery site if the full NPP is immediately available to patients and there is no additional burden for patients to acquire the full NPP.

Compliance Deadline

HHS concluded that these changes represented a “material change,” thus requiring covered entities to promptly revise and distribute their NPP. Ordinarily, health plans must provide a revised NPP to individuals within 60 days of a material revision, but in an effort to increase flexibility, HHS suspended this requirement for health plans that post their NPP on their website. Now, these health plans may post the change or their revised NPP on their website by the effective date of the material change (September 23, 2013) and provide the revised NPP, or information about the material change and how to obtain the revised NPP, in their next annual mailing to individuals then covered by the plan.

The requirements for health care providers regarding distribution of a revised NPP remain the same: they must provide their revised NPP after the compliance date of a material change (September 23, 2013).

How We Can Help

Covered entities should review and revise their NPPs to ensure that they accurately describe their privacy practices in light of the new requirements in the Final Rule.

Hinshaw attorneys have extensive experience developing and advising on privacy and information security programs. If you have questions or need assistance in determining how to make the requisite changes to your NPP in order to come into compliance with the Final Rule, please contact Michael A. Dowell or your regular Hinshaw attorney.

Download PDF

This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.