Legal Update

Sep 24, 2013

Deadline for HIPAA Compliance is Here, Have You Updated Your Notice of Privacy Practices?


September 23, 2013 is the compliance deadline for adopting and disseminating a revised Notice of Privacy Practices (Notice) that is compliant with the HIPAA Omnibus Rule.  This One Minute Memo is designed to provide tools to those providers who have not yet updated their Notice, or who have questions about what types of items should be in the revised Notice.

Background

On January 17, 2013, HHS issued an omnibus set of final regulations modifying and clarifying the privacy, security and enforcement provisions under HIPAA.  Providers and business associates must comply with these final regulations starting September 23, 2013.

HIPAA requires Covered Entities, including providers, to distribute a Notice that sets forth the uses and disclosures of protected health information (PHI) that the covered entity may make, the covered entity’s legal obligations, and individuals’ rights with respect to their PHI.  Under the final regulations, a Notice must now also contain:

  • A statement that most uses and disclosures of psychotherapy notes, most uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI can be made only with an individual’s authorization;
     
  • A statement that the individual has a right to opt out of receiving fundraising communications;
     
  • A statement that the provider must agree with an individual’s requested restriction on the disclosure of their PHI to a health plan if the disclosure is for the purposes of payment or healthcare operations and the individual has paid for the item or service out-of-pocket and in full; and
     
  • A statement that an individual has a right to be notified when a breach of his or her unsecured PHI has occurred.

Model Notices

Shortly before the compliance date, the HHS Office for Civil Rights (OCR) released model Notices for both health care providers and group health plans.  The model Notices can be accessed here.  The model Notices are available in several different formats, but the language in each is substantially the same. OCR also released instructions that provide guidance as to what information the provider will need to add to the model Notices in order to fully comply with the requirements of HIPAA.  As OCR noted, the model Notices serve as a baseline for providers to come into compliance with the new requirements under the omnibus rules.  In addition, with the passing of the compliance date, it is likely that OCR will continue to audit providers’ compliance with the HIPAA Privacy and Security Rules. Therefore, providers should utilize this resource and take any necessary steps to achieve HIPAA compliance.

Next Steps

  1. At this time, providers may have already updated their Notice or may be in the process of updating their Notice to comply with the final regulations.  They should determine whether to continue to use their revised Notice or change to the model Notice.  If the model Notice is to be used, some customization should be done in order to ensure compliance with the new HIPAA requirements.
     
  2. Providers should determine how they are going to disseminate the amended Notice to patients.
     
  3. Providers should take any necessary steps to ensure that the amended Notice is available on request and, if they have a physical delivery site, that the amended Notice is posted in a clear and prominent location.