By Adil Daudi, Esq.
After its initial publication at the beginning of the year, the Health Insurance Portability and Accountability Act (HIPAA) Final Rule is finally in effect. Although the actual rule became effective on March 26th, 2013, the Department of Human and Health Services (HHS) generously allowed all covered entities, business associates, and other healthcare organizations until September 23rd, 2013 to come into compliance with the rule.
This article will analyze some of the significant modifications and changes to the Act's Privacy, Security and Breach Notification Rules that every covered entity and healthcare organization should be aware of, and more importantly should ensure are updated at their workplace. The purpose is to help physicians obtain a better understanding of how these modifications will affect them and what steps they should take to comply with the changes.
The Notices of Privacy Practices (NPPs) requirement directs covered entities to distribute a notice of privacy practices to all patients, explaining how one's protected health information ("PHI") can be used and disclosed.
Pursuant to the Final Rule, covered entities are now required to maintain the following new statements in their NPPs:
The NPP shall contain a statement indicating that certain uses and disclosures will only be made with the authorization of the individual patient, such as:
- Psychotherapy notes – if recorded by a covered entity;
- Marketing purposes – In the event the covered entity intends to contact individuals for fundraising purposes, the NPP must already state this as a separate use and disclosure and inform the individual of this intent. In addition, the covered entity must further include a statement that the patient has the right to opt out of receiving these fundraising communications;
- Sale of PHI – Disclosures requiring the sale of PHI of an individual;
In addition to the above changes where authorization is now required for specific purposes, the Final Rule lays out additional statements that need to be included in the NPP, such as:
- Covered entities now must state in their NPP that if an individual has paid for coverage out-of-pocket, in full, the individual now has the right to have their provider restrict certain protected health information from being disclosed to health plan insurance carriers;
- Breach Notification – The Final Rule now requires the NPP to contain a statement informing the individual that the covered entity is required to notify them of any breach of their unsecured PHI. *Note, there has been a change made to the Breach Notification Rule where the presumption is now that all impermissible uses of PHI are considered a breach unless an exception exists*
All covered entities must ensure that their NPPs comply with these new requirements by September 23, 2013. Therefore, covered entities should review their current NPPs to determine whether any changes are needed in response to these new rules.
Furthermore, the Final Rule does not amend the existing requirements of distributing revisions to the NPP to individuals. Therefore, when a covered entity is revising an NPP, the entity must make the revised NPP available upon request, must post it on the entity's website (if applicable), and must post it in a prominent location in the office.
In addition, all new patients who are being seen for the first time after the effective date of the Final Rule should be given a copy of the revised NPP. The continuing practice of having new patients sign written acknowledgments of receiving the NPPs shall be maintained.
If you, an entity, have any questions about the Final Rule and how it affects your practice, or if you are in need of updating and revising your NPPs, please do not hesitate to contact our firm and speak with a trusted Health Care Attorney.
Adil Daudi is an Attorney at Joseph, Kroll & Yagalla, P.C., focusing primarily on Health Law, Estate Planning, and Business Law. Mr. Daudi has experience in a wide range of regulatory issues, including the Stark law, Anti-Kickback Statute, False-Claims Act, and HIPAA. He can be contacted for any questions related to this newsletter or other areas of law at firstname.lastname@example.org or (517) 381-2663.