To comply with the new HIPAA Omnibus Rule, covered entities (including healthcare providers) will need to create or modify their Notice of Privacy Practices ("NPP") to include new provisions. Because many NPP's were prepared years ago, it is a good time to review your NPP to ensure it still contains the elements required by HIPAA and does not impose more obligations than required.
Checklist for NPP Compliance. Pursuant to 45 C.F.R. § 164.520, NPPs for healthcare providers must contain the following elements:
- Header. The NPP must contain the following header: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
- Uses and Disclosures. The NPP must describe the types of disclosures that HIPAA permits the covered entity to make without an authorization, including those identified below. To the extent a more restrictive state or federal law restricts such disclosures, the NPP must reflect the more restrictive law.
Under the Omnibus Rule, the NPP is not required to contain a statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other benefits or services that may be of interest.
- A description and at least one example of the types of disclosures the covered entity may make for each of the following purposes: treatment, payment, and healthcare operations.
- A description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information ("PHI") without the patient's authorization per §§ 164.502-.512. For example, providers may want to describe the following uses or disclosures as applicable to the provider's practice:
- To family members and others involved in the individual's healthcare or payment for care unless the individual has objected per § 164.510. Under the Omnibus Rule, this exception would also allow disclosures of information about deceased persons to family members and others involved in the deceased person's care prior to their death unless the deceased person objected prior to their death.
- To personal representatives.
- To business associates.
- For facility directories if the patient has not objected.
- As required by another law.
- To avert a serious and imminent threat of harm.
- For certain public health activities.
- For certain health oversight activities.
- For judicial or administrative proceedings if certain conditions are met.
- For specified law enforcement purposes if certain conditions are met.
- To the extent allowed by state workers compensation laws.
- To coroners, medical examiners and funeral directors.
- For research purposes if certain conditions are met.
- For certain specialized government functions, e.g., military, prisons, etc.
- If the covered entity intends to engage in fundraising, a statement that it may contact the individual to raise funds for the covered entity and the individual has the right to opt out of receiving such communications.
- A description of the types of uses or disclosures that require an authorization under § 164.508(a)(2)-(4), i.e., psychotherapy notes, marketing, and sale of PHI.
- A statement that other uses and disclosures not described in the NPP will be made only with the individual's written authorization. Thus, providers should probably reference all of those uses or disclosures permitted by §§ 164.502 to 164.512 that the provider may wish to make without the individual's authorization; otherwise, the Office of Civil Rights may take the position that the provider is precluded from using or disclosing the information without the individual's authorization.
- A statement that the individual may revoke the authorization as provided in § 164.508(b)(5).
- Individual Rights. The NPP must describe the following individual rights:
- The right to request restrictions on uses or disclosures of PHI for treatment, payment or healthcare operations; for use in a facility directory (if applicable); or to family members and others involved in the patient's care; however, the provider is not required to agree to the restriction except in the case of a disclosure to a health insurer if the individual has paid for the care as required by
§164.522(a)(1)(vi). This is a change necessitated by the Omnibus Rule.
- The right to receive confidential communications by alternative means or at alternative locations per §164.522(b).
- The right to inspect and copy PHI per § 164.524. The provider may want to include a statement that the provider may charge a reasonable cost-based fee for copies.
- The right to amend PHI per § 164.526.
- The right to receive an accounting of disclosures of PHI as provided by § 164.528.
- The right to receive a paper copy of the NPP upon request.
- A brief description of how the individual may exercise the foregoing rights, e.g., by submitting a written request to the provider's privacy officer.
- Covered Entity Duties. The NPP must state that the covered entity is required by law to:
- Maintain the privacy of PHI.
- Provide individuals with notice of its legal duties and privacy practices with respect to PHI.
- Notify affected individuals following a breach of unsecured PHI. This is a new Omnibus Rule requirement.
- Abide by the terms of the NPP currently in effect and describe how the covered entity will provide a revised NPP to individuals. If the covered entity wants to apply NPP changes to previously acquired PHI, the covered entity must include a statement reserving the right to apply changes to all its PHI.
- Complaints. The NPP must include the following statements:
- Individuals may complain to the covered entity and to the Secretary of HHS if they believe their privacy rights have been violated.
- Individuals will not be retaliated against for filing a complaint.
- A brief description of how the individual may file a complaint with the covered entity. The regulations do not require the NPP to describe how the individual may file a complaint with HHS.
- Contact. The NPP must contain the name or title and telephone number for a person or office to contact for further information.
- Effective Date. The NPP must state the date on which the NPP is first in effect, which may not be earlier than the date on which the NPP is printed or otherwise published.
Health Plan NPPs. NPPs for health plans must contain slightly different terms as explained in § 164.520.
Providing the Revised NPP. In its Omnibus Rule commentary, HHS confirmed that providers are not required to print and hand out a revised NPP to all individuals seeking treatment; instead, providers need only post the revised NPP in a clear and prominent location and have copies of the NPP available on request to take with them. Providers will still need to give a copy of the NPP to, and obtain a good faith acknowledgment of receipt from, new patients. (78 F.R. 5625).
Additional Resources. If you have questions about these or other issues, the Office of Civil Rights maintains a helpful website on HIPAA issues, http://www.hhs.gov/ocr/privacy/. In addition, Holland & Hart has prepared sample HIPAA forms for its clients, including a sample NPP. If you are interested in obtaining such forms, please contact me at firstname.lastname@example.org.
For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: email@example.com, phone: 208-383-3913
This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.