Health Information Compliance Alert

HIPAA Compliance:

Know How Your NPP Should Look By Sept. 23

Beware of new uses and disclosures requiring patient authorization.

The deadline for complying with the HIPAA omnibus final rule is looming large — and if you’re behind in getting your compliance in order, you’d better hurry up. With a compliance date of Sept. 23, one of your biggest challenges will be to ensure that your Notice of Privacy Practices (NPP) is updated with all the changes contained in the omnibus rule.

Your NPP will need to reflect a whole host of tweaks and changes to patient rights. Here are the changes you need to make to your NPP before the Sept. 23 deadline.

Include Right to Restrict Disclosures

You must include in your NPP the new right for patients to restrict disclosures to insurers if the patient pays for services in full out-of-pocket, according to HIPAA expert Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC, based in Charlotte, Vt. You must honor such requests.

Another new provision under the omnibus rule is a patient’s right to receive an electronic copy of his PHI when you keep that PHI in an electronic format, such as an electronic health record (EHR). You need to include a statement about this right in your NPP as well.

Add Types of Uses & Disclosures that Require Individual Authorization

The final omnibus rule expands the statements in the NPP regarding uses and disclosures that require individual patient authorization, according to an article by the law firm McGuire Woods, LLP in Richmond, VA, for the American Bar Association’s Health Law Section. Specifically, you now must include in your NPP a statement indicating that the following uses and disclosures can be made only with authorization from the individual:

  • Most uses and disclosures of psychotherapy notes;
  • Uses and disclosures of PHI for marketing purposes, including subsidized treatment communications;
  • Disclosures that constitute a sale of PHI; and
  • Other uses and disclosures not described in the NPP.

Pay attention: Regarding disclosures that constitute a sale of PHI, you must have an authorization stating that the disclosure results in remuneration, Sheldon-Dean says. The exceptions to this rule would be when you’re using PHI for public health, research, treatment and payment purposes, sale of the practice, transfer to a business associate (BA) providing services, and relaying PHI to the individual.

Reprieve: Keep in mind that the omnibus rule clarifies that you don’t need to list in your NPP all situations requiring or not requiring individual authorization, according to a whitepaper by the law firm Epstein Becker & Green (EBG) posted on its website www.ebglaw.com. Also, your NPP doesn’t need to include a statement about the authorization requirement regarding psychotherapy notes if you don’t record or maintain psychotherapy notes.

State Right to Opt Out of Certain Disclosures

The omnibus rule provided the new right for patients to opt out of fundraising communications. You must provide an “easy opt-out” for each fundraising campaign or for all campaigns, and you must honor that opt-out, Sheldon-Dean says.

Caveat: But you can use patients’ demographic information, dates of healthcare services, the department providing services, the physician, health plan status, and outcome for fundraising purposes without patient authorization, Sheldon-Dean explains. You do need to state this in your NPP, however.

What you don’t need to include in your NPP regarding fundraising communications is the specific mechanism you plan to use for patients to opt out, EBG says.

Explain Breach Notice Rights

You must include a statement in your NPP that you will notify a patient when a breach of his unsecured PHI occurs, instructs attorney Wayne J. Miller, Esq., founding partner of the Compliance Law Group in Los Angeles. You can keep the statement simple, and you don’t need to describe the types of information you’ll provide in the breach notification.

Use of Genetic Information for Health Plan Underwriting Purposes

Another new requirement under the omnibus rule is that health plans cannot use genetic information for underwriting purposes, Sheldon-Dean states. This change is pursuant to the Genetic Information Nondiscrimination Act (GINA), which bars health plans from using genetic information for underwriting, enrollment, eligibility, premium computation, or consideration of pre-existing conditions.

Although the omnibus rule adopts these GINA requirements, the rule exempts long-term care policy issuers, EBG notes.

Resource: To view the entire HIPAA omnibus final rule, which was published in the Jan. 25 Federal Register, go to www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.