New Required HIPAA Omnibus Revisions for NPPs
by Leigh-Ann Renz, 6.24.13
In a previous post, we touched on how the HIPAA Omnibus Rule requires businesses to revise their notices of privacy practices (NPPs) by the September 23, 2013 compliance date: covered entities will most likely need to create and distribute a revised notice of privacy practices informing patients/clients of their rights and how their information is safeguarded. NPPs must now include a description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4), including most uses and disclosures of psychotherapy notes.
(What defines a covered entity? Virtually all healthcare providers, including home health, mental health, dentists, ambulance services, etc.; all healthcare payers, including insurance and health plans; and all healthcare clearinghouses that process or route electronic claims.)
Here are some additional details:
Psychotherapy notes disclosures: The NPP now has to include a statement that the following uses and disclosures of PHI [Personal Health Information] require a written authorization: 1) if the PHI is used or disclosed for marketing purposes; 2) if the disclosure constitutes a sale of PHI; 3) most uses and disclosures of psychotherapy notes. (Covered entities that don’t record or maintain psychotherapy notes are not required to include a statement in their NPPs about the authorization requirement.)
Uses and disclosures outside of the NPP: NPPs must now state that any uses and disclosures of PHI not covered by the NPP will only be made with the written permission of the individual, and state that this authorization may be revoked by the individual “as provided in the regulations”.
Fundraising Communication Opt-Outs: NPPs are required to state the covered entity’s intention to contact an individual for fundraising purposes and grant the individual the right to opt out of receiving contact about fundraising. However, HHS (Department of Health & Human Services) did not specify how the opt-out of this communication should be handled.
Restriction of PHI disclosure: HHS now requires that health care providers let individuals know that they can restrict certain disclosures of PHI to a health plan if they have paid for the health care item or service out-of-pocket in full.
Breach notification: NPPs must now include a statement that an individual will be notified if their unsecured PHI is compromised. A simple statement of breach notification rights is fine; you can include more information if you want, but “healthcare providers need not include lengthy definitions of ‘breach’ or describe their risk assessment mechanisms.”
What does this mean for you as a mental & behavioral health care provider?
- You need to revise your NPPs by the deadline: On or before September 23, 2013, have the revised notices available on-site and by client request, as well as posted in a clear and prominent location as soon as they’ve been revised.
- You have to include the new required statements as outlined above, as well as maintain the standard HIPAA notice of privacy practices.
- “HHS emphasized that there is no ‘one size fits all’ approach to NPPs because the individual provisions of such notices will vary based on the type of covered entity issuing the NPP”: be sure to consult with your HIPAA compliance officer or whoever you use for counsel to make sure that you’re in compliance with the changes.
Leigh-Ann Renz is the Marketing & Business Development Director of PIMSY EMR.