HIPAA Privacy Notices May Need to Be Updated

March 15, 2013

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released the omnibus regulations under the Health Insurance Portability and Accountability Act (HIPAA), including implementing changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH) and incorporating protections required by the Genetic Information Nondiscrimination Act (GINA). As a whole, this is referred to as “the final rule.”

There is one significant change to be aware of: covered entities (i.e. health care providers, health plans, and health care clearinghouses that handle individuals’ protected health information [PHI]) need to review, and possibly update, their privacy notices.

The final rule calls for certain changes to the notice of privacy practices in order to comply with the new HITECH and GINA requirements. Privacy notices should now (1) outline covered entities’ relationships with “business associates” and their new status under the final rule, (2) outline covered entities’ breach notification processes, (3) inform individuals of the prohibition on the use and disclosure of genetic information for underwriting purposes, and (4) include a statement about patients’ rights to restrict the disclosure of their health information when paying out of pocket for the services. Covered entities should also be aware that these revised privacy notices must be placed prominently and made available to patients upon request; they must also be listed on covered entities’ websites, too.

The promulgation of the final rule offers covered entities a great opportunity to review their privacy notices for needed updates. The final rule goes into effect on March 26, 2013, with a compliance date of September 23, 2013, the date by which covered entities must update their privacy notices and distribute them to plan participants and beneficiaries.

To subscribe to email alerts from Axley Law Firm, click here.