Since the publication of the final HIPAA Omnibus Rule (the “Omnibus Rule”) on January 17, 2013, health care publications have been replete with summaries highlighting its changes. What seems to be lacking, however, are practical pointers on what Covered Entities need to do to come into compliance with the new regulations by the compliance deadline, September 23, 2013. One HIPAA-driven form which will certainly require updating due to changes in the regulations is the Covered Entity’s Notice of Privacy Practices (NPP). The Omnibus Rule also changes certain requirements for the handling of the NPP. This article walks through the eight changes regarding NPPs which need to be made by Covered Entities that are classified as health care providers, rather than health plans. In addition to revising the form of the NPP itself, Covered Entities should review and revise any HIPAA compliance policies and training materials that address the requirements for the content and dissemination of NPPs.
The eight changes to the NPP requirements for health care providers are the following:
1. The NPP must include a description of the types of uses and disclosures which require an authorization in the following three areas: 1) disclosure of psychotherapy notes; 2) disclosures for marketing purposes; and 3) disclosures that constitute a sale of protected health information. The NPP also must state that other uses and disclosures not described in the NPP will not be made unless the individual provides an authorization, and that authorizations may be revoked prospectively at any time by written revocation.
2. The NPP must explain the right of an individual to restrict disclosures of Protected Health Information (PHI) to a health plan for payment or health care operations purposes (but not for treatment purposes) for items or services which the individual has paid for in full and out-of-pocket. Providers will also need to adopt some method to flag any such mandatory restrictions in the record.
3. If a provider intends to use PHI for fundraising purposes, it must inform the individual of that intent and of the individual’s right to opt out of receiving fundraising communications.
4. The NPP must inform the individual of the right to be notified following a breach of the individual’s unsecured PHI.
5. The NPP must advise the individual that PHI may not be sold without the individual’s express written authorization.
6. One prior requirement for NPPs has been removed: NPPs should no longer include a statement that the provider may send communications regarding treatment alternatives or health-related products or services if the provider is paid by a third party to make the communication. This change is due to the fact that the Omnibus Rule treats subsidized treatment communications as marketing and requires the individual’s authorization before such communications can be made.
7. A health care provider that maintains a physical service delivery site must make the NPP available at the site for individuals to take with them, and also must post the NPP in a “clear and prominent” location where individuals will be able to read it.
8. When an NPP is revised, as it must be by September 23, 2013, a health care provider is not required to mail out the new NPP; instead, it must make the new NPP available to individuals upon request on or after the effective date of the revision, and follow change 7 above, if applicable. Of course, any new patient encounter after the revision will require delivery of the NPP and an attempt to have the patient acknowledge receipt of the NPP.