Earlier this year, the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) issued its long-awaited omnibus regulations that make significant modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. These modifications are the result of statutory changes required under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). Covered entities must update and post a revised Notice of Privacy Practices (NPP) prior to the September 23, 2013, compliance deadline.

Pursuant to the final omnibus rule, NPPs are to be updated to include the following:

  • A statement that most disclosures of psychotherapy notes, uses and disclosures for marketing purposes, and disclosures that constitute the sale of protected health information (PHI) require authorization. If a covered entity does not record or maintain psychotherapy notes, the covered entity is not required to include a reference to such notes within this statement.
  • A statement that other uses and disclosures not described in the covered entity’s NPP will be made only with the authorization of the individual. 
  • A statement regarding fundraising communications and an individual’s right to opt out of such communications in the event that the covered entity intends to engage in fundraising activities. The statement need not include the mechanism for opting out of such communications as each solicitation from the covered entity must reference the mechanism for opting out.
  •  A statement informing individuals of their right to restrict certain disclosures of PHI to a health plan where the individual or someone on his or her behalf pays out of pocket for the health care item or service provided.
  • A statement informing individuals of their right to be notified following a breach of their unsecured PHI. The statement is only required to be a simple statement of the right to breach notification, and a covered entity is not required to disclose how the entity will evaluate whether PHI has been compromised under the Breach Notification Rule or include a description of the regulatory requirements.
  • For health plans that perform underwriting, a statement that they are prohibited from using or disclosing genetic information for underwriting purposes. The underwriting prohibition under GINA does not include long-term care polices but applies to all other health plans as defined under HIPAA.

In addition to mandatory changes to the NPP, health care providers might consider whether other amendments to the final rule should be included within the provider’s notice. For example, the NPP might include a statement regarding (1) an individual’s right to a copy of PHI maintained electronically by the covered entity, (2) an individual’s ability to have immunization records sent directly by the covered entity to a school and (3) the applicable time frames for an individual’s access to his or her PHI.


The final rule, which became effective March 26, 2013, provides for an implementation grace period. Under the grace period, all covered entities have until September 23, 2013 to comply with all applicable requirements of the rule with the exception of the business associate requirements for which a longer period may apply.

With respect to a health plan that currently posts its NPP on its website, the plan must (1) post a revised NPP on its website on the date the revised notice becomes effective and (2) provide a copy of the revised notice or information on how to obtain one in its next annual mailing to individuals covered by the plan.

Health plans that do not have a customer service website are required to provide a copy of the revised NPP or information on how to obtain one to individuals covered by the plan within 60 days of the revision of the notice. Health plans should provide both paper and web-based copies of the NPP in a manner accessible to all beneficiaries of the plan, including those with disabilities.

Health care providers with an existing direct treatment relationship with an individual (1) are required to make their revised NPP available upon request on or after the effective date of the revised notice, (2) must comply with the requirement to have the NPP available at the delivery site and (3) must post the revised notice in a clear and prominent location. The revised notice should be given to all new patients and an acknowledgment of receipt of the NPP signed by the patient is to be maintained by the health care provider.

If a covered entity has previously revised and distributed its Notice of Privacy Practices in response to HITECH, GINA or the requirements of state law and such revisions satisfy the requirements of the final rule, the covered entity need not further revise and redistribute its Notice of Privacy Practices.