
HIPAA Final Rule: Notice of Privacy Practices for Protected Health Information: Content of Notice (1)

March 22, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

We begin a two-day examination of the modifications pertaining to 45 CFR 164.520:  Notice of Privacy Practices for Protected Health Information.  Today, we focus on modifications to 164.520(b): Implementation specifications:  Content of Notice, and Monday, March 25, on modifications to 164.520(c):  Implementation specifications: Provision of notice.

Modifications to 164.520(b):  Implementation specifications:  Content of notice

“(1) Required elements.

“(ii) Uses and disclosures.  The notice must contain:

“(E) A description of the types of uses and disclosures that require an authorization under 45 CFR 164.508(a)(2)–(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization as provided by 164.508(b)(5).”

78 Federal Register 5701

Here are the provisions for 45 CFR 164.508 referenced in 164.520(b)(1)(ii)(E), with modifications shown in bold:

“(a)(2) Authorization required:  Psychotherapy notes.

“(a)(3) Authorization required:  Marketing.  (ii) If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at 164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved.

“(a)(4) Authorization required:  Sale of protected health information. (i) Notwithstanding any provision of [the HIPAA Privacy Rule], other than the transition provisions in 164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in 164.501 of [the HIPAA Privacy Rule]. (ii) Such authorization must state that the disclosure will result in remuneration to the covered entity.

“(b)(5) Revocation of authorizations.”

78 Federal Register 5699

Continuing with the modifications to 45 CFR 164.520(b)(1):  Content of Notice:  Required elements:

“(iii) Separate statements for certain uses or disclosures.  If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement informing the individual of such activities, as applicable:

“(A) In accordance with 164.514(f)(1) [Fundraising communications: Standard:  Uses and disclosures for fundraising, as modified at 78 Federal Register 5700], the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;

“(B) In accordance with 164.504(f) [Standard:  Requirements for group health plans, as modified at 78 Federal Register 5698], the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; or

“(C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.”

78 Federal Register 5701

Here are two references mentioned in the provisions immediately above:

In (iii), “(b)(1)(ii)(A)” is:  “A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by [the HIPAA Privacy Rule] to make for each of the following purposes:  treatment, payment, and health care operations.”

In (C), “(1)(viii) of the definition of health plan” is:  “An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy.”  78 Federal Register 5689

“(iv) Individual rights.

“(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by 45 CFR 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under 164.522(a)(1)(vi);”

78 Federal Register 5701

Here is the content, as modified (in bold), for 164.522(a)(1)(vi), as referenced immediately above:

“A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:

(A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and

(B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.”

78 Federal Register 5701

“(v) Covered entity’s duties.

“(A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;”

78 Federal Register 5701

We provide here the content of the Final Rule preamble that underpins the Notice of privacy practices for protected health information:  Implementation specifications—Content of Notice, with reference to the modified provisions above:

“First, the final rule adopts the modification to 45 CFR 164.520(b)(1)(ii)(E), which requires certain statements in the NPP regarding uses and disclosures that require authorization. We note that, contrary to some commenter concerns, the final rule does not require the NPP to include a list of all situations requiring authorization. Instead, the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization, as well as a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual.

“The final rule does not require the NPP to include a description of a covered entity’s recordkeeping practices with respect to psychotherapy notes; however, covered entities are free to include such additional information in their NPP if they choose. Additionally, in response to requests by some commenters, we clarify that covered entities that do not record or maintain psychotherapy notes are not required to include a statement in their NPPs about the authorization requirement for uses and disclosures of psychotherapy notes.

“Second, because the final rule treats all subsidized treatment communications as marketing communications, we have not adopted the proposal to require a statement in the NPP about such communications and the ability of an individual to opt out….

“The final rule, however, adopts the proposed requirement for a statement in the NPP regarding fundraising communications and an individual’s right to opt out of receiving such communications, if a covered entity intends to contact an individual to raise funds for the covered entity. Because individuals will be provided the opportunity to opt out of fundraising communications with each solicitation, the final rule does not require the NPP to include the mechanism for individuals to opt out of receiving fundraising communications, although covered entities are free to include such information if they choose to do so.

“The final rule also adopts the proposal that the NPP inform individuals of their new right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the health care item or service. Only health care providers are required to include such a statement in the NPP; other covered entities may retain the existing language indicating that a covered entity is not required to agree to a requested restriction.”

78 Federal Register 5624

On Monday, March 25, we present 45 CFR 164.520(c): Implementation specifications:  Provision of Notice.

Ed Jones, Author & Healthcare Authority
