
Now Is the Time to Update Your Notices of Privacy Practices

By Jason T. Froggatt, Sarah L. Bhagwandin, and Elizabeth J. Deckman
08.05.13

If you sponsor a group health plan that is subject to the HIPAA Privacy and Security Rules, it is time to review, revise, and redistribute your Notices of Privacy Practices.

On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued significant new guidance on the rules that govern protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Omnibus Rule implements most of the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act and extends the reach of HIPAA. It will require group health plans and their business associates to make changes to their policies and procedures, Notices of Privacy Practices, and business associate agreements. 

Group health plans must provide each participant with a Notice of Privacy Practices describing PHI, individuals’ rights with respect to their PHI, and the rules governing the use and disclosure of PHI. Under the Omnibus Rule, effective Sept. 23, 2013, the Notice of Privacy Practices must include certain new information, including: (a) a statement regarding an individual’s right to receive notifications when their PHI has been impermissibly used or disclosed; (b) if the covered entity engages in fundraising, a statement regarding the entity’s fundraising activities and the right to opt out of receiving further communications; (c) a statement that certain uses of PHI require individual authorization, including any use or disclosure for marketing purposes, any use or disclosure that constitutes a sale of PHI, most uses and disclosures of psychotherapy notes (to the extent the plan maintains psychotherapy notes), and any other use or disclosure not described in the Notice of Privacy Practices; and (d) a statement that the group health plan is prohibited from using genetic information for underwriting.

Once these changes are made to the Notice of Privacy Practices, employers must distribute the new notice. Employers with benefits websites must post the revised notice by Sept. 23, 2013, and include the revised notice in their next annual mailing to plan participants. Employers who do not maintain a benefits website have until Nov. 22, 2013, to distribute the updated notice.

For a further discussion of the changes made by the Omnibus Rule, please see our related advisory.

For a discussion of the small employer exception, please see our advisory on HIPAA compliance for small group health plans.

©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.