Now Is the Time to Update Your Notices of Privacy Practices

If you sponsor a group health plan that is subject to the HIPAA Privacy and Security Rules, it is time to review, revise, and redistribute your Notices of Privacy Practices.

On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued significant new guidance on the rules that govern protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Omnibus Rule implements most of the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act and extends the reach of HIPAA. It will require group health plans and their business associates to make changes to their policies and procedures, Notices of Privacy Practices, and business associate agreements. 

Group health plans must provide each participant with a Notice of Privacy Practices describing PHI, individuals’ rights with respect to their PHI, and the rules governing the use and disclosure of PHI. Under the Omnibus Rule, effective Sept. 23, 2013, the Notice of Privacy Practices must include certain new information, including: (a) a statement regarding an individual’s right to receive notifications when their PHI has been impermissibly used or disclosed; (b) if the covered entity engages in fundraising, a statement regarding the entity’s fundraising activities and the right to opt out of receiving further communications; (c) a statement that certain uses of PHI require individual authorization, including any use or disclosure for marketing purposes, any use or disclosure that constitutes a sale of PHI, most uses and disclosures of psychotherapy notes (to the extent the plan maintains psychotherapy notes), and any other use or disclosure not described in the Notice of Privacy Practices; and (d) a statement that the group health plan is prohibited from using genetic information for underwriting.

Once these changes are made to the Notice of Privacy Practice, employers must distribute the new notice. Employers with benefits websites must post the revised notice by Sept. 23, 2013, and include the revised notice in their next annual mailing to plan participants. Employers who do not maintain a benefits website have until Nov. 22, 2013 to distribute the updated notice.

For a further discussion of the changes made by the Omnibus Rule, please see our related advisory.

For a discussion of the small employer exception, please see our advisory on HIPAA compliance for small group health plans.