The rules introduce new content requirements for HIPAA privacy notices and require redistribution of the updated notices. These requirements apply directly to covered entities.
In addition to the existing HIPAA privacy rule requirements, the new rules require the HIPAA privacy notice to inform individuals that:
- They have a right to be notified following a breach of their unsecured PHI
- They may be contacted to raise funds and have the right to opt out of receiving such communications
- Most uses of and disclosures of PHI for marketing purposes and sales of PHI require the individual’s authorization (entities that record or maintain psychotherapy notes also must state specifically that most uses or disclosures of such notes require the individual’s authorization)
- Uses and disclosures not described in the privacy notice will be made only with the authorization from the individual
- Covered health care providers must also state in their privacy notices that individuals have the right to restrict certain disclosures of PHI to a health plan when the individual (or any person other than the health plan) pays out of pocket, in full, for the treatment at issue.
Breach Notification Requirement Update
The rules comprehensively update the requirements for investigating and responding to potential breaches of unsecured PHI. Previously, a covered entity was required to notify individuals only if the breach exposed them to a “significant risk of financial, reputational or other harm”. Under the new rules, breach notification must be delivered to every affected individual unless a risk assessment shows that there is a low probability that the PHI has been compromised.
The required risk assessment to determine the probability of PHI compromise must be thorough, completed in good faith, and reach conclusions that are reasonable. To meet these requirements, the risk assessment must consider at least:
Expansion of Individuals’ Rights
The rules expand individuals’ rights to restrict certain disclosures of their PHI and enhance individuals’ access to their PHI. Specifically, the rules require covered entities to comply with an individual’s request to restrict disclosure of his or her information whenever the disclosure satisfies all three of the following conditions:
- The disclosure is for purposes of carrying out payment or healthcare operations
- The disclosure is not otherwise required by law or regulations (including Medicare, Medicaid, and other requirements)
- The PHI subject to the request pertains solely to a health care item or service for which the individual (or family member, or anyone other than the health plan) paid in full.
This restriction also bars the corresponding disclosures to business associates. Under the rule, the individual retains the discretion to decide which services he or she wants to pay for out of pocket. A disclosure of PHI that violates an agreed restriction is a violation of the privacy rule and may therefore trigger breach response and notification obligations.
For more information on our Technology Partners HIPAA Compliance Services, contact Brian Rosenfelt by leaving a comment below or by calling 440-449-6800.