In addition to the many aspects of the new HIPAA rules modifying the existing HIPAA Privacy and Security Rules, if the proposed rules are finalized, covered entities will be required to make “material modifications” to their Notice of Privacy Practices (“Notice”) therefore triggering obligations to revise and distribute the “new” Notices. For example, covered entities will have to revise their Notices consistent with new changes to the patient rights portion of the rule. Specifically, although the current rules allow a covered entity to decline to accept a patient’s request for restrictions as stated in the Notice, the proposed rules require a covered entity to agree to a patient’s request not to disclose protected health information (“PHI”) to a health plan if the purpose of the disclosure to the plan is for carrying out payment or health care operations and the PHI pertains solely to health care services for which the patient or, another person on behalf of the patient, has paid the covered entity in full. In other words, a patient can restrict a health care provider from disclosing PHI to the patient’s health plan as long as the patient pays out of pocket for the service in full. Importantly, if the patient’s payment is not honored (e.g., the check bounces), the provider is permitted to submit the PHI to the health plan in order to be paid for the service. The health care provider need only comply with the restriction for services in which the provider is paid in full. The Office of Civil Rights (“OCR”) makes clear that it does not believe that the intent of the HITECH ACT was to allow patients to avoid their payment obligations to health care providers. The proposed regulations also would require changes to the Notice regarding notifying patients which uses and disclosures require an authorization. The proposed rules would also require covered entities to disclose to patients that most disclosures for PHI for which the covered entity receives remuneration require authorization. The Notice will also have to be revised to reflect the new requirements concerning marketing and subsidized treatment communications. The OCR is also soliciting comments on whether the Privacy Rule should require that the Notice contain a required statement advising patients of the new breach notification obligations with respect to breaches of unsecure information.
Notably, the OCR states that the change to the existing patient rights rule and other changes noted above are “material” thus requiring all covered entities who have Notice obligations to revise their Notices and reissue them. This means that although the handing out of a Notice to a patient is typically a one-time obligation (i.e., continuing patients need not be offered a Notice at every visit), the provider will now have to ensure that all patients are provided a new Notice at their next visit and maintain a copy of the patient’s acknowledgment that they have been given a copy of the new Notice. Many providers have not revised their Notices since inception of the Privacy Rule and thus have not had the burden of providing all existing and continuing patients with new Notices. Importantly for health plans, the OCR recognizes that revising and redistributing Notices within 60 days of material changes for health plans is a costly process and thus the OCR is seeking comments on ways in which plans could inform individuals of the changes without imposing a large burden. The OCR is considering many options such as replacing the current 60 day requirement with a requirement that the plan redistribute the new Notice in the next annual mailing such as at the beginning of the plan year or during the open enrollment period and is also considering whether it should make no changes. Obviously, it is in the best interest of plans to proactively comment to the OCR on this important issue.
For more information on HIPAA and the HITECH Act, please contact Abby Pendleton, Esq., Jessica L. Gustafson, Esq. or Esq.