Final Omnibus Rule Requires Updates to HIPAA Privacy Policies, Notices of Privacy Practices and Business Associate Agreements

September 23, 2013 is the deadline for covered entities and business associates to comply with the changes made to the HIPAA regulations as a result of the Final Ominbus HIPAA rule (“the Final Rule”). Some examples of policies that should be reviewed for compliance with the new regulations include the following:

The Final Rule includes new obligations and clarifications regarding uses or disclosures that require a signed authorization, removes certain exceptions to the definition of “marketing” and requires that any treatment or health care communications for which a covered entity receives remuneration be sent only after obtaining a signed authorization.

The exception for certain disclosures to friends and family members involved in the patient’s care has now been extended to allow the continuation of such communications after a patient’s death.

A new exception was created to allow for disclosure of proof of immunization to a school. Such disclosures may be made based on oral agreement by a student’s parent, guardian or other person acting in loco parentis to the child and do not require a signed authorization.

The Final Rule requires all fundraising communications, including telephone calls, to include instructions to allow patients to opt out of future communications. The opt-out can be for all fundraising campaigns or just a specific campaign. The Final Rule also allows a broader scope of information to be used for fundraising, including department of service information, treating physician information, and outcome information.

As required by the HITECH Act, patients now have the right to restrict a covered entity from disclosing information regarding the treatment to a health plan if the patient paid out of pocket.

For information that is maintained electronically, covered entities are required to provide patients with electronic access in a form and format requested, if readily producible. Alternatively, patients may receive the electronic copy in another form and format agreed to by the parties, such as a PDF. If appropriately requested by the patient, a request may be made that the information be provided to a designee of the patient.

The Final Rule changes the definition of Breach to include more objective standards. As revised by the Final Rule, an acquisition, access, use or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule will be presumed to be a breach unless the covered entity can demonstrate that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the protected health information or to whom the disclosure was made;

3. Whether the protected health information was actually acquired or viewed; and

4. The extent to which the risk to the protected health information has been mitigated.

To the extent that the information discussed above is also included in a covered entity’s Notice of Privacy Policies (the HIPAA Notice), the HIPAA Notice must also be updated. The Final Rule also requires that additional specific statements be made in the Notice of Privacy Policies, including statements that an authorization is required for the disclosure of psychotherapy notes, marketing, the sale of protected health information, and other uses or disclosures that are not specifically discussed in the Notice of Privacy Practices. Covered entities that use information for fundraising will also be required to include information regarding the patient’s ability to opt-out of such communications. Health plans must also include statements that genetic information will not be used for underwriting purposes.

The Final Rule also requires that certain changes be made to business associate agreements, including an explicit requirement that the business associate comply with the Security Rule and report any breaches of unsecured protected health information, as well as enter into agreements with the same terms with any “downstream” business associate.

To have one of our experienced attorneys review your HIPAA policies and other documents for continued compliance, please contact us today.