HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Ten Days, Ten Tips – Countdown to Omnibus Rule Compliance #2

Posted in HIPAA Enforcement

Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements.  Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as tips TWO through SEVEN if I run out of time!) –

TIP TWO:

Update your Notice of Privacy Practices. 

You can make this process easier by reviewing the Model Notices of Privacy Practices (NPP) released today by ONC and the HHS Office for Civil Rights.  You should customize the NPP to meet your specific needs, but note these key Omnibus Rule changes: 

* You must point out that certain uses and disclosures of protected health information (“PHI”) require an individual’s written authorization (use or disclosure of psychotherapy notes, use or disclosure of PHI for marketing purposes, and the sale of PHI), and advise individuals that they have the right to revoke this authorization;

* If you use PHI for fundraising purposes, you must separately state this fact and advise individuals of their right to opt out of receiving fundraising communications (note also that you can only use certain types of PHI for fundraising purposes, but this will be discussed in a separate tip);

* You must state that affected individuals have a right to be notified of a breach;

* If you are a health plan (other than a long-term care insurance plan) and you use PHI for underwriting purposes, you must include a statement that you are prohibited from using or disclosing genetic information that is PHI for these purposes; and

* You must tell individuals that they have the right to request restrictions on disclosures of their PHI, and that you must honor this request in most circumstances where the individual (or someone else on behalf of the individual) pays out of pocket for a service or item and requests that PHI related to the service or item not be disclosed to a health plan (see TIP ONE, posted here).

  • Susan Sherred

    Is there a specific part of the CFR that says I must have a statement regarding “marketing” in my notice? My old one had it and the statement reserving the right to change it, but since we don’t engage in marketing, can I remove it, or is it best to keep it in just in the event that marketing situations change?