HIPAA Notice of Privacy Practices, Understanding Required Changes
By: Jennifer Kirschenbaum, Esquire
Effective as of September 23, 2013, your practice (whether hospital based or private) was and is required to have adopted changes to your current HIPAA policies and procedures. The required changes, when reviewed objectively, are arguably geared toward the trend of moving to a patient-centered, transparent healthcare delivery system. The purpose of this article is to highlight the requirements most relevant to each practitioner’s practice and to serve as a checklist for compliance. We will also briefly discuss the ramifications of noncompliance. Prior to delving further, be advised that the required changes for many practices are far from onerous; however, compliance may easily be confirmed and noncompliance punitively punished.
The most overt change to the HIPAA rules is the requirement that each and every Notice of Privacy Practices nationwide be updated to include several new concepts notifying patients of how their protected health information may be utilized. A Notice of Privacy Practices is already a required document for every “covered entity”, which includes physician practices (whether hospital based or private). The Notice of Privacy Practices details how a practitioner or practice may use or disclose protected health information, including disclosures for treatment, payment and operations purposes, as well as disclosures to the patient and to third parties such as the government. The Final Omnibus Rule, published in January 2013 and effective September 23, 2013, requires the addition of several concepts to every Notice of Privacy Practices. The changes may not appear significant or relevant to your practice, but, as will be discussed below, noncompliance may result in significant liability and an unnecessary administrative process. Presuming that your practice’s Notice of Privacy Practices already complies with the prior requirements for delineating the uses and disclosures such a policy must address, the following topics are now required for inclusion: (a) Marketing; (b) Sale; (c) Fundraising; and (d) Psychotherapy Notes. Each is addressed in turn.
(a) Marketing. Every Notice of Privacy Practices must have a provision explaining that the Practice is required to obtain an authorization for any use or disclosure of protected health information for marketing purposes, except if the communication is (A) face to face; or (B) a promotional gift of nominal value. The Omnibus Rule defines marketing as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, except (i) refill reminders or other communications about drugs or prescriptions the patient is on, where any remuneration the covered entity receives in exchange for making the communication is reasonably related to the Practitioner's cost of making the communication; and (ii) communications for treatment purposes, case management or care. In addition, if the marketing involves financial remuneration to the Practitioner from a third party, the subsequent authorization must disclose that such remuneration is involved.
(b) Sale. The Notice of Privacy Practices must have a provision stating that the Practitioner must obtain an authorization should the Practitioner sell patient protected health information and gain from such sale. Under the new HIPAA rules, a Practitioner may sell patient protected health information without obtaining an authorization where the information is used for research and the only remuneration is a reasonable cost-based fee to cover the cost to prepare and transmit it, and where the information is transmitted for the sale, transfer, merger or consolidation of all or part of the Practice and for related due diligence.
(c) Fundraising. The Notice of Privacy Practices must contain a provision stating that patient protected health information may be used or disclosed for fundraising, and that with each fundraising communication the patient shall have an opportunity to opt out of future requests.
(d) Psychotherapy Notes. The Notice of Privacy Practices must have a statement regarding the use and disclosure of psychotherapy notes, regardless of whether you are the Practitioner creating such notes or a Practitioner practicing psychotherapy. Every Practitioner in practice is required to incorporate statutorily mandated language addressing the permitted uses of psychotherapy notes without additional authorization, because any patient may have such notes transferred to the Practitioner as part of their medical record.
Understanding each of the above-mentioned required inclusions in your Notice of Privacy Practices is important, as each requirement may trigger an additional obligation to obtain a separate authorization prior to using patient protected health information for a particular purpose. Once your Notice of Privacy Practices has been updated, either through your own efforts or by working with a qualified healthcare attorney or consultant, a crucial step is proper implementation. The updated Notice of Privacy Practices is required to be posted in a clear and prominent location where it is reasonable to expect patients to view it. The new Notice of Privacy Practices must also be available upon request on or after the effective date of any revision. For those Practitioners with websites, it is recommended to post your Notice of Privacy Practices to the site so patients may access it. It is advisable to have printed versions available in your waiting room for distribution to patients.
Patients are not required to sign your Notice of Privacy Practices, but it is certainly advisable that, in the paperwork you distribute to patients, you require patients to indicate that they have had an opportunity to review the Notice of Privacy Practices and acknowledge such opportunity or receipt. Typically our office incorporates this consent into the document used to confirm appropriate contact points for the patient – whether the Practitioner may contact the patient via email and/or phone, and whether the patient authorizes messages.
For many practitioners, the challenge with the new HIPAA requirements is recognizing an instance where additional protections are necessary for patient protected health information, as prior to this new requirement such vigilance was not their standard practice. That challenge may be best met not only by implementing a modified Notice of Privacy Practices at your office, but also by providing education and training to your staff so that they understand the Practice’s obligation to identify those instances when an additional authorization may be required, and know the form in which that authorization must be obtained.
The stakes for HIPAA compliance are high, and the likelihood of discovery of noncompliance is now higher. The Office for Civil Rights (“OCR”), the arm of the Federal government responsible for HIPAA oversight, is now required to impose monetary penalties for HIPAA noncompliance; the penalties incurred may vary based on the extent of the noncompliance and the intent behind any breach. OCR is also, as of September 23, 2013, mandated to begin auditing to confirm that practitioners are in compliance. Prior to the new HIPAA rules, OCR would only initiate an inquiry upon complaint, which minimized audit exposure for many. Now, OCR is tasked with actively policing HIPAA compliance. Also disconcerting, OCR is now authorized to participate in “agency share”, meaning that if OCR believes the Practitioner has improper procedures with regard to HIPAA and suspects other areas of the practice may not be in compliance, OCR may now refer the Practitioner to the Office of Inspector General for Medicare fraud issues or potentially to the Department of Justice.
Bottom line: HIPAA compliance, while previously more of an afterthought requiring basic patient cooperation and certain forms to be maintained on file, should now, with updated requirements and increased scrutiny by OCR, be considered a major priority. It is imperative for each Practitioner nationwide to abide by the new HIPAA rules and to take measures in their individual practices to conform and to ensure employee conformance. Importantly, while they add an administrative process, the changes to the HIPAA laws are not overly burdensome, and compliance begins with a proper Notice of Privacy Practices being implemented and followed accordingly.
This article summarizes the new requirements for Notice of Privacy Practices and does not exhaust HIPAA compliance requirements. To view a free HIPAA webinar discussing required changes visit: www.practicewebinars.com. To discuss your practice’s compliance needs contact Jennifer at 516-747-6700 x302 or Jennifer@Kirschenbaumesq.com. To view available policies visit www.healthcarepracticecompliance.com.
Jennifer Kirschenbaum, Esq., manages Kirschenbaum & Kirschenbaum’s healthcare department, which specializes in representing healthcare practitioners in regulatory compliance, audit defense, licensure, and transactional matters. She may be reached at 516-747-6700 x302 or by e-mail at Jennifer@kirschenbaumesq.com. For more information about our firm, visit www.kirschenbaumesq.com.