September 23 Deadline to Comply with the New HITECH Regulations Is Fast Approaching
September 23 is the deadline for complying with most of the provisions of the final rule implementing the privacy and security provisions of the HITECH Act. The final rule was released in January of this year. Our summary is available here.
We would like to take this opportunity to remind our clients and friends that if you have not already done so, you should engage in the following activities, to the extent necessary, prior to September 23:
- Review and revise your privacy and security policies and procedures to comply with the final rule;
- Revise your Notice of Privacy Practices to comply with the final rule and your revised policies and procedures;
- Revise your business associate agreement (BAA) form to comply with the final rule. The revised BAA must be used for all new agreements entered into after January 25, 2013. However, the final rule allows additional time to amend BAAs entered into prior to January 25, 2013: such BAAs need not be amended until September 22, 2014, unless they are modified sooner for other reasons, in which case the new changes must be incorporated at that time.
As a service to our clients, we have prepared a basic BAA form that incorporates the required changes as we understand them. The form is available here.
It should not be used without review by legal counsel. Our form is intended to include all the required provisions, with optional provisions expressly contemplated by the Privacy Rule in brackets. Other provisions, such as indemnification provisions, may be added, as long as they are not inconsistent with the required provisions. The Department of Health & Human Services has also published a form, available here.
The final rule requires the following modifications to notices of privacy practices:
- If the covered entity uses protected health information (PHI) for fundraising, the notice of privacy practices must inform individuals that they have the right to opt out of fundraising solicitations. Currently, the notice of privacy practices must inform patients that they may be contacted for fundraising, and the solicitation itself must tell the individual how to opt out. Under the final rule, the notice of privacy practices must also explain the opt-out right.
- The notice must inform individuals of the covered entity’s obligation to notify them following a breach of unsecured protected health information.
- Currently, the notice must advise the individual of his or her right to request restrictions on use or disclosure. It must also include a statement that the covered entity is not required to agree to the request. Under the final rule, that statement must now also say that the covered entity is required to agree to a request not to disclose PHI to a health plan for payment or health care operations purposes where the individual (or someone on the individual's behalf) has paid for the item or service out of pocket in full.
- If the covered entity intends to use or disclose psychotherapy notes in circumstances requiring authorization, or to use or disclose PHI for marketing, or to sell PHI, the notice of privacy practices must inform the individual that an authorization is required for these purposes.
- If the covered entity is a health plan that intends to use or disclose PHI for underwriting purposes, the notice must contain a statement that it is prohibited from using or disclosing genetic information for such purposes.
The notice of privacy practices no longer has to inform patients that the covered entity may contact them to provide appointment reminders or information about treatment alternatives or health-related benefits or services. However, there is no requirement that this be removed.
The HHS Office for Civil Rights (OCR) has said that these changes are material, and they therefore trigger the notification requirements that apply to a material revision of the notice. Currently, health plans are required to notify covered individuals within 60 days of a material revision.
For a health plan that has a web site, this is replaced with a requirement to post the revised notice prominently on its web site by the effective date of the change and to include the revised notice, or information about the change and how to obtain it, in its next annual mailing to covered individuals. A health plan that does not have a web site must still provide the revised notice, or information about the change and how to obtain it, within 60 days. There is no change in the rule for health care providers: they must simply provide the revised notice to all new patients and to anyone else on request, and post it and make it available at their service delivery sites.
Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including compliance counseling, policies and procedures, workforce training and managing data breaches.
For more information, please contact: In San Francisco, Paul Smith, Steve Phillips, or Clark Stanton at 415.875.8500; in Los Angeles, Hope Levy-Biehl, Karl Schmitz, or Amy Joseph at 310.551.8111; and in Washington, D.C., Bob Roth at 202.580.7700.