The following information was submitted by Elizabeth Hogue, Esq.:
The U.S. Department of Health and Human Services (HHS) has issued final rules to:
- Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals’ health information;
- Modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comments received on the interim final rule;
- Modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title 1 of the Genetic Information Nondiscrimination Act of 2008 (GINA); and
- Make other modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to improve their workability and effectiveness, and to increase flexibility and decrease burden on regulated entities.
The final rules were published in the Federal Register on January 25, 2013, and will be effective on March 26, 2013. Covered entities and business associates must comply with the final rules by September 23, 2013. This is the third in a series of articles that will address key provisions of the rules, their impact on post-acute providers, and practical solutions for compliance.
With regard to disclosures, the new rules allow covered entities to disclose information about deceased patients to family members and others, in addition to personal representatives. Information may be disclosed to family members and others who were involved in the care or payment for the care of decedents prior to their deaths, unless such disclosures are inconsistent with prior expressed preferences of decedents known to providers.
Providers are now required to make changes to notices of privacy practices and to distribute new notices that include changes required by the final rules. Providers are required, for example, to include uses and disclosures of protected health information, but should not specify a list of all circumstances in which authorization is required. Instead, covered entities can list categories that require authorization, such as:
- Psychotherapy notes;
- Marketing; or
- Sale of protected health information.
Revised notices must include a statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with authorization from individuals. Notices must also include statements related to individuals’ right to opt out of fundraising communications and the right to restrict disclosures of protected health information to health plans when individuals pay out of pocket in full for items or services.
Still more information to come about the final rules.
©2013 Elizabeth E. Hogue, Esq. All rights reserved.
NOTE: the Alliance is sponsoring a conference on these new regulations on March 27th at the Best Western Royal Plaza in Marlborough.