The omnibus final rule, modifying and implementing certain regulations promulgated pursuant to HIPAA and HITECH (hereafter, the Final Rule), became effective March 23, 2013, with the compliance date for most provisions being September 23, 2013. While there are many aspects of HIPAA and HITECH addressed by the Final Rule, this client alert is intended to address certain healthcare provider patient practices and notices that will need to be assessed and modified prior to the Final Rule compliance date.
Patients Are Now Permitted to Restrict Disclosures of Certain PHI
Pursuant to the Final Rule, patients may now self-pay for services and then restrict the disclosure of those services to insurers and health plans. This allows patients to control the release of certain of their PHI and places the burden upon covered entities that are healthcare providers to ensure that documentation pertaining to such services is not so disclosed. As this requirement goes into effect as of September 23, 2013, healthcare providers must assess now and consider the best ways to flag and segregate such information.
Related and Additional Changes to the NPP Necessitated by the Final Rule
Related to this restriction on the disclosure of certain self-pay services is the Final Rule requirement that healthcare providers modify their Notice of Privacy Practices (NPP) in order to provide patients with notice that they have this right. This change to the NPP is one of several established by the Final Rule. Under the Final Rule, a covered entity’s NPP must:
- Contain a statement that an authorization is required for most uses/disclosures of psychotherapy notes, uses and disclosures of PHI for marketing and disclosures for the sale of PHI.
- Provide that if a covered entity intends to send fundraising communications, the individual has the right to opt out of receiving such fundraising communications. This opt-out option must be clear and conspicuous, and it must not cause an undue burden on the individual (e.g., treatment or payment may not be conditioned upon the waiver of this option). The covered entity must also take reasonable measures to ensure that no further fundraising communications are delivered after the opt-out option has been exercised.
- Advise the individual that he/she is entitled to be notified following a breach of his/her unsecured PHI.
- Where the covered entity is a health plan, provide (pursuant to GINA) that, except in the case of long-term care insurers, the individual’s genetic information will not be used/disclosed for underwriting purposes.
These changes are deemed material under the Final Rule and, hence, require covered entities to deliver modified NPPs to new patients, make them available on request, and post them in prominent locations and on their websites.
Notes
The Health Insurance Portability and Accountability Act (“HIPAA”) was originally signed into law August 21, 1996 and required the United States Department of Health and Human Services to adopt national standards to enable the electronic exchange of protected health information (“PHI”) if Congress did not do so within three years. Congress failed to do so; as a result, the Privacy, Security, Enforcement and Breach Notification Rules were promulgated.
HIPAA was dramatically altered by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). While signed into law February 17, 2009, many of its requirements were not implemented until the Final Rule.
This requirement is only applicable to healthcare providers. Other covered entities are not required to agree to such restrictions.
Likewise, covered entities who are not healthcare providers can state in their NPP that they are not required to agree to such an individual’s requested restriction.
The Privacy Rule sets forth other NPP requirements not modified by the Final Rule with which healthcare providers must also comply.
GINA is the Genetic Information Nondiscrimination Act of 2008.
Kristen M. Chatterton