A physician practice’s Notice of Privacy Practices (“NPP”) acts as the “roadmap” to the practice’s permitted uses and disclosures of its patients’ protected health information (“PHI”). September 23, 2013 was the deadline for revising NPPs to comply with the changes set forth in the 2013 HIPAA Omnibus Final Rule, meaning that any NPPs not so revised as of the date of this article are already past due. This article explains some of the changes made to the content of NPPs under the Final Rule, to assist the physician practice with confirming that necessary changes have been made.
- Each NPP must expressly state that the following actions require an individual’s written authorization: (i) any uses and disclosures of PHI for marketing purposes and (ii) any sale of PHI by the practice.
- If the practice records or maintains psychotherapy notes, then its NPP must include a statement that uses and disclosures of psychotherapy notes require an individual’s written authorization.
- If the physician practice intends to contact an individual for fundraising purposes, the physician practice must disclose in its NPP that it may contact the individual to raise funds, and specify that the individual has the right to opt out of receiving such communications.
- The NPP must include a statement that the affected individuals will be notified in the event of a breach of their unsecured PHI.
- The NPP must inform individuals of their right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.
Additionally, because these revisions are considered “material,” upon making these changes each practice must advise its existing patients of the change by providing a copy of the revised version at the patient’s next appointment. If the practice maintains the NPP on its website, the revised version must be promptly posted.