HHS Makes Final Updates to HIPAA Privacy and Security Rules

The HIPAA Omnibus Rule becomes enforceable today, Monday, September 23, although the Department of Health and Human Services’ Office for Civil Rights (OCR) has just announced an enforcement delay for certain covered entities to give them more time to update their Notices of Privacy Practices (NPPs).

The Omnibus Rule requires all laboratories covered under HIPAA to update their NPPs. However, laboratories that are certified or exempt under the Clinical Laboratory Improvement Amendments (CLIA), along with other covered entities that are currently relieved of the HIPAA Privacy Rule requirement to provide patients with access to their laboratory test results, will be given more time to do so.

The delay does not apply to laboratories that are part of larger healthcare organizations and do not have their own laboratory-specific NPPs; those organizations must update their NPPs on the normal schedule.

The delay was deemed necessary because two rules that each require NPP updates are arriving close together. The Omnibus Rule comes into force today, September 23, and a separate pending rule concerning CLIA, which amends § 164.524 of the Privacy Rule to give patients access to their laboratory test results, is due to come into force in the near future. HHS decided that having to make two NPP amendments in quick succession would place too great a burden on these covered entities.

OCR will therefore not enforce the NPP update requirement against the above entities for the time being, and will issue a notice 30 days before the enforcement deadline for these covered entities. All other covered entities are required to have updated their NPPs by today.

The Omnibus Rule and Refill Reminders

The Privacy Rule restricts the use of PHI for marketing purposes: a marketing communication is only permitted if the individual has given written authorization, in effect “opting in” to receive it.

In the case of refill reminders, there is an overlap between “marketing” and communications sent for healthcare purposes and the treatment of medical conditions. Refill reminders, and other communications relating to treatment the individual is already receiving, are therefore excluded from the definition of marketing provided that any “financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication.”

Because the phrase “reasonably related to the cost” is open to interpretation, the Department of Health and Human Services has clarified this aspect of the Privacy Rule to prevent confusion.

Communications that involve no financial remuneration at all, that involve only in-kind (non-financial) remuneration such as the provision of computers or supplies, or for which payment is made by an entity other than the one whose drugs are being supplied, all fall within this exception.

If a pharmaceutical manufacturer or other third party provides remuneration that covers only the reasonable costs of sending the refill reminders (for example the cost of printing, mailing, labor and other overheads), the communication also falls within this exception, as do payments made to a Business Associate tasked with issuing the reminders on behalf of the covered entity, up to the fair market value of the business associate’s services.

Other Exemptions

The Privacy Rule permits covered entities to “disclose proof of immunization about a student or prospective student to a school that is required by State or other law to have such proof prior to admitting the student.” However, where the student is an unemancipated minor, the covered entity must obtain, and document, agreement from a parent, guardian, or other person acting in loco parentis of the student.

Disclosure of Health Information of Deceased Individuals

The Privacy Rule protects an individual’s health information for 50 years following their death; however, HHS has issued further clarification on when this information may be disclosed.

Covered entities are permitted to disclose a decedent’s PHI to law enforcement where there is suspicion about the cause of death or the death may have resulted from criminal conduct. PHI may also be disclosed to coroners, medical examiners and funeral directors, and for research that relates solely to the PHI of decedents.

It is also permissible to disclose PHI to organ procurement organizations or other entities “engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.”

Finally, a decedent’s PHI may be disclosed “to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.