HIPAA Final Rule - What's a Covered Entity Supposed to Do?
Part Two of a Four Part Series
As anticipated, the Final Rule makes several changes to the HIPAA Privacy Rule including enhanced restrictions on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes. The rule also implements a prohibition against selling PHI, and it includes several new Notice of Privacy Practices (NPP) requirements which will require distribution of a new NPP.
One of the more notable aspects of the Final Rule involves modification of HIPAA's marketing restrictions. Marketing is defined as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. In a significant change from the Proposed Rule, the marketing definition does not require the communication to be made in exchange for financial remuneration in order to be regulated by the Final Rule.
The following types of communications are not considered to be marketing under the Final Rule:
- Refill reminders and certain communications regarding a drug or biologic currently being prescribed provided any financial remuneration received is reasonably related to the cost of making the communication.
- When no financial remuneration is received, communications for treatment and health care operation purposes:
- For treatment of an individual by a health care provider or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
- To describe certain health-related products or services that are provided by, or included in a plan of benefits of, the Covered Entity making the communication; or
- For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
In another significant change from the Proposed Rule, a Covered Entity must now obtain a patient's authorization prior to sending any marketing communications subsidized by third parties. Since authorization is required for all such communications, the Final Rule eliminates the proposed opt-out requirements. No authorization is required, however, if the communication is made face-to-face by the Covered Entity to the individual or consists of a promotional gift of nominal value provided by the Covered Entity.
The Final Rule implements fundraising requirements similar to those found in the Proposed Rule. Thus, Covered Entities may continue to use PHI to further fundraising efforts provided:
- The recipient is given a clear and conspicuous opportunity that does not cause undue burden to opt out of further communications;
- Treatment or payment cannot be conditioned on the individual agreeing to receive such communications; and
- The Covered Entity must ensure that such communications are not sent to individuals who opt out, rather than simply make a reasonable effort in that regard as is currently required.
Prohibition Against Selling Information
The Final Rule requires an individual's authorization before a Covered Entity discloses PHI in exchange for remuneration. Among other things, the sale of PHI does not include disclosure for the purposes of: (i) public health, (ii) treatment, and (iii) due diligence review of PHI related to the sale, transfer or consolidation of the Covered Entity. In order to sell any PHI, a Covered Entity must obtain authorization, and such authorization must clearly state that the transaction will result in remuneration to the Covered Entity.
Notice of Privacy Practices
In general, a Notice of Privacy Practices (NPP) describes the uses and disclosures of PHI that the Covered Entity is permitted to make, the Covered Entity's legal duties and privacy practices with respect to PHI, and the individual's rights concerning PHI. The Final Rule requires NPPs to contain disclosures regarding, among other things, fundraising efforts, the right to a breach notification, and the new Genetic Information Nondiscrimination Act of 2008 (GINA) requirements. (GINA requirements will be covered in a future update.)
Since the Final Rule treats subsidized treatment communications as marketing, the Final Rule does not implement certain NPP requirements found in the Proposed Rule. For example, there is no requirement to include a statement that the provider may send treatment communications to the individual concerning treatment alternatives or other health-related products or services where the provider receives financial remuneration from a third party in exchange for making the communication.
Implementation of the Final Rule will require Covered Entities to review their NPPs and likely make several material changes. Such changes will require individuals to be notified, and the revised NPP to be redistributed and posted to any website.