Summer is right around the corner, so you are probably thinking about cookouts, pool parties, and vacations. HIPAA is probably the furthest thing from your mind (if not, you probably wish it was). However, before you book those beach vacations, do not forget to mark September 23, 2013 on your calendars, as this is the general deadline for compliance with the new HIPAA Omnibus Rule.
In a recent blog post, we explained how the HIPAA Omnibus Rule alters business associate agreement requirements. Unfortunately for plan sponsors, the impact of these new rules extends beyond business associate agreements. For example, plan sponsors will need to update their Notice of Privacy Practices (“NPP”) to include:
- A description of the types of uses and disclosures of protected health information (“PHI”) that require an authorization;
- A statement that the covered entity is required by law to notify affected individuals following a breach of unsecured PHI;
- A statement informing individuals that a covered entity may contact them to raise funds for the covered entity and that an individual has a right to opt out of receiving such communications; and
- A statement that the plan is prohibited from using genetic information for underwriting purposes.
NPPs must be revised by September 23, 2013 for compliance with these new requirements. With respect to the timing and medium of distribution, plan sponsors that generally post NPPs to their websites must (1) post the revised NPP by September 23, 2013 and (2) provide the revised NPP, or information about the material change and how to obtain the revised notice, in the next annual mailing to covered individuals (i.e., during open enrollment). Plan sponsors that do not post the NPP on their website must distribute the revised NPP (or information about the changes and how to obtain the revised NPP) to individuals within 60 days of the changes.
Plan sponsors will also need to update their HIPAA Privacy Policies and Procedures to address these new requirements. For example, you may need to update your HIPAA Privacy Policies and Procedures to:
- Revise the definition of PHI (this should now include genetic information);
- Clarify your policies regarding individuals’ rights concerning their PHI, such as access to records;
- Generally prohibit the sale of PHI (subject to limited exceptions);
- Generally prohibit the use of PHI for marketing purposes (subject to limited exceptions); and
- Generally prohibit the use of PHI for fundraising communications (subject to limited exceptions).
The good news is that the September 23, 2013 deadline is still a ways off, which means you do not have to take your HIPAA compliance materials with you to the beach. However, you should circle this date on your calendar so that you can address these issues when you return. Or, better yet, you can address these issues now so that you have one less thing to trouble your mind while you are soaking up the sun.