Modify Notice of Privacy Practices

The Department of Health and Human Services recently finalized rules related HIPAA privacy and security. In general, these are changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Non-Discrimination Act (GINA). There are numerous changes in the rule that will require compliance activities on the part of certain employers. This activity focuses on obligations related to a group health plan’s Notice of Privacy Practices (NPP).

Employers Affected

The changes will affect any employer that sponsors a self-insured health plan subject to HIPAA (our FAQs provide more information about the delicate relationship between employers and their self-insured health plans). This includes major medical plans, dental and vision plans, HRAs and Health FSAs and certain types of wellness programs¹. The extent of the changes will depend on the existing language in a plan’s NPP and the nature of the plan’s activities as described below.

Timing Requirements

The rule is effective September 23, 2013. Any required modifications to an NPP must be made by that date.

A health plan that posts its notice on its web site must prominently post the change or its revised notice on its web site by the effective date of the change. It must also provide the revised notice or information about the change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.

A health plan that does not post its notice on a web site must provide the revised notice or information about the change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the revision to the notice.

Summary of HITECH Changes to the Privacy Rule Affecting the Content of NPPs²

The NPP must contain a statement indicating that the following require authorization:

• Most uses and disclosures of psychotherapy notes (but only if the plan does, in fact, record or maintain psychotherapy notes);
• Uses and disclosures of protected health information for marketing purposes; and
• Disclosures that constitute a sale of protected health information.

It must also include statements that:

• Other uses and disclosures not described in the NPP will be made only with authorization from the individual; and
• Affected individuals have a right to be notified following a breach of unsecured protected health information.

While it is unlikely that a health plan will engage in fundraising activities, should it wish to do so, the NPP must include notice of an individual’s right to opt out of receiving communications related to such activities.

Summary of GINA Changes to the Privacy Rule Affecting the Content of NPPs

Health plans that perform underwriting must include a statement in their NPPs that they are prohibited from using or disclosing genetic information for such purposes.

Here the key activity for an employer will be to assess which of its plans perform underwriting. “Underwriting” is defined very broadly under the final rule. It specifically includes:

• Rules for determining plan eligibility or benefits including changes in deductibles or other cost-sharing mechanisms in return for activities, such as completing a health risk assessment or participating in a wellness program); and
• The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program).

Consequently, many common wellness program designs will require amendments to an NPP.

Click here for a sample notice that incorporates these changes.