The Omnibus changes to the HIPAA Rules require that the HIPAA Notice of Privacy Practices be updated and re-distributed to plan participants. Group health plans will want to pay attention to the required changes and revise their Privacy Notice appropriately.
The Final Rule requires that the Privacy Notice explain that an authorization is required for a use or disclosure of psychotherapy notes, for marketing purposes, and for the sale of PHI. The notice must also inform individuals that they have a right to be notified of a breach of their unsecured electronic protected health information. A health plan that uses protected health information for underwriting purposes must indicate in the Privacy Notice that the plan will not disclose genetic information for those purposes.
Timing of Distribution
If the Notice of Privacy Practices is posted on a website, the revised notice must be posted by September 23, 2013. The notice, or information on how to obtain the revised notice, should also be provided with the next mailing to participants, presumably with open enrollment materials.
If there is no website for posting, the revised notice must be distributed by September 23, 2013 or within 60 days of a material change to the notice. The notice may be distributed by email only if the distribution meets the Department of Labor’s communication requirements, which generally require that the individual have regular access to a computer as part of his or her regular work duties and that the individual consent to receive the notice by email. A hard copy must always be available upon request.