[ Friday, January 08, 2010 ]
Changing your NoPP?
As you know, the original Privacy Rule requried covered entities to adopt a "Notice of Privacy Practices" to tell patients (or beneficiaries if you're a health plan) how they plan to use and disclose the individuals' PHI. You get this sheet each time you go to a doctor for the first time (it says, almost always in caps and usually bold, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." That's because that's how it was written into the Privacy Rule regs).
The question rattling around the AHLA HIT list today was whether HITECH will require covered entities to revise their NoPPs. There are only 2 areas within HITECH that I can think of that might impact what's disclosed in your NoPP: the "hide" rule and the changes to marketing.
The "hide" rule (as I call it) says that if a patient pays for a service completely out of pocket and asks the provider not to tell his/her insurance company about it, the provider must abide by that wish (and "hide" the service/procedure from the insurance company). Most NoPPs generically state that (i) the covered entity will disclose information to payors and (ii) the patient may request that the covered entity not make certain disclosures and, if the covered entity agrees, it will abide by the request; that would normally be sufficient to meet the "hide" rule requirements.
Most NoPPs either are completely silent on marketing (normally because the covered entity doesn't use the PHI for marketing) or have generic information about possibly using PHI for marketing if legally allowed to do so. In either instance, unless the covered entity has changed its mind and wants to start marketing (in which case a change to the NoPP would be required with or without HITECH), no change to the NoPP would be necessary.
All that said, if you're a covered entity, you probably ought to take a look at your NoPP and make sure it still works for you. It might be that you've changed something about your operations since 2003 and really should catch it up. HOWEVER, if you change your NoPP, just remember that you need to start giving out the new one to all patients; you don't have to actively seek out old patients, unless you're going to use their PHI in a way not allowed under the old NoPP, in which case you do need to send it to them.
Jeff [5:00 PM]
Blogger: HIPAA Blog - Edit your Template