Another HIPAA Deadline Looms Health Plans Must Provide Notice On How Information Will Be Protected By April 14

Just when you thought it was safe to put HIPAA aside, another deadline looms just around the corner.

The privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) became effective for most health care providers, health care clearinghouses, and health plans on April 14, 2003. Now, three years later, those health plans that had to comply with the HIPAA privacy rule by April 14, 2003 will need to send a notice to its members by April 14, 2006 of the availability of its Notice of Privacy Practices.

Defining Privacy

The privacy rule protects health information from being disclosed without the individual’s authorization in most instances. There are several exceptions. These exceptions include a disclosure that must be made by the health care provider or the health plan for 1) treatment (i.e. a doctor may disclose an individual’s health information to another health care provider), 2) payment (i.e. a doctor may disclose health information to obtain payment from the health plan), or 3) health care operations (i.e. a health plan may disclose health information to its attorney when defending a claim for denial of coverage).

HIPAA allows disclosure of health information in other limited instances such as when: there is a threat to health or safety; the disclosure is needed to comply with legal duties; a government agency enforces state or federal regulations; the disclosure is needed during judicial and administrative proceedings, etc. These exceptions have additional safeguards that prevent unnecessary disclosures. Health care providers, health care clearinghouses, and health plans must provide a notice to the individual about how and when certain disclosures may occur. This notice is called the Notice of Privacy Practices.

Giving Notice

The Notice of Privacy Practices is a list of how the health plan will use and protect the patient’s health information. An individual has a right to adequate notice of the health plan’s legal duties with respect to the individual’s health information. The health plan must provide notification to the individual through the Notice of Privacy Practices.

A health plan is defined under HIPAA as an individual or a group plan that provides or pays the cost of medical care. Examples of health plans include employee benefit plans, health insurance companies, health maintenance organizations, nursing home insurance companies, Medicaid, Medicare, and state child health plans. Under HIPAA, these organizations had to send an initial Notice of Privacy Practices to their enrollees by April 14, 2003. Thereafter, the health plan must notify individuals at least every three years of the availability of the Notice of Privacy Practices and how to obtain it. If you are responsible for an entity that must comply with the privacy rule, now is a good time to re-examine the entity’s Notice of Privacy Practices and make any revisions that might be needed. The following is a review of the requirements for the Notice of Privacy Practices.

The Notice of Privacy Practices must have a header that states “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION PLEASE READ IT CAREFULLY.” It also must contain a description and one example of the disclosure of health information for treatment, payment, and heath care operations and a description of other purposes that HIPAA permits the health plan to disclose health information without the individual’s written authorization.

The Notice of Privacy Practices must contain a statement that other uses and disclosures will be made only with the individual’s written authorization and that the individual may revoke such authorization to the extent that it has not been relied on.

Additionally, if the entity intends to use the individual’s health information for appointment reminders, information about treatment alternatives,or other health-related benefits and services that may be of interest to the individual, raising funds, disclosure to the plan sponsor (i.e. employer), then the Notice of Privacy Practices must have individual statements that specifically explain that these disclosures may occur.

The Notice of Privacy Practices must also describe the individual’s rights and how the individual may exercise these rights. In this respect, the notice must contain statements that the individual has a right to: 1) place restrictions on the disclosure of health information but that the health plan is not required to agree to a requested restriction; 2) receive confidential communications of health information; 3) inspect and copy his or her health information; 4) amend his or her health information; 5) receive an accounting of disclosures; 6) request and receive a paper copy of the Notice of Privacy Practices.

Furthermore, the Notice of Privacy Practices must contain statements that the health plan is required by law to maintain the privacy of the individual’s health information and provide notice to the individual of its legal duties and privacy practices. The document must also explain that the health plan is required to abide by the terms of its Notice of Privacy Practices currently in effect. The health plan must describe how it will provide a revised notice, if there is a change in the health plan’s privacy practices. Also, if the health plan intends to apply a change to the health information that was created prior to a revised notice, the Notice of Privacy Practices must reserve the right to change the terms of its notice and to make the new notice provisions effective for all health information that it maintains.

Other mandatory statements include: the name or title and telephone number of a person or office to contact for further information or to file a complaint; how to file a complaint with the Secretary of Health and Human Services; and the date on which the notice becomes effective, which cannot be earlier than the date on which the notice is printed or published.

If the health plan, health care provider, or health clearinghouse makes a material change to either its uses or disclosures; the individual’s rights; the health plan’s legal duties; or other privacy practices, the Notice of Privacy Practices must promptly be revised to reflect the change.

A material change may not be put into practice before the effective date of the revised notice. If there is a material revision to the Notice of Privacy Practices, the entity must provide a revised Notice to individuals within 60 days of the material revision.

Sticking to the Plan

A health plan must provide a Notice of Privacy Practice to each new enrollee. The health plan satisfies the notice requirement by providing the Notice to the named insured of a policy. If a health plan has more than one Notice of Privacy Practice, it must provide the Notice that is relevant to the individual or other person who requests the Notice.

A group health plan that provides health benefits only through an insurance contract with a health insurance issuer or HMO and receives or creates health information, summary health information, or information on whether the individual is participating in the group health plan, must maintain a Notice of Privacy Practice and provide the notice to the individual upon request. A group health plan that provides health benefits only through an insurance contract with a health insurance issuer or HMO and does not create or receive health information is not required to maintain or provide a Notice of Privacy Practice. Both of these types of group health plans are exempt from providing notice every three years.

It is prudent to review your Notice of Privacy Practices on a routine interval to be sure it accurately reflects your entity’s information. The entity will need to revise its Notice of Privacy Practices if the entity moved to a different location, merged with another entity, changed ownership, changed privacy practices, designated a new contact person for HIPAA privacy issues or made other significant changes.

Minding Your Business

If your business is a health plan, you need to provide notice to enrollees by April 14, 2006 of the availability of your Notice of Privacy Practices. It is important to have a Notice of Privacy Practices that contains the correct information for the entity. The penalties for HIPAA violations can amount to thousands of dollars per incident. Don’t be caught off guard.

June M. Sullivan, Esq. is an attorney with the Hartford-based firm Halloran & Sage LLP specializing in health care law, specifically the defense of health care providers, risk managment, and HIPAA compliance; (860) 241-4077.