HIPAA covered entities will be required to change their HIPAA Notices of Privacy Practices (NPPs) if a recent proposed rule by the US Department of Health and Human Services is finalized. The Proposed Rule is designed to better align the Substance Use Disorder (SUD) Regulations (“Part 2”) with the HIPAA Privacy Rules and include a number of broader changes to the NPP requirements for all covered entities. Although most of the changes will have only a minor impact for entities that are not subject to the SUD Rules or receive SUD data, one particularly problematic proposal could significantly affect the ability of any HIPAA covered entity to make a material change to their NPP.
The broader proposed changes to the NPP requirements include:
Revisions. The NPRM proposes to caveat the statement in an NPP that the covered entity reserves the right to change the terms of its NPP and make the new NPP effective for all protected health information (“PHI”) it maintains. If the proposal is finalized, the covered entity can change the terms of its NPP “provided that such terms are not material or contrary to law”. While, of course, modifications to the NPP should not be contrary to law, some may be material. For example, the revisions needed to implement the NPRM (if finalized) would likely be deemed material, as would any revisions necessary to address changes in law that restrict or affect certain uses and disclosures of PHI or rights that individuals have. It is not clear whether the proposed modification would essentially prohibit all material changes to the NPP or prohibit applying any material changes to all PHI the entity maintains. Either way, this would be challenging, if not impossible, for covered entities to implement, particularly where material changes are made to comply with changes in law.
Header. NPPs would need to include a new header with significantly more content in all caps, describing the NPP content. The new header would highlight that the NPP describes how to file a complaint concerning a privacy or security violation or violation of rights and how to exercise the right to get copies of records free or at limited cost, among other points. The header also would need to include the name of the covered entity, affiliated covered entity, or organized health care arrangement to which it applies. Given that affiliated covered entities and organized health care arrangements are HIPAA legal terms not commonly used to communicate with patients, using them in the NPP header may be confusing.
Rights. NPPs would be required to describe the individual’s right to access and obtain a copy of PHI at limited cost or, in some cases, free of charge, and the right to direct a health care provider to transmit an electronic copy of PHI in an electronic health record to a third party. Covered entities also can include information about how an individual seeking to make a directed disclosure may do so when PHI is not in an electronic health record or is in non-electronic format, such as obtaining the information through an access request and making the disclosure of PHI to the third party themselves, or through an authorization meeting HIPAA requirements. The NPP also would need to add a right to discuss the NPP with a designated contact person identified by the covered entity. Although NPPs currently have to identify a person to contact for more information, it was not previously included as a right or described as such in the NPP.
HIPAA covered entities that also are subject to the Part 2 Rules will have additional content requirements for their NPP to address those rules specifically. Comments on the NPRM are due January 31, 2023. The proposed effective date of the final regulations is 60 days after the publication of the Final Rule, but HHS would not begin enforcement until 24 months after the publication of the Final Rule, giving regulated entities 22 months to update the NPP.
Authored by Melissa Bianchi, Marcy Wilder, and Melissa Levine