February 5, 2026

Everybody 'loves' HIPAA

Fact checked by: Keith A. Reynolds

Make sure Notices of Privacy Practices are updated by Feb. 16.

The requirement that certain covered entities provide a Notice of Privacy Practices (NPP) pursuant to 45 CFR 164.520 is not new; it dates back to the implementation of the Privacy Rule, approximately twenty-three years ago. Health care clearinghouses are exempt only if the sole type of protected health information (PHI) they create or receive is as a business associate of another covered entity. See 45 CFR 164.500(b)(1). The other two general types of covered entities, providers and health plans, are required to provide NPPs to patients unless a separate exception exists, and none exists for providers.

According to the U.S. Department of Health and Human Services (HHS), “[t]he Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information.” The NPP is provided anytime you, I or any individual checks in to obtain medical care or health care from a doctor, dentist, hospital, lab, etc.

Historically, the following items were required in the NPP:

“Content of the Notice. Covered entities are required to provide a notice in plain language that describes:

  • How the covered entity may use and disclose protected health information about an individual.
  • The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
  • The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
  • Whom individuals can contact for further information about the covered entity’s privacy policies.

The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals.” HHS also provided a template for the pre-Feb. 16, 2025, updates; however, this has not been updated to reflect the new combined 42 CFR Part 2 and HIPAA requirements. (89 Fed. Reg. 12472 (Feb. 16, 2024)).

For the first time in recent memory, the HHS Office for Civil Rights (HHS-OCR), in conjunction with the Substance Abuse and Mental Health Services Administration (SAMHSA), announced that 42 CFR Part 2 was going to align with HIPAA NPPs, and the effective date is Feb. 16. Substance Use Disorder (SUD) records have a heightened level of sensitivity and require stricter, consent-driven protections than standard protected health information (PHI) under HIPAA. Psychotherapy notes are also given heightened protections, and access is limited for patients and other providers alike. 45 CFR 164.508(a)(2). “A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory ‘duty to warn’ situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible).”

So what now needs to be addressed by Feb. 16? Updated NPPs must now address how entities use and disclose SUD records originating from federally assisted treatment programs. A SAMHSA publication, “Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?”, should be read and included, even by covered entities that are not considered “programs” under 42 CFR Part 2, §2.11.

In sum, there is a lot to parse through, and organizations should have counsel review their updated NPPs in time to meet the Feb. 16 deadline.

Rachel V. Rose, J.D., MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving health care, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rose can be reached through her website, www.rvrose.com.
