The HIPAA Omnibus Rule goes into effect on Monday, but there is already enforcement delay news and additional guidance coming from the Department of Health and Human Services (HHS) on HIPAA compliance.
First, the Office for Civil Rights (OCR) announced a delay in enforcing the requirement that certain HIPAA–covered laboratories revise their notices of privacy practices (NPPs)
to comply with HIPAA omnibus modifications until further notice. The delay applies only to Clinical Laboratory Improvement Amendments (CLIA) certified or exempt and those entities in which the HIPAA Privacy Rule has relieved them from having to provide an individual with access to his or her laboratory test. HHS noted that the delay does not affect labs that are part of larger healthcare organizations that don’t have their own lab-specific NPPs.
Given the potential proximity of the two rulemakings, OCR is exercising its enforcement discretion to relieve the possible burden on and expense to the HIPAA-covered laboratories identified above of having to revise their NPPs twice within a short period of time, once by September 23, 2013, to comply with the Omnibus Rule, and again by the impending issuance of any CLIA-related amendment to the individual access requirements under § 164.524 of the Privacy Rule. Specifically, with respect to the HIPAA-covered laboratories identified above, OCR will not take enforcement action or seek to impose civil money penalties where the HIPAA-covered laboratory has not revised its NPP by September 23, 2013, to comply with the Omnibus Rule. OCR will issue a notice at least 30 days in advance to advise the public when this enforcement delay will end.
HIPAA refill reminder exception specifics
Next, HHS presented some more details on marketing refill reminders
, as the Privacy Rule excludes these reminders from prohibited communications, assuming that the financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication. The critical component to that language is “reasonably related”, which is both hard to define an can be ambiguous at times. HHS attempts to clear up any confusion here:
Does the Communication Involve Financial Remuneration, and If So, Is It Reasonable?
- Communication does not involve remuneration.
- Communication involves only non-financial or in-kind remuneration, such as supplies, computers, or other materials.
- Communication involves only payment from a party other than the third party (or other than on behalf of the third party) whose product or service is being described in the communication, such as payment from a health plan.
- Remuneration involves payments to the covered entity by a pharmaceutical manufacturer or other third party whose product is being described that cover the reasonable direct and indirect costs related to the refill reminder or medication adherence program, or other excepted communications, including labor, materials, and supplies, as well as capital and overhead costs.
- Remuneration involves payments to a business associate
assisting a covered entity in carrying out a refill reminder or medication adherence program, or to make other excepted communications, up to the fair market value of the business associate’s services. The payments may be made by a third party whose product is being described directly to the business associate or through the covered entity to the business associate.
The Privacy Rule allows a covered healthcare provider to “disclose proof of immunization
about a student or prospective student to a school that is required by State or other law to have such proof prior to admitting the student,” assuming the provider gets the agreement documents from either a parent, guardian, or other person acting in loco parentis
of the student, if the student is an unemancipated minor or the unemancipated student himself or herself.
Health Information of Deceased Individuals
While the HIPAA Privacy Rule protects the individually identifiable health information about a decedent
for 50 years following the date of death of the individual, HHS wanted to point out some provisions:
(1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§ 164.512(f)(4)); (2) to coroners or medical examiners and funeral directors (§ 164.512(g)); (3) for research that is solely on the protected health information
of decedents (§ 164.512(i)(1)(iii)); and (4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation (§ 164.512(h)). In addition, the Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.