HHS posts new HIPAA guidance prior to Sept. 23 deadline

By Patrick Ouellette

The HIPAA Omnibus Rule goes into effect on Monday, but there is already enforcement delay news and additional guidance coming from the Department of Health and Human Services (HHS) on HIPAA compliance.

First, the Office for Civil Rights (OCR) announced a delay, until further notice, in enforcing the requirement that certain HIPAA-covered laboratories revise their notices of privacy practices (NPPs) to comply with the HIPAA Omnibus modifications. The delay applies only to laboratories that are Clinical Laboratory Improvement Amendments (CLIA) certified or CLIA-exempt and that the HIPAA Privacy Rule has relieved from having to provide an individual with access to his or her laboratory test results. HHS noted that the delay does not affect labs that are part of larger healthcare organizations that don’t have their own lab-specific NPPs.

Given the potential proximity of the two rulemakings, OCR is exercising its enforcement discretion to relieve the possible burden on and expense to the HIPAA-covered laboratories identified above of having to revise their NPPs twice within a short period of time, once by September 23, 2013, to comply with the Omnibus Rule, and again by the impending issuance of any CLIA-related amendment to the individual access requirements under § 164.524 of the Privacy Rule.  Specifically, with respect to the HIPAA-covered laboratories identified above, OCR will not take enforcement action or seek to impose civil money penalties where the HIPAA-covered laboratory has not revised its NPP by September 23, 2013, to comply with the Omnibus Rule.  OCR will issue a notice at least 30 days in advance to advise the public when this enforcement delay will end.

HIPAA refill reminder exception specifics

Next, HHS presented some more details on marketing refill reminders, as the Privacy Rule excludes these reminders from prohibited communications, assuming that the financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication. The critical component of that language is “reasonably related”, which is both hard to define and can be ambiguous at times. HHS attempts to clear up any confusion here:


Does the Communication Involve Financial Remuneration, and If So, Is It Reasonable?

Within exception:

- Communication does not involve remuneration.

- Communication involves only non-financial or in-kind remuneration, such as supplies, computers, or other materials.

- Communication involves only payment from a party other than the third party (or other than on behalf of the third party) whose product or service is being described in the communication, such as payment from a health plan.


- Remuneration involves payments to the covered entity by a pharmaceutical manufacturer or other third party whose product is being described that cover the reasonable direct and indirect costs related to the refill reminder or medication adherence program, or other excepted communications, including labor, materials, and supplies, as well as capital and overhead costs.

- Remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or to make other excepted communications, up to the fair market value of the business associate’s services.  The payments may be made by a third party whose product is being described directly to the business associate or through the covered entity to the business associate.

Student immunizations

The Privacy Rule allows a covered healthcare provider to “disclose proof of immunization about a student or prospective student to a school that is required by State or other law to have such proof prior to admitting the student,” assuming the provider obtains and documents agreement from a parent, guardian, or other person acting in loco parentis of the student if the student is an unemancipated minor, or otherwise from the student himself or herself.

Health Information of Deceased Individuals


While the HIPAA Privacy Rule protects the individually identifiable health information of a decedent for 50 years following the date of death, HHS pointed out several provisions that permit a covered entity to disclose a decedent’s protected health information without authorization:

(1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§ 164.512(f)(4)); (2) to coroners or medical examiners and funeral directors (§ 164.512(g)); (3) for research that is solely on the protected health information of decedents (§ 164.512(i)(1)(iii)); and (4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation (§ 164.512(h)). In addition, the Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.
