The Privacy Rule prescribes certain information that must be included in a covered entity’s NPP, including a statement advising individuals that any use or disclosure of PHI other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and that the individual has the right to revoke an authorization. The Final Rule expands a covered entity’s disclosure obligations by requiring that the NPP specifically state that uses and disclosures of PHI for marketing purposes and the sale of PHI will require an individual’s written authorization. Also, if the covered entity records or maintains psychotherapy notes, then its NPP must include a statement that uses and disclosures of psychotherapy notes will require an individual’s written authorization.
Besides the specific disclosures regarding written authorization, the Final Rule requires that a covered entity that intends to contact an individual for fundraising purposes must disclose in its NPP that it may contact the individual to raise funds, and that the individual has the right to opt out of receiving such communications. If the covered entity is a health plan that uses or discloses PHI for underwriting purposes, then its NPP must state that the covered entity is prohibited from using or disclosing genetic information for such purposes. All covered entities must include in their NPP a statement of the right of affected individuals to be notified following improper disclosure of unsecured PHI. Finally, for a covered entity other than a group health plan, the NPP must inform individuals of their right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.
The Department has determined that these changes are material, and each covered entity must take certain actions to advise the individual of the change in the NPP and make available the revised NPPs. If the covered entity is a group health plan that currently posts its NPP on its website, then it must prominently post information about the material changes or its revised NPP on its website by the compliance date, September 23, 2013, and it must provide the revised NPP or information about the material changes and how to obtain the revised NPP in its next annual mailing to the individuals covered by the plan or during the next open enrollment period. Group health plans that do not maintain customer service websites must provide the revised NPP or information describing the material changes and how to obtain the revised NPP to individuals covered by the plan within 60 days of the compliance date.