    HIPAA Privacy Regulations: Notice of Privacy Practices: Provision of the Notice - § 164.520(c)

    As Contained in the HHS HIPAA Privacy Rules

    HHS Guidance: Notice of Privacy Practices

     

    HHS Regulations as Amended January 2013
    Notice of Privacy Practices: Provision of the Notice - § 164.520(c)

     

    (c) Implementation specifications: Provision of notice. A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.

    (1) Specific requirements for health plans. (i) A health plan must provide the notice:

    (A) No later than the compliance date for the health plan, to individuals then covered by the plan;

    (B) Thereafter, at the time of enrollment, to individuals who are new enrollees.

    (ii) No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.

    (iii) The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents.

    (iv) If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice.

    (v) If there is a material change to the notice:

    (A) A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.

    (B) A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice.

    (2) Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must:

    (i) Provide the notice:

    (A) No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or

    (B) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.

    (ii) Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained;

    (iii) If the covered health care provider maintains a physical service delivery site:

    (A) Have the notice available at the service delivery site for individuals to request to take with them; and

    (B) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and

    (iv) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable.

    (3) Specific requirements for electronic notice. (i) A covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site.

    (ii) A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section.

    (iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.

    (iv) The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.

     

    HHS Description and Commentary From the January 2013 Amendments
    Notice of Privacy Practices: Content of the Notice

     

    Proposed Rule

    The NPRM stated that modifications to § 164.520 would represent material changes to covered entities’ NPPs. Section 164.520(b)(3) requires that when there is a material change to the NPP, covered entities must promptly revise and distribute the NPP as outlined at § 164.520(c). Section 164.520(c)(1)(i)(C) requires that health plans provide notice to individuals covered by the plan within 60 days of any material revision to the NPP. Because we acknowledged that revising and redistributing a NPP may be costly for health plans, we requested comment on ways to inform individuals of this change to privacy practices without unduly burdening health plans. We requested comment on options for informing individuals in a timely manner of this proposed or other material changes to the NPP. We also requested comment on this issue in the proposed changes to the Privacy Rule pursuant to the Genetic Information Nondiscrimination Act (GINA), as discussed below in Section VI. In particular, the Department requested comment on the following options: (1) replace the 60-day requirement with a requirement for health plans to revise their NPPs and redistribute them (or at least notify members of the material change to the NPP and how to obtain the revised NPP) in their next annual mailing to members after a material revision to the NPP, such as at the beginning of the plan year or during the open enrollment period; (2) provide a specified delay or extension of the 60-day timeframe for health plans; (3) retain the provision generally to require health plans to provide notice within 60 days of a material revision but provide that the Secretary will waive the 60-day timeframe in cases where the timing or substance of modifications to the Privacy Rule call for such a waiver; or (4) make no change and thus, require that health plans that perform underwriting provide notice to individuals within 60 days of the material change to the NPP that would be required by this proposed rule. The Department requested comment on these options, as well as any other options for informing individuals in a timely manner of material changes to the NPP.

    Section 164.520(c)(2)(iv) requires that when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must make the NPP available upon request on or after the effective date of the revision and must comply with the requirements of § 164.520(c)(2)(iii) to have the NPP available at the delivery site and to post the notice in a clear and prominent location. We did not propose changes to these provisions because we did not believe these requirements to be overly burdensome but we requested comment on the issue.

    Overview of Public Comments

    We also received several comments arguing that the proposed changes should not constitute material changes to privacy practices requiring a new NPP, particularly where covered entities have already revised their NPPs to comply with the HITECH Act or State law requirements. Two additional commenters argued that each covered entity should determine whether a change is material or not, depending on its existing privacy practices.

    We received a number of comments regarding the appropriate timing and manner for distributing new NPPs. The majority of the comments received generally fell into three categories: (1) support for a requirement to revise and distribute notices within 60 days of a material change; (2) a recommendation for HHS to require that covered entities promptly post a revised NPP on their website in conjunction with a requirement to send a notice of the change by mail within a specified period; and (3) a request for HHS to extend the compliance deadline and permit the distribution of the revised NPP through a quarterly newsletter, annual mailing, after 18 months of transition, or in a triennial mailing. In addition, many commenters supported electronic distribution of an NPP or a notice of material changes to the NPP.

    While not proposed, some commenters suggested eliminating, or providing alternatives to, the current requirements for health care providers with direct treatment relationships to hand the NPP to every individual patient and make a good faith attempt to obtain acknowledgement of receipt.

    A few commenters also expressed concern regarding the cost burden associated with revising and distributing a new NPP. One commenter argued that considerations of cost do not justify a delay in distributing a revised NPP.

    Final Rule

    These changes represent material changes to the NPP of covered entities. We disagree with the few commenters who argued that such modifications to § 164.520 do not constitute material changes of privacy practices requiring the distribution of new NPPs. The modifications to § 164.520 are significant and are important to ensure that individuals are aware of the HITECH Act changes that affect privacy protections and individual rights regarding protected health information.

    Section 164.520(c)(1) of the final rule requires a health plan that currently posts its NPP on its web site in accordance with § 164.520(c)(3)(i) to: (1) prominently post the material change or its revised notice on its web site by the effective date of the material change to the notice (e.g., the compliance date of this final rule) and (2) provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan, such as at the beginning of the plan year or during the open enrollment period. Health plans that do not have customer service web sites are required to provide the revised NPP, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of the material revision to the notice. These requirements apply to all material changes including, where applicable, the rule change adopted pursuant to GINA to prohibit most health plans from using or disclosing genetic information for underwriting purposes.

    We believe these distribution requirements best balance the right of individuals to be informed of their privacy rights with the burden on health plans to provide the revised NPP. We also note that health plans should provide both paper- and web-based notices in a way accessible to all beneficiaries, including those individuals with disabilities. These modifications provide an avenue for an individual to be informed of material changes upon their effective date while better aligning the NPP distribution with health plans’ normal mailings to individuals.

    For health care providers, the final rule does not modify the current requirements to distribute revisions to the NPP. As such, § 164.520(c)(2)(iv) requires that when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must make the NPP available upon request on or after the effective date of the revision and must comply with the requirements of § 164.520(c)(2)(iii) to have the NPP available at the delivery site and to post the notice in a clear and prominent location. In response to several comments expressing concern about printing costs for new NPPs, we clarify that providers are not required to print and hand out a revised NPP to all individuals seeking treatment; providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them. Providers are only required to give a copy of the NPP to, and obtain a good faith acknowledgment of receipt from, new patients. As a result, we do not believe that the current requirement is overly burdensome to providers, nor is it overly costly.

    We also clarify that while health care providers are required to post the NPP in a clear and prominent location at the delivery site, providers may post a summary of the notice in such a location as long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. It would not be appropriate, however, to require the individual to have to ask the receptionist for a copy of the full NPP.

    To the extent that some covered entities have already revised their NPPs in response to the enactment of the HITECH Act or State law requirements, we clarify that as long as a covered entity’s current NPP is consistent with this final rule and individuals have been informed of all material revisions made to the NPP, the covered entity is not required to revise and distribute another NPP upon publication of this final rule.

    Finally, we note that to the extent a covered entity is required to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the revised NPP or notice of material changes to the NPP available in alternate formats, such as Braille, large print, or audio.

    Response to Other Public Comments

    Comment: One commenter requested elimination of the requirement that covered entities obtain agreement from individuals (an opt-in) before electronic distribution, while another commenter requested that HHS clarify that a covered entity may obtain an electronic agreement from an individual to receive an NPP electronically.

    Response: The Privacy Rule permits covered entities to distribute their NPPs or notices of material changes by e-mail, provided the individual has agreed to receive an electronic copy. Although internet access is a convenience of daily life for many individuals, maintaining the opt-in requirement ensures that individuals who are not able to or choose not to receive information electronically are fully informed of how their protected health information is being used and disclosed and of their individual rights with respect to this information. We clarify that agreement to receive electronic notice can be obtained electronically pursuant to the requirements at § 164.520(c)(3).

     

    HHS Description of and Commentary From the August 2002 Revisions
    Notice of Privacy Practices: Provision of the Notice - § 164.520(c)

     

    The commentary for the Provision of Notice requirement is contained in the commentary for the Content of Notice section.

     


    December 2000 Privacy Rule. The Privacy Rule at § 164.520 requires most covered entities to provide individuals with adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s responsibilities with respect to protected health information. The Rule delineates specific requirements for the content of the notice, as well as for provision of the notice. The requirements for providing notice to individuals vary based on type of covered entity and method of service delivery. For example, a covered health care provider that has a direct treatment relationship with an individual must provide the notice no later than the date of first service delivery and, if the provider maintains a physical service delivery site, must post the notice in a clear and prominent location and have it available upon request for individuals to take with them. If the first service delivery to an individual is electronic, the covered provider must furnish electronic notice automatically and contemporaneously in response to the individual’s first request for service. In addition, if a covered entity maintains a website, the notice must be available electronically through the web site.

    March 2002 NPRM. The Department proposed to modify the notice requirements at § 164.520(c)(2) to require that a covered health care provider with a direct treatment relationship make a good faith effort to obtain an individual’s written acknowledgment of receipt of the provider’s notice of privacy practices. Other covered entities, such as health plans, would not be required to obtain this acknowledgment from individuals, but could do so if they chose.

    The Department proposed to strengthen the notice requirements in order to preserve a valuable aspect of the consent process. The notice acknowledgment proposal was intended to create the “initial moment” between a covered health care provider and an individual, formerly a result of the consent requirement, when individuals may focus on information practices and privacy rights and discuss with the provider any concerns related to the privacy of their protected health information. This “initial moment” also would provide an opportunity for an individual to make a request for additional restrictions on the use or disclosure of his or her protected health information or for additional confidential treatment of communications, as permitted under § 164.522.

    With one exception for emergency treatment situations, the proposal would require that the good faith effort to obtain the written acknowledgment be made no later than the date of first service delivery, including service delivered electronically. To address potential operational difficulties with implementing these notice requirements in emergency treatment situations, the Department proposed in § 164.520(c)(2) to delay the requirement for provision of notice until reasonably practicable after the emergency treatment situation, and exempt health care providers with a direct treatment relationship with the individual from having to make a good faith effort to obtain the acknowledgment altogether in such situations.

    Other than requiring that the acknowledgment be in writing, the proposal would not prescribe other details of the form of the acknowledgment or limit the manner in which a covered health care provider could obtain the acknowledgment.

    The proposal also provided that, if the individual’s acknowledgment of receipt of the notice could not be obtained, the covered health care provider would be required to document its good faith efforts to obtain the acknowledgment and the reason why the acknowledgment was not obtained. Failure by a covered entity to obtain an individual’s acknowledgment, assuming it otherwise documented its good faith effort, would not be considered a violation of the Privacy Rule.

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, “Response to Other Public Comments.”

    In general, many commenters expressed support for the proposal to require that certain health care providers, as an alternative to obtaining prior consent, make a good faith effort to obtain a written acknowledgment from the individual of receipt of the notice. Commenters stated that even though the requirement would place some burden on certain health care providers, the proposed policy was a reasonable and workable alternative to the Rule’s prior consent requirement. A number of these commenters conveyed support for the proposed flexibility of the requirement that would allow covered entities to implement the requirement in accordance with their own practices. Commenters urged that the Department not prescribe (other than that the acknowledgment be in writing) the form or content of the acknowledgment, or other requirements that would further burden the acknowledgment process. In addition, commenters viewed the proposed exception for emergency treatment situations as a practical policy.

    A number of other commenters, while supportive of the Department’s proposal to make the obtaining of consent optional for all covered entities, expressed concern over the administrative burden the proposed notice acknowledgment requirements would impose on certain health care providers. Some of these commenters viewed the notice acknowledgment as an unnecessary burden on providers that would not afford individuals with any additional privacy rights or protections. Thus, some commenters urged that the good faith acknowledgment not be adopted in the final Rule. As an alternative, it was suggested by some that covered entities instead be required to make a good faith effort to make the notice available to consumers.

    Several commenters expressed concerns that the notice acknowledgment process would reestablish some of the same operational problems associated with the prior consent requirement. For example, commenters questioned how the requirement should be implemented when the provider’s first contact with the patient is over the phone, electronically, or otherwise not face-to-face, such as with telemedicine. Accordingly, it was suggested that the good faith acknowledgment of the notice be required no later than the date of first face-to-face encounter with the patient rather than first service delivery to eliminate these perceived problems.

    A few others urged that the proposed notice acknowledgment requirement be modified to allow for an individual’s oral acknowledgment of the notice, so long as the provider maintained a record that the individual’s acknowledgment was obtained.

    Some commenters did not support the proposal’s written notice acknowledgment as a suitable alternative to the consent requirement, stating that such a requirement would not provide individuals with comparable privacy protections or rights. It was stated that there are a number of fundamental differences between a consent and an acknowledgment of the notice. For example, one commenter argued that asking individuals to acknowledge receipt of the notice does not provide a comparable “initial moment” between the provider and the individual, especially when the individual is only asked to acknowledge receipt of the notice, and not whether they have read or understood it, or have questions. Further, commenters argued that the notice acknowledgment process would not be the same as seeking the individual’s permission through a consent process. Some of these commenters urged that the Department retain the consent requirements and make appropriate modifications to fix the known operational problems associated with the requirement.

    A few commenters urged that the Department strengthen the notice acknowledgment process. Some commenters suggested that the Department do so by eliminating the “good faith” aspect of the standard and simply requiring certain health care providers to obtain the written acknowledgment, with appropriate exceptions for emergencies and other situations where it may not be practical to do so. It was also suggested that the Department require providers to ensure that the consumer has an understanding of the information provided in the notice. One commenter suggested that this may be achieved by having individuals not only indicate whether they have received the notice, but also be asked on separate lines after each section of the notice whether they have read that section. Another commenter argued that consumers should be asked to sign something more meaningful than a notice acknowledgment, such as a “Summary of Consumer Rights,” which clearly and briefly summarizes the ways in which their information may be used by covered entities, as well as the key rights consumers have under the Privacy Rule.

    Final Modifications. After consideration of the public comment, the Department adopts in this final Rule at § 164.520(c)(2)(ii), the proposed requirement that a covered health care provider with a direct treatment relationship with an individual make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. Other covered entities, such as health plans, are not required to obtain this acknowledgment from individuals, but may do so if they choose. The Department agrees with those commenters who stated that the notice acknowledgment process is a workable alternative to the prior consent process, retaining the beneficial aspects of the consent without impeding timely access to quality health care. The Department continues to believe strongly that promoting individuals’ understanding of privacy practices is an essential component of providing notice to individuals. Through this requirement, the Department facilitates achieving this goal by retaining the opportunity for individuals to discuss privacy practices and concerns with their health care providers. Additionally, the requirement provides individuals with an opportunity to request any additional restrictions on uses and disclosures of their health information or confidential communications, as permitted by § 164.522.

    As proposed in the NPRM, the final Rule requires, with one exception, that a covered direct treatment provider make a good faith effort to obtain the written acknowledgment no later than the date of first service delivery, including service delivered electronically, that is, at the time the notice is required to be provided. During emergency treatment situations, the final Rule at § 164.520(c)(2)(i)(B) delays the requirement for provision of the notice until reasonably practicable after the emergency situation, and at § 164.520(c)(2)(ii) exempts health care providers from having to make a good faith effort to obtain an individual’s acknowledgment in such emergency situations. The Department agrees with commenters that such exceptions are practical and necessary to ensure that the notice and acknowledgment requirements do not impede an individual’s timely access to quality health care.

    The Department also agrees with commenters that the notice acknowledgment process must be flexible and provide covered entities with discretion in order to be workable. Therefore, the final modification adopts the flexibility proposed in the NPRM for the acknowledgment requirement. The Rule requires only that the acknowledgment be in writing, and does not prescribe other details such as the form that the acknowledgment must take or the process for obtaining the acknowledgment. For example, the final Rule does not require an individual’s signature to be on the notice. Instead, a covered health care provider is permitted, for example, to have the individual sign a separate sheet or list, or to simply initial a cover sheet of the notice to be retained by the provider. Alternatively, a pharmacist is permitted to have the individual sign or initial an acknowledgment within the log book that patients already sign when they pick up prescriptions, so long as the individual is clearly informed on the log book of what they are acknowledging and the acknowledgment is not also used as a waiver or permission for something else (such as a waiver to consult with the pharmacist). For notice that is delivered electronically as part of first service delivery, the Department believes the provider’s system should be capable of capturing the individual’s acknowledgment of receipt electronically. In addition, those covered health care providers that choose to obtain consent from an individual may design one form that includes both a consent and the acknowledgment of receipt of the notice. Covered health care providers are provided discretion to design the acknowledgment process best suited to their practices.

    While the Department believes that the notice acknowledgment process must remain flexible, the Department does not consider oral acknowledgment by the individual to be either a meaningful or appropriate manner by which a covered health care provider may implement these provisions. The notice acknowledgment process is intended to provide a formal opportunity for the individual to engage in a discussion with a health care provider about privacy. At the very least, the process is intended to draw the individual’s attention to the importance of the notice. The Department believes these goals are better accomplished by requiring a written acknowledgment and, therefore, adopts such provision in this final modification.

    Under the final modification, if an individual refuses to sign or otherwise fails to provide an acknowledgment, a covered health care provider is required to document its good faith efforts to obtain the acknowledgment and the reason why the acknowledgment was not obtained. Failure by a covered entity to obtain an individual’s acknowledgment, assuming it otherwise documented its good faith effort, is not a violation of this Rule. Such reason for failure simply may be, for example, that the individual refused to sign the acknowledgment after being requested to do so. This provision also is intended to allow covered health care providers flexibility to deal with a variety of circumstances in which obtaining an acknowledgment is problematic. In response to commenters’ requests for examples of good faith efforts, the Department intends to provide future guidance on this and other modifications.

    A covered entity is required by § 164.530(j) to document compliance with these provisions by retaining copies of any written acknowledgments of receipt of the notice or, if not obtained, documentation of its good faith efforts to obtain such written acknowledgment.

    The Department was not persuaded by those commenters who urged that the Department eliminate the proposed notice acknowledgment requirements because of concerns about burden. The Department believes that the final modification is simple and flexible enough so as not to impose a significant burden on covered health care providers. Covered entities are provided much discretion to design the notice acknowledgment process that works best for their business. Further, as described above, the Department believes that the notice acknowledgment requirements are important in that they retain the important aspects of the prior consent process that otherwise would be lost in the final modifications.

    In response to commenters’ operational concerns about the proposed notice acknowledgment requirements, the Department clarifies that the modification as proposed and now adopted as final is intended to be flexible enough to address the various types of relationships that covered health care providers may have with the individuals to whom they provide treatment, including those treatment situations that are not face-to-face.

    For example, a health care provider whose first treatment encounter with a patient is over the phone satisfies the notice provision requirements of the Rule by mailing the notice to the individual no later than the day of that service delivery. To satisfy the requirement that the provider also make a good faith effort to obtain the individual’s acknowledgment of the notice, the provider may include a tear-off sheet or other document with the notice that requests such acknowledgment be mailed back to the provider. The Department would not consider the health care provider in violation of the Rule if the individual chooses not to mail back an acknowledgment. The Department clarifies, however, that where a health care provider’s initial contact with the patient is simply to schedule an appointment, the notice provision and acknowledgment requirements may be satisfied at the time the individual arrives at the provider’s facility for his or her appointment. For service provided electronically, the Department believes that, just as a notice may be delivered electronically, a provider should be capable of capturing the individual’s acknowledgment of receipt electronically in response to that transmission.

    Finally, the Department does not agree with those commenters who argued that the proposed notice acknowledgment requirements are not an adequate alternative to the prior consent requirements, nor with those who argued that the proposed acknowledgment process should be strengthened if an individual’s consent is no longer required. The Department believes that the notice acknowledgment process retains the important aspects of the consent process, such as creating an opportunity for a discussion between the individual and the provider of privacy issues, including the opportunity for the individual to request restrictions on how her information may be used and disclosed as permitted by § 164.522.

    Additionally, the Department believes that requiring certain health care providers to obtain the individual’s acknowledgment of receipt of the notice, rather than make a good faith effort to do so, would remove the flexibility of the standard and increase the burden substantially on covered entities. Such a modification, therefore, would have the potential to cause workability and operational problems similar to those caused by the prior consent requirements. Prescribing the form or content of the acknowledgment could have the same effect. The Department believes that the notice acknowledgment process must not negatively impact timely access to quality health care.

    Also, the Department agrees that it will not be easy for every individual to understand fully the information in the notice, and acknowledges that the onus of ensuring that individuals have an understanding of the notice should not be placed solely on health care providers. The Rule ensures that individuals are provided with a notice in plain language but leaves it to each individual’s discretion to review the notice and to initiate a discussion with the covered entity about the use and disclosure of his or her health information or the individual’s rights. However, the Department continues to believe strongly that promoting individuals’ understanding of privacy practices is an essential component of providing notice to individuals. The Department anticipates that many stakeholders, including the Department, covered entities, consumer organizations, health educators, the mass media and journalists, and a host of other organizations and individuals, will be involved in educating individuals about privacy notices and practices.

    Response to Other Public Comments.

    Comment: Several commenters requested clarification as to whether a health care provider is required to obtain from individuals a new acknowledgment of receipt of the notice if the facility changes its privacy policy.

    Response: The Department clarifies that this is not required. To minimize burden on the covered direct treatment provider, the final modification intends the obtaining of the individual’s acknowledgment to be consistent with the timing for provision of the notice to the individual, that is, no later than the date of first service delivery. Upon revision of the notice, the Privacy Rule requires only that the direct treatment provider make the notice available upon request on or after the effective date of the revision, and, if he maintains a physical service delivery site, to post the revised notice in a clear and prominent location in his facility. See § 164.520(c)(2)(iii). As the Rule does not require a health care provider to provide the revised notice directly to the individual, unless requested by the individual, a new written acknowledgment is not required at the time of revision of the notice.

    Comment: A few commenters requested clarification as to how the Department intended the notice acknowledgment process to be implemented within an affiliated covered entity or an organized health care arrangement (OHCA).

    Response: The requirement for an individual’s written acknowledgment of the notice corresponds with the requirement that the notice be provided to the individual by certain health care providers at first service delivery, regardless of whether the notice itself is the joint notice of an OHCA, the notice of an affiliated covered entity, or the notice of one entity. With respect to an OHCA, the Privacy Rule permits covered entities that participate in an OHCA to satisfy the notice requirements through the use of a joint notice, provided that the relevant conditions of § 164.520(d) are met. Section 164.520(d)(3) further provides that provision of a joint notice to an individual by any one of the covered entities included in the joint notice satisfies the notice provision requirements at § 164.520(c) with respect to all others covered by the joint notice. Thus, a health care provider with a direct treatment relationship with an individual that is participating in an OHCA only need make a good faith effort to obtain the individual’s acknowledgment of the joint notice if that provider is the covered entity within the OHCA that is providing the joint notice to the individual. Where the joint notice is provided to the individual by a participating covered entity other than a provider with a direct treatment relationship with the individual, no acknowledgment need be obtained. However, covered entities that participate in an OHCA are not required to utilize a joint notice and may maintain separate notices. In such case, each covered health care provider with a direct treatment relationship within the OHCA must make a good faith effort to obtain the individual’s acknowledgment of the notice he or she provides.

    Similarly, an affiliated covered entity may have one single notice that covers all of its affiliates. Thus, if the affiliated covered entity’s notice is provided to the individual by a health care provider with which the individual has a direct treatment relationship, the health care provider must make a good faith effort to obtain the individual’s acknowledgment of receipt of the notice. Alternatively, where the affiliated entity’s notice is provided to the individual by a participating entity other than a provider with a direct treatment relationship with the individual, no acknowledgment need be obtained. However, as with the OHCA, the Department clarifies that covered entities that are part of an affiliated covered entity may maintain separate notices if they choose to do so; if they do so, each provider with a direct treatment relationship with the individual must make a good faith effort to obtain the individual’s acknowledgment of the notice he or she provides.

    Comment: It was suggested that if a provider chooses to obtain consent, the provider should not also be required to obtain the individual’s acknowledgment of the notice.

    Response: For those covered entities that choose to obtain consent, the Rule does not prescribe any details of the form or manner in which the consent must be obtained. Given this discretion, the Department does not believe that all consents will provide the same benefits to the individual as those afforded by the notice acknowledgment process. The Rule, therefore, does not relieve a covered health care provider of his obligations with respect to obtaining an individual’s acknowledgment of the notice if that provider also obtains the individual’s consent. However, the Rule provides those covered health care providers that choose to obtain consent from an individual the discretion to design one form that includes both a consent and the acknowledgment of receipt of the notice.

    Comment: Some commenters asked that the Privacy Rule allow the written acknowledgment of the notice to be obtained electronically without regard to channel of delivery (electronically or on paper) of the notice.

    Response: Generally, the Privacy Rule allows for electronic documents to qualify as written documents for purposes of meeting the Rule’s requirements. This also applies with respect to the notice acknowledgment. For notice delivered electronically, the Department intends a return receipt or other transmission from the individual to suffice as the notice acknowledgment.

    For notice delivered on paper in a face-to-face encounter with the provider, although it is unclear to the Department how exactly the provider may do so, the Rule does not preclude providers from obtaining the individual’s written acknowledgment electronically. The Department cautions, however, that the notice acknowledgment process is intended to alert individuals to the importance of the notice and provide them the opportunity to discuss privacy issues with their providers. To ensure that individuals are aware of the importance of the notice, the Rule requires that the individual’s acknowledgment be in writing. Thus, the Department would not consider a receptionist’s notation in a computer system to be an individual’s written acknowledgment.

    Comment: One commenter expressed concern that the Rule did not define “emergency” as it applies to ambulance services given the Rule’s exceptions to the notice requirements for such situations. This commenter also urged that the Rule’s notice provisions at § 164.520(c)(2) with respect to emergency treatment situations be expanded also to apply to non-emergency trips of ambulance providers. The commenter explained that even in non-emergency circumstances, patients, especially the elderly, often suffer from incapacitating or stressful conditions when they need to be transferred by ambulance, at which time it may not be effective or appropriate to provide the notice and obtain the individual’s acknowledgment of receipt of the notice.

    Response: During emergency treatment situations, the final Rule at § 164.520(c)(2)(i)(B) delays the requirement for provision of the notice until reasonably practicable after the emergency situation, and exempts health care providers from having to make a good faith effort to obtain an individual’s acknowledgment. As the provisions are not intended to apply only to ambulance providers, the Department does not believe that defining emergency with respect to such providers is appropriate or necessary. Nor does the Department believe that expanding these provisions to cover non-emergency trips of ambulance providers is appropriate. The provisions are intended to provide exceptions for those situations where providing the notice and obtaining an individual’s acknowledgment may not be feasible or practicable. Where such extenuating circumstances do not exist, the Department expects that covered health care providers are able to provide individuals with a notice and make a good faith effort to obtain their acknowledgment of receipt. Where an individual does not provide an acknowledgment, the Rule requires only that the provider document his good faith effort to obtain the acknowledgment.

    Comment: A number of commenters requested clarification on how to implement the “good faith” standard and urged the Department to provide more specific guidance and examples. Some commenters expressed concern over the perceived liability that would arise from such a discretionary standard.

    Response: Covered entities are provided much discretion to implement the notice acknowledgment process as best suited to their specific business practices. The standard is designed as a “good faith effort” standard because the Department understands that obtaining an individual’s acknowledgment of the notice may not always be feasible or practical, in spite of a covered entity’s efforts. Thus, the standard is intended to account for those difficult situations, including where an individual simply refuses to provide the written acknowledgment. Given the discretion covered health care providers have in implementing these standards and the various ways such providers interact with their patients, it is difficult for the Department to provide specific guidance in this area that is generally applicable to many covered health care providers. However, the Department intends to provide future guidance through frequently asked questions or other materials in response to specific scenarios that are raised by industry.

    With respect to commenters’ concerns regarding potential liability, the Department’s position is that a failure by a covered entity to obtain an individual’s acknowledgment, assuming it otherwise documented its good faith effort (as required by § 164.520(c)(2)(ii)), will not be considered a violation of this Rule.

    Comment: Many commenters generally urged that the Department modify the Rule to allow for a simpler, shorter, and, therefore, more readable notice. Some of the commenters explained that a shorter notice would assure that more individuals would take the time to read and be able to understand the information. Others suggested that a shorter notice would help to alleviate burden on the covered entity. A number of these commenters suggested that the Department allow for a shorter summary or 1-page notice to replace the prescriptive notice required by the Privacy Rule. It was recommended that such a notice could refer individuals to a more detailed notice, available on request, or to an HHS web site, for additional information about an individual’s rights under the Privacy Rule. Others recommended that the Department allow for a layered notice that contains: (1) a short notice that briefly describes, for example, the entity’s principal uses and disclosures of an individual’s health information, as well as the individual’s rights with respect to that information; and (2) a longer notice, layered beneath the short notice, that contains all the elements required by the Rule.

    Certain other commenters urged that one way to make the notice shorter, as well as to alleviate burden on the covered entity, would be to eliminate the requirement that the notice explain the more stringent State privacy laws. Commenters stated that companies that operate in multiple States will have to develop and print up to 50 different notices, and then update and reissue those notices whenever a material change is made to the State law. These commenters recommended instead that the notice simply state that State law may provide additional protections.

    A few commenters urged that the Department provide a model notice that covered entities could use in their implementation efforts.

    Response: The Department does not modify the notice content provisions at § 164.520(b). The Department believes that the elements required by § 164.520(b) are important to fully inform the individual of a covered entity’s privacy practices, as well as his or her rights. However, the Department agrees that such information must be provided in a clear, concise, and easy to understand manner. Therefore, the Department clarifies that covered entities may utilize a “layered notice” to implement the Rule’s provisions, so long as the elements required by § 164.520(b) are included in the document that is provided to the individual. For example, a covered entity may satisfy the notice provisions by providing the individual with both a short notice that briefly summarizes the individual’s rights, as well as other information; and a longer notice, layered beneath the short notice, that contains all the elements required by the Privacy Rule. Covered entities, however, while encouraged to use a layered notice, are not required to do so. Nothing in the final modifications relieves a covered entity of its duty to provide the entire notice in plain language so the average reader can understand it. See § 164.520(b)(1).

    In response to comments regarding a model notice, it would be difficult for the Department to develop a document that would be generally useful to many different types of covered entities. A covered entity’s notice must reflect in sufficient detail the particular uses and disclosures that entity may make. Such uses and disclosures likely will be very different for each type of covered entity. Thus, a uniform, model notice could not capture the wide variation in information practices across covered entities. The Department intends, however, to issue further general guidance to help covered entities implement the notice provisions of the Rule.

    Comment: A number of commenters also requested that the Department lessen the burden associated with distributing the notice. For example, some commenters asked that covered entities be permitted to satisfy the notice provision requirements by posting the notice at the facility or on a web site and by providing a copy only to those consumers who request one, or by placing copies on display where an interested consumer may take one.

    Response: The Department’s position is that making the notice available to individuals, either on request, by posting it at a facility or on a web site, or by placing copies on display, does not substitute for physically providing the notice directly to individuals. Adequate notice of privacy practices is a fundamental right afforded individuals by the Rule. As such, the Department does not believe that the burden of obtaining such information should be placed on the individual. Covered entities are required to distribute the notice in the manner described under § 164.520(c).

    Comment: A few commenters requested that the Department make clear that no special mailings are required to provide individuals with a covered entity’s notice; rather, that the notice may be distributed as part of other mailings or distributions by the covered entity. For example, one commenter argued that the Rule should be flexible enough to allow for notices to be included in a health plan’s Summary Plan Descriptions, Booklets, or an Enrollment Application. It was argued that the notice would receive greater attention, be more carefully reviewed and, thus, better understood if it were published in materials known to be widely read by members.

    Response: The Department clarifies that no special or separate mailings are required to satisfy the notice distribution requirements. The Privacy Rule provides covered entities with discretion in this area. A health plan distributing its notice through the mail, in accordance with § 164.520(c)(1), may do so as part of another mailing to the individual. In addition, a covered entity that provides its notice to an individual by e-mail, in accordance with § 164.520(c)(3), may include additional materials in the e-mail. No separate e-mail is required. However, the Privacy Rule at § 164.508(b)(3) continues to prohibit a covered entity from combining the notice in a single document with an authorization.

    Comment: Commenters also urged that the Rule permit, for group products, a health plan to send its notice to the administrator of the group product or the plan sponsor, who would then be responsible for distributing the notice to each enrollee/employee. One commenter claimed this distribution method is especially appropriate where there is no regular communication with the covered individuals, as in an employer-pay-all group medical or dental plan. According to the commenter, providing the notice to the employer makes sense because the employer picks the plan and should be aware of the plan’s privacy practices when doing so.

    Response: The Privacy Rule requires a health plan to distribute its notice to each individual covered by the plan. Health plans may arrange to have another entity, or person, for example, a group administrator or a plan sponsor, distribute the notice on their behalf. However, the Department cautions that if such other entity or person fails to distribute the notice to individuals, the health plan would be in violation of the Rule.

    Comment: Another commenter asked that the Department eliminate the requirement that a covered entity must provide the notice to every dependent, rather than just the head of the household. This commenter argued that while it makes sense to provide the notice to an emancipated minor or to a minor who pursuant to State law has consented to treatment, it does not make sense to send the notice to a 2-year-old child.

    Response: The Privacy Rule provides that a health plan may satisfy the notice provision requirements by distributing the notice to the named insured of a policy under which coverage is provided to the named insured and one or more dependents. A health plan is not required to distribute the notice to each dependent. See § 164.520(c)(1)(iii).

    Further, a covered health care provider with a direct treatment relationship with the individual is required only to provide the notice to the individual receiving treatment at first service delivery. Where a parent brings a 2-year-old child in for treatment, the provider satisfies the notice distribution requirements by providing the notice only to the child’s parent.

     

    HHS Description from Original Rulemaking
    Notice of Privacy Practices: Provision of the Notice

     

    As in the proposed rule, all covered entities that are required to produce a notice must provide the notice upon request of any person. The requestor does not have to be a current patient or enrollee. We intend the notice to be a public document that people can use in choosing between covered entities.

    For health plans, we proposed to require health plans to distribute the notice to individuals covered by the health plan as of the compliance date; after the compliance date, at enrollment in the health plan; after enrollment, within 60 days of a material revision to the content of the notice; and no less frequently than once every three years.

    As in the proposed rule, under the final rule health plans must provide the notice to all health plan enrollees as of the compliance date. After the compliance date, health plans must provide the notice to all new enrollees at the time of enrollment and to all enrollees within 60 days of a material revision to the notice. Of course, the term “enrollees” includes participants and beneficiaries in group health plans.

    Unlike the proposed rule, we do not require health plans to distribute the notice every three years. Instead, health plans must notify enrollees no less than once every three years about the availability of the notice and how to obtain a copy.

    We also clarify that, in each of these circumstances, if a named insured and one or more dependents are covered by the same policy, the health plan can satisfy the distribution requirement with respect to the dependents by sending a single copy of the notice to the named insured. For example, if an employee of a firm and her three dependents are all covered under a single health plan policy, that health plan can satisfy the initial distribution requirement by sending a single copy of the notice to the employee rather than sending four copies, each addressed to a different member of the family.

    We further clarify that if a health plan has more than one notice, it satisfies its distribution requirement by providing the notice that is relevant to the individual or other person requesting the notice. For example, a health insurance issuer may have contracts with two different group health plans. One contract specifies that the issuer may use and disclose protected health information about the participants in the group health plan for research purposes without authorization (subject to the requirements of this rule) and one contract specifies that the issuer must always obtain authorizations for these uses and disclosures. The issuer accordingly develops two notices reflecting these different practices and satisfies its distribution requirements by providing the relevant notice to the relevant group health plan participants.

    We proposed to require covered health care providers with face-to-face contact with individuals to provide the notice to all such individuals at the first service delivery to the individual during the one year period after the compliance date. After this one year period, covered providers with face-to-face contact with individuals would have been required to distribute the notice to all new patients at the first service delivery. Covered providers without face-to-face contact with individuals would have been required to provide the notice in a reasonable period of time following first service delivery.

    We proposed to require all covered providers to post the notice in a clear and prominent location where it would be reasonable to expect individuals seeking services from the covered provider to be able to read the notice. We would have required revisions to be posted promptly.

    In the final rule, we vary the distribution requirements according to whether the covered health care provider has a direct treatment relationship with an individual, rather than whether the covered health care provider has face-to-face contact with an individual. See § 164.501 and the corresponding discussion in this preamble regarding the definition of indirect treatment relationship.

    Covered health care providers that have direct treatment relationships with individuals must provide the notice to such individuals as of the first service delivery after the compliance date. This requirement applies whether the first service is delivered electronically or in person. Covered providers may satisfy this requirement by sending the notice to all of their patients at once, by giving the notice to each patient as he or she comes into the provider’s office or facility or contacts the provider electronically, or by some combination of these approaches. Covered providers that maintain a physical service delivery site must prominently post the notice where it is reasonable to expect individuals seeking service from the provider to be able to read the notice. The notice must also be available on site for individuals to take on request. In the event of a revision to the notice, the covered provider must promptly post the revision and make it available on site.

    Covered health care providers that have indirect treatment relationships with individuals are only required to produce the notice upon request, as described above.

    The proposed rule was silent regarding electronic distribution of the notice. Under the final rule, a covered entity that maintains a web site describing the services and benefits it offers must make its privacy notice prominently available through the site.

    A covered entity may satisfy the applicable distribution requirements described above by providing the notice to the individual electronically, if the individual agrees to receiving materials from the covered entity electronically and the individual has not withdrawn his or her agreement. If the covered entity knows that the electronic transmission has failed, the covered entity must provide a paper copy of the notice to the individual.

    If an individual’s first service delivery from a covered provider occurs electronically, the covered provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service. For example, the first time an individual requests to fill a prescription through a covered internet pharmacy, the pharmacy must automatically and contemporaneously provide the individual with the pharmacy’s notice of privacy practices. An individual that receives a covered entity’s notice electronically retains the right to request a paper copy of the notice as described above. This right must be described in the notice.

    We note that the Electronic Signatures in Global and National Commerce Act (Pub. L. 106-229) may apply to documents required under this rule to be provided in writing. We do not intend to affect the application of that law to documents required under this rule.

     

    HHS Response to Comments Received from Original Rulemaking
    Notice of Privacy Practices: Provision of the Notice

     

    Note: HHS Response to Comments Received is the same as for § 164.520(a)

    Comment: Many commenters supported the proposal to require covered entities to produce a notice of information practices. They stated that such notice would improve individuals’ understanding of how their information may be used and disclosed and would help to build trust between individuals and covered entities. A few comments, however, argued that the notice requirement would be administratively burdensome and expensive without providing significant benefit to individuals.

    Response: We retain the requirement for covered health care providers and health plans to produce a notice of information practices. We additionally require health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity to produce a notice. We believe the notice will provide individuals with a clearer understanding of how their information may be used and disclosed and is essential to inform individuals of their privacy rights. The notice will focus individuals on privacy issues, and prompt individuals to have discussions about privacy issues with their health plans, health care providers, and other persons.

    The importance of providing individuals with notice of the uses and disclosures of their information and of their rights with respect to that information is well supported by industry groups, and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that “each medical-care provider be required to notify an individual on whom it maintains a medical record of the disclosures that may be made of information in the record without the individual’s express authorization.” The Commission also recommended that “an insurance institution... notify [an applicant or principal insured] as to: ... the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed; [and] ... the procedures whereby the individual may correct, amend, delete, or dispute any resulting record about himself.” The Privacy Act (5 U.S.C. 552a) requires government agencies to provide notice of the routine uses of information the agency collects and the rights individuals have with respect to that information. In its report “Best Principles for Health Privacy,” the Health Privacy Working Group stated, “Individuals should be given notice about the use and disclosure of their health information and their rights with regard to that information.” The National Association of Insurance Commissioners’ Health Information Privacy Model Act requires carriers to provide a written notice of health information policies, standards, and procedures, including a description of the uses and disclosures prohibited and permitted by the Act, the procedures for authorizing and limiting disclosures and for revoking authorizations, and the procedures for accessing and amending protected health information.

    Some states require additional notice. For example, Hawaii requires health care providers and health plans, among others, to produce a notice of confidentiality practices, including a description of the individual’s privacy rights and a description of the uses and disclosures of protected health information permitted under state law without the individual’s authorization. (HRS section 323C-13)

    Today, health plan handbooks and evidences of coverage include some of what is required to be in the notice. Industry and standard-setting organizations have also developed notice requirements. The National Committee for Quality Assurance accreditation guidelines state that an accredited managed care organization “communicates to prospective members its policies and practices regarding the collection, use, and disclosure of medical information [and]... informs members... of its policies and procedures on... allowing members access to their medical records.” Standards of the American Society for Testing and Materials state, “Organizations and individuals who collect, process, handle, or maintain health information should provide individuals and the public with a notice of information practices.” They recommend that the notice include, among other elements, “a description of the rights of individuals, including the right to inspect and copy information and the right to seek amendments [and] a description of the types of uses and disclosures that are permitted or required by law without the individual’s authorization.” We build on this well-established principle in this final rule.

    Comment: We received many comments on the model notice provided in the proposed rule. Some commenters argued that patients seeing similar documents would be less likely to become disoriented when examining a new notice. Other commenters, however, opposed the inclusion of a model notice or expressed concern about particular language included in the model. They maintained that a uniform model notice would never capture the varying practices of covered entities. Many commenters opposed requirements for a particular format or specific language in the notice. They stated that covered entities should be afforded maximum flexibility in fashioning their notices. Other commenters requested inclusion of specific language as a header to indicate the importance of the notice. A few commenters recommended specific formatting requirements, such as font size or type.

    Response: On the whole, we found commenters’ arguments for flexibility in the regulation more persuasive than those arguing for more standardization. We agree that a uniform notice would not capture the wide variation in information practices across covered entities. We therefore do not include a model notice in the final rule, and do not require inclusion of specific language in the notice (except for a standard header). We also do not require particular formatting. We do, however, require the notice to be written in plain language. (See above for guidance on writing documents in plain language.) We also agree with commenters that the notice should contain a standard header to draw the individual’s attention to the notice and facilitate the individual’s ability to recognize the notice across covered entities.

    We believe that post-publication guidance will be a more effective mechanism for helping covered entities design their notices than the regulation itself. After the rule is published, we can provide guidance on notice content and format tailored to different types of health plans and providers. We believe such specially designed guidance will be more useful than a one-size-fits-all model notice we might publish with this regulation.

    Comment: Commenters suggested that the rule should require that the notice regarding privacy practices include specific provisions related to health information of unemancipated minors.

    Response: Although we agree that minors and their parents should be made aware of practices related to confidentiality of protected health information of unemancipated minors, we do not require covered entities that treat minors or use their protected health information to include provisions in their notice that are not required of other covered entities. In general, the content of the notice requirements in § 164.520(b) does not vary based on the status of the individual being served. We have decided to maintain consistency by declining to prescribe specific notice requirements for minors. The rule does permit a covered entity to provide individuals with notice of its policies and procedures with respect to anticipated uses and disclosures of protected health information (§ 164.520(b)(2)), and providers are encouraged to do so.

    Comment: Some commenters argued that covered entities should not be required to distinguish between those uses and disclosures that are required by law and those that are permitted by law without authorization, because these distinctions may not always be clear and will vary across jurisdictions. Some commenters maintained that simply stating that the covered entity would make all disclosures required by law would be sufficient. Other comments suggested that covered entities should be able to produce very broadly stated notices so that repeated revisions and mailings of those revisions would not be necessary.

    Response: While we believe that covered entities have an independent duty to understand the laws to which they are subject, we also recognize that it could be difficult to convey such legal distinctions clearly and concisely in a notice. We therefore eliminate the proposed requirement for covered entities to distinguish between those uses and disclosures that are required by law and those that are permitted by law. We instead require that covered entities describe each purpose for which they are permitted or required to use or disclose protected health information under this rule and other applicable law without individual consent or authorization. Specifically, covered entities must describe the types of uses and disclosures they are permitted to make for treatment, payment, and health care operations. They must also describe each of the purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written consent or authorization (even if they do not plan to make a permissive use or disclosure). We believe this requirement provides individuals with sufficient information to understand how information about them can be used and disclosed and to prompt them to ask for additional information to obtain a clearer understanding, while minimizing covered entities’ burden.

    A notice that stated only that the covered entity would make all disclosures required by law, as suggested by some of these commenters, would fail to inform individuals of the uses and disclosures of information about them that are permitted, but not required, by law. We clarify that each and every disclosure required by law need not be listed on the notice. Rather, the covered entity can include a general statement that disclosures required by law will be made.

    Comment: Some comments argued that the covered entity should not have to provide notice about uses and disclosures that are permitted under the rule without authorization. Other comments suggested that the notice should inform individuals about all of the uses and disclosures that may be made, with or without the individual’s authorization.

    Response: When the individual’s permission is not required for uses and disclosures of information, we believe providing the required notice is the most effective means of ensuring that individuals are aware of how information about them may be shared. The notice need not describe uses and disclosures for which the individual’s permission is required, because the individual will be informed of these at the time permission to use or disclose the information is requested.

    We additionally require covered entities, even those required to obtain the individual’s consent for use and disclosure of protected health information for treatment, payment, and health care operations, to describe those uses and disclosures in their notice. (See § 164.506 and the corresponding preamble discussion regarding consent requirements.) We require these uses and disclosures to be described in the notice in part in order to reduce the administrative burden on covered providers that are required to obtain consent. Rather than obtaining a new consent each time the covered provider’s information policies and procedures are materially revised, covered providers may revise and redistribute their notice. We also expect that the description of how information may be used to carry out treatment, payment, and health care operations in the notice will be more detailed than in the more general consent document.

    Comment: Some commenters argued that covered entities should not be required to provide notice of the right to request restrictions, because doing so would be burdensome to the covered entity and distracting to the individual; because individuals have the right whether they are informed of such right or not; and because the requirement would be unlikely to improve patient care.

    Response: We disagree. We believe that the ability of an individual to request restrictions is an important privacy right and that informing people of their rights improves their ability to exercise those rights. We do not believe that adding a sentence to the notice is burdensome to covered entities.

    Comment: We received comments supporting inclusion of a contact point in the notice, so that individuals will not be forced to make multiple calls to find someone who can assist them with the issues in the notice.

    Response: We retain the requirement, but clarify that the title of the contact person is sufficient. A person’s name is not required.

    Comment: Some commenters argued that we could facilitate compliance by requiring the notice to include the proposed requirement that covered entities use and disclose only the minimum necessary protected health information.

    Response: We do not agree that adding such a requirement would strengthen the notice. The purpose of the notice is to inform individuals of their privacy rights, and of the purposes for which protected health information about them may be used or disclosed. Informing individuals that covered entities may use and disclose only the minimum necessary protected health information for a purpose would not increase individuals’ understanding of their rights or the purposes for which information may be used or disclosed.

    Comment: A few commenters supported allowing covered entities to apply changes in their information practices to protected health information obtained prior to the change. They argued that requiring different protections for information obtained at different times would be inefficient and extremely difficult to administer. Some comments supported requiring covered entities to state in the notice that the information policies and procedures are subject to change.

    Response: We agree. In the final rule, we provide a mechanism by which covered entities may revise their privacy practices and apply those revisions to protected health information they already maintain. We permit, but do not require, covered entities to reserve the right to change their practices and apply the revised practices to information previously created or obtained. If a covered entity wishes to reserve this right, it must make a statement to that effect in its notice. If it does not make such a statement, the covered entity may still revise its privacy practices, but it may apply the revised practices only to protected health information created or obtained after the effective date of the notice in which the revised practices are reflected. See § 164.530(i) and the corresponding preamble discussion of requirements regarding changes to information policies and procedures.

    Comment: Some commenters requested clarification of the term “material changes” so that entities will be comfortable that they act properly after making changes to their information practices. Some comments stated that entities should notify individuals whenever a new category of disclosures to be made without authorization is created.

    Response: The concept of “material change” appears in other notice laws, such as the ERISA requirements for summary plan descriptions. We therefore retain the “materiality” condition for revision of notices, and encourage covered entities to draw on the concept as it has developed through those other laws. We agree that the addition of a new category of use or disclosure of health information that may be made without authorization would likely qualify as a material change.

    Comment: We proposed to permit covered entities to implement revised policies and procedures without first revising the notice if a compelling reason existed to do so. Some commenters objected to this proposal because they were concerned that the “compelling reason” exception would give covered entities broad discretion to engage in post hoc violations of their own information practices.

    Response: We agree and eliminate this provision. Covered entities may not implement revised information policies and procedures before properly documenting the revisions and updating their notice. See § 164.530(i). Because in the final rule we require the notice to include all disclosures that may be made, not only those the covered entity intends to make, we no longer need this provision to accommodate emergencies.

    Comment: Some comments suggested that we require covered entities to maintain a log of all past notices, with changes from the previous notice highlighted. They further suggested we require covered entities to post this log on their web sites.

    Response: In accordance with § 164.530(j)(2), a covered entity must retain for six years a copy of each notice it issues. We do not require highlighting of changes to the notice or posting of prior notices, due to the associated administrative burdens and the complexity such a requirement would build into the notice over time. We encourage covered entities, however, to make such materials available upon request.

    Comment: Several commenters requested clarification about when, relative to the compliance date, covered entities are required to produce their notice. One commenter suggested that covered entities be allowed a period not less than 180 days after adoption of the final rule to develop and distribute the notice. Other comments requested that the notice compliance date be consistent with other HIPAA regulations.

    Response: We require covered entities to have a notice available upon request as of the compliance date of this rule (or the compliance date of the covered entity if such date is later). See § 164.534 and the corresponding preamble discussion of the compliance date.

    Comment: Some commenters suggested that covered entities, particularly covered health care providers, should be required to discuss the notice with individuals. They argued that posting a notice or otherwise providing the notice in writing may not achieve the goal of informing individuals of how their information will be handled, because some individuals may not be literate or able to function at the reading level used in the notice. Others argued that entities should have the flexibility to choose alternative modes of communicating the information in the notice, including voice disclosure. In contrast, some commenters were concerned that requirements to provide the notice in plain language or in languages other than English would be overly burdensome.

    Response: We require covered entities to write the notice in plain language so that the average reader will be able to understand the notice. We encourage, but do not require, covered entities to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under Title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. While we believe the notice will prompt individuals to initiate discussions with their health plans and health care providers about the use and disclosure of health information, we believe this should be a matter left to each individual and that requiring covered entities to initiate discussions with each individual would be overly burdensome.

    Comment: Some commenters suggested that covered entities, particularly health plans, should be permitted to distribute their notice in a newsletter or other communication with individuals.

    Response: We agree, so long as the notice is sufficiently separate from other important documents. We therefore prohibit covered entities from combining the notice in a single document with either a consent (§ 164.506) or an authorization (§ 164.508), but do not otherwise prohibit covered entities from including the notice in or with other documents the covered entity shares with individuals.

    Comment: Some comments suggested that covered entities should not be required to respond to requests for the notice from the general public. These comments indicated that the requirement would place an undue burden on covered entities without benefitting individuals.

    Response: We proposed that the notice be publicly available so that individuals may use the notice to compare covered entities’ privacy practices and to select a health plan or health care provider accordingly. We therefore retain the proposed requirement for covered entities to provide the notice to any person who requests a copy, including members of the general public.

    Comment: Many commenters argued that the distribution requirements for health plans should be less burdensome. Some suggested requiring distribution upon material revision, but not every three years. Some suggested that health plans should only be required to distribute their notice annually or upon re-enrollment. Some suggested that health plans should only have to distribute their notice upon initial enrollment, not re-enrollment. Other commenters supported the proposed approach.

    Response: We agree that the notice distribution requirements for health plans can be less burdensome than in the NPRM while still being effective. In the final rule, we reduce health plans’ distribution burden in several ways. First, we require health plans to remind individuals every three years of the availability of the notice and of how to obtain a copy of the notice, rather than requiring the notice to be distributed every three years as proposed. Second, we clarify that health plans only have to distribute the notice to new enrollees on enrollment, not to current members of the health plan upon re-enrollment. Third, we specifically allow all covered entities to distribute the notice electronically in accordance with § 164.520(c)(3).

    We retain the requirement for health plans to distribute the notice within 60 days of a material revision. We believe the revised distribution requirements will ensure that individuals are adequately informed of health plans’ information practices and any changes to those procedures, without unduly burdening health plans.

    Comment: Many commenters argued that health plans should not be required to distribute their notice to every person covered by the plan. They argued that distributing the notice to every family member would be unnecessarily duplicative, costly, and difficult to administer. They suggested that health plans only be required to distribute the notice to the primary participant or to each household with one or more insured individuals.

    Response: We agree, and clarify in the final rule that a health plan may satisfy the distribution requirement by providing the notice to the named insured on behalf of the dependents of that named insured. For example, a group health plan may satisfy its notice requirement by providing a single notice to each covered employee of the plan sponsor. We do not require the group health plan to distribute the notice to each covered employee and to each covered dependent of those employees.

    Comment: Many comments requested clarification about health plans’ ability to distribute the notice via other entities. Some commenters suggested that group health plans should be able to satisfy the distribution requirement by providing copies of the notice to plan sponsors for delivery to employees. Others requested clarification that covered health care providers are only required to distribute their own notice and that health plans should be prohibited from using their affiliated providers to distribute the health plan’s notice.

    Response: We require health plans to distribute their notice to individuals covered by the health plan. Health plans may elect to hire or otherwise arrange for others, including group health plan sponsors and health care providers affiliated with the health plan, to carry out this distribution. We require covered providers to distribute only their own notices, and neither require nor prohibit health plans and health care providers from devising whatever arrangements they find suitable to meet the requirements of this rule. However, if a covered entity arranges for another person or entity to distribute the covered entity’s notice on its behalf and individuals do not receive such notice, the covered entity would be in violation of the rule.

    Comment: Some comments stated that covered providers without direct patient contact, such as clinical laboratories, might not have sufficient patient contact information to be able to mail the notice. They suggested we require or allow such providers to form agreements with referring providers or other entities to distribute notices on their behalf or to include their practices in the referring entity’s own notice.

    Response: We agree with commenters’ concerns about the potential administrative and financial burdens of requiring covered providers that have indirect treatment relationships with individuals, such as clinical laboratories, to distribute the notice. Therefore, we require these covered providers to provide the notice only upon request. In addition, these covered providers may elect to reach agreements with other entities to distribute their notice on their behalf, or to participate in an organized health care arrangement that produces a joint notice. See § 164.520(d) and the corresponding preamble discussion of joint notice requirements.

    Comment: Some commenters requested that covered health care providers be permitted to distribute their notice prior to an individual’s initial visit so that patients could review the information in advance of the visit. They suggested that distribution in advance would reduce the amount of time covered health care providers’ staff would have to spend explaining the notice to patients in the office. Other comments argued that providers should distribute their notice to patients at the time the individual visits the provider, because providers lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients.

    Response: In the final rule, we clarify that covered providers with direct treatment relationships must provide the notice to patients no later than the first service delivery to the patient after the compliance date. For the reasons identified by these commenters, we do not require covered providers to send their notice to the patient in advance of the patient’s visit. We do not prohibit distribution in advance, but only require distribution to the patient as of the time of the visit. We believe this flexibility will allow each covered provider to develop procedures that best meet its and its patients’ needs.

    Comment: Some comments suggested that covered providers should be required to distribute the notice as of the compliance date. They noted that if the covered provider waited to distribute the notice until first service delivery, it would be possible (pursuant to the rule) for a use or disclosure to be made without the individual’s authorization, but before the individual receives the notice.

    Response: Because health care providers generally lack the administrative infrastructure necessary to develop and distribute mass communications and generally have difficulty identifying active patients, we do not require covered providers to distribute the notice until the first service delivery after the compliance date. We acknowledge that this policy allows uses and disclosures of health information without individuals’ consent or authorization before the individual receives the notice. We require covered entities, including covered providers, to have the notice available upon request as of the compliance date of the rule. Individuals may request a copy of the notice from their provider at any time.

    Comment: Many commenters were concerned with the requirement that covered providers post their notice. Some commenters suggested that covered hospital-based providers should be able to satisfy the distribution requirements by posting their notice in multiple locations at the hospital, rather than handing the notice to patients - particularly with respect to distribution after material revisions have been made. Some additionally suggested that these covered providers should have copies of the notice available on site. Some commenters emphasized that the notice must be clear and conspicuous to give individuals meaningful and effective notice of their rights. Other commenters noted that posting the notice will not inform former patients who no longer see the provider.

    Response: We clarify in the final rule that the requirement to post a notice does not substitute for the requirement to give individuals a notice or make notices available upon request. Covered providers with direct treatment relationships, including covered hospitals, must give a copy of the notice to the individual as of first service delivery after the compliance date. After giving the individual a copy of the notice as of that first visit, the covered provider has no other obligation to actively distribute the notice. We believe it is unnecessarily burdensome to require covered providers to mail the notice to all current and former patients each time the notice is revised, because unlike health plans, providers may have a difficult time identifying active patients. All individuals, including those who no longer see the covered provider, have the right to receive a copy of the notice on request.

    If the covered provider maintains a physical delivery site, it must also post the notice (including revisions to the notice) in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered provider to be able to read the notice. The covered provider must also have the notice available on site for individuals to be able to request and take with them.

    Comment: Some comments requested clarification about the distribution requirements for a covered entity that is a health plan and a covered health care provider.

    Response: Under § 164.504(g), discussed above, covered entities that conduct multiple types of covered functions, such as the kind of entities described in the above comments, are required to comply with the provisions applicable to a particular type of health care function when acting in that capacity. Thus, in the example described above, the covered entity is required by § 164.504(g) to follow the requirements for health plans with respect to its actions as a health plan and to follow the requirements for health care providers with respect to its actions as a health care provider.

    Comment: We received many comments about the ability of covered entities to distribute their notices electronically. Many commenters suggested that we permit covered entities to distribute the notice electronically, either via a web site or e-mail. They argued that covered entities are increasingly using electronic technology to communicate with patients and otherwise administer benefits. They also noted that other regulations permit similar documents, such as ERISA-required summary plan descriptions, to be delivered electronically. Some commenters suggested that electronic distribution should be permitted unless the individual specifically requests a hard copy or lacks electronic access. Some argued that entities should be able to choose a least-cost alternative that allows for periodic changes without excessive mailing costs. A few commenters suggested requiring covered entities to distribute notices electronically.

    Response: We clarify in the final rule that covered entities may elect to distribute their notice electronically, provided the individual agrees to receiving the notice electronically and has not withdrawn such agreement. We do not require any particular form of agreement. For example, a covered provider could ask an individual at the time the individual requests a copy of the notice whether she prefers to receive it in hard copy or electronic form. A health plan could ask an individual applying for coverage to provide an e-mail address where the health plan can send the individual information. If the individual provides an e-mail address, the health plan can infer agreement to obtain information electronically.

    An individual who has agreed to receive the notice electronically, however, retains the right to request a hard copy of the notice. This right must be described in the notice. In addition, if the covered entity knows that electronic transmission of the notice has failed, the covered entity must produce a hard copy of the notice. We believe this provision allows covered entities flexibility to provide the notice in the form that best meets their needs without compromising individuals’ right to adequate notice of covered entities’ information practices.

    We note that covered entities may also be subject to the Electronic Signatures in Global and National Commerce Act. This rule is not intended to alter covered entities’ requirements under that Act.

    Comment: Some commenters were concerned that covered providers with “face-to-face” patient contact would have a competitive disadvantage against covered internet-based providers, because the face-to-face providers would be required to distribute the notice in hard copy while internet-based providers could satisfy the requirement by requiring review of the notice on the web site before processing an order. They suggested allowing face-to-face covered providers to satisfy the distribution requirement by asking patients to review the notice posted on site.

    Response: We clarify in the final rule that covered health care providers that provide services to individuals over the internet have direct treatment relationships with those individuals. Covered internet-based providers, therefore, must distribute the notice at the first service delivery after the compliance date by automatically and contemporaneously providing the notice electronically in response to the individual’s first request for service, provided the individual agrees to receiving the notice electronically.

    Even though we require all covered entity web sites to post the entity’s notice prominently, we note that such posting is not sufficient to meet the distribution requirements. A covered internet-based provider must send the notice electronically at the individual’s first request for service, just as other covered providers with direct treatment relationships must give individuals a copy of the notice as of the first service delivery after the compliance date.

    We do not intend to create competitive advantages among covered providers. A web-based and a non-web-based covered provider each have the same alternatives available for distribution of the notice. Both types of covered providers may provide either a paper copy or an electronic copy of the notice.

    Comment: We received several comments suggesting that some covered entities should be exempted from the notice requirement or permitted to combine notices with other covered entities. Many comments argued that the notice requirement would be burdensome for hospital-based physicians and result in numerous, duplicative notices that would be meaningless or confusing to patients. Other comments suggested that multiple health plans offered through the same employer should be permitted to produce a single notice.

    Response: We retain the requirement for all covered health care providers and health plans to produce a notice of information practices. Health care clearinghouses are required to produce a notice of information practices only to the extent the clearinghouse creates or receives protected health information other than as a business associate of a covered entity. See § 164.500(b)(2). Two other types of covered entities are not required to produce a notice: a correctional institution that is a covered entity and a group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs.

    We clarify in § 164.504(d), however, that affiliated covered entities under common ownership or control may designate themselves as a single covered entity for purposes of this rule. An affiliated covered entity is only required to produce a single notice.

    In addition, covered entities that participate in an organized health care arrangement - which could include hospitals and their associated physicians - may choose to produce a single, joint notice, if certain requirements are met. See § 164.501 and the corresponding preamble discussion of organized health care arrangements.

    We clarify that each covered entity included in a joint notice must meet the applicable distribution requirements. If any one of the covered entities, however, provides the notice to a given individual, the distribution requirement with respect to that individual is met for all of the covered entities included in the joint notice. For example, a covered hospital and its attending physicians may elect to produce a joint notice. When an individual is first seen at the hospital, the hospital must provide the individual with a copy of the joint notice. Once the hospital has done so, the notice distribution requirement for all of the attending physicians that provide treatment to the individual at the hospital and that are included in the joint notice is satisfied.

    Comment: We solicited and received comments on whether to require covered entities to obtain the individual’s signature on the notice. Some commenters suggested that requiring a signature would convey the importance of the notice, would make it more likely that individuals read the notice, and could have some of the same benefits as a consent. They noted that at least one state already requires entities to make a reasonable effort to obtain a signed notice. Other comments noted that the signature would be useful for compliance and risk management purposes because it would document that the individual had received the notice.

    The majority of commenters on this topic, however, argued that a signed acknowledgment would be administratively burdensome, inconsistent with the intent of the Administrative Simplification requirements of HIPAA, impossible to achieve for incapacitated individuals, difficult to achieve for covered entities that do not have direct contact with patients, inconsistent with other notice requirements under other laws, misleading to individuals who might interpret their signature as an agreement, inimical to the concept of permitting uses and disclosures without authorization, and an insufficient substitute for authorization.

    Response: We agree with the majority of commenters and do not require covered entities to obtain the individual’s signed acknowledgment of receipt of the notice. We believe that we satisfied most of the arguments in support of requiring a signature with the new policy requiring covered health care providers with direct treatment relationships to obtain a consent for uses and disclosures of protected health information to carry out treatment, payment, and health care operations. See § 164.506 and the corresponding preamble discussion of consent requirements. We note that this rule does not preempt other applicable laws that require a signed notice and does not prohibit a covered entity from requesting an individual to sign the notice.

    Comment: Some commenters supported requiring covered entities to adhere to their privacy practices, as described in their notice. They argued that the notice is meaningless if a covered entity does not actually have to follow the practices contained in its notice. Other commenters were concerned that the rule would prevent a covered entity from using or disclosing protected health information in otherwise lawful and legitimate ways because of an intentional or inadvertent omission from its published notice. Some of these commenters suggested requiring the notice to include a description of some or all disclosures that are required or permitted by law. Some commenters stated that the adherence requirement should be eliminated because it would generally inhibit covered entities’ ability to innovate and would be burdensome.

    Response: We agree that the value of the notice would be significantly diminished absent a requirement that covered entities adhere to the statements they make in their notices. We therefore retain the requirement for covered entities to adhere to the terms of the notice. See § 164.502(i).

    Many of these commenters’ concerns regarding a covered entity’s inability to use or disclose protected health information due to an intentional or inadvertent omission from the notice are addressed in our revisions to the proposed content requirements for the notice. Rather than require covered entities to describe only those uses and disclosures they anticipate making, as proposed, we require covered entities to describe all uses and disclosures they are required or permitted to make under the rule without the individual’s consent or authorization. We permit a covered entity to provide a statement that it will disclose protected health information that is otherwise required by law, as permitted in § 164.512(a), without requiring it to list all state laws that may require disclosure. Because the notice must describe all legally permissible uses and disclosures, the notice will not generally preclude covered entities from making any uses or disclosures they could otherwise make without individual consent or authorization. This change will also ensure that individuals are aware of all possible uses and disclosures that may occur without their consent or authorization, regardless of the covered entity’s current practices.

    We encourage covered entities, however, to additionally describe the more limited uses and disclosures they actually anticipate making in order to give individuals a more accurate understanding of how information about them will be shared. We expect that certain covered entities will want to distinguish themselves on the basis of their privacy protections. We note that a covered entity that chooses to exercise this option must clearly state that, at a minimum, the covered entity may make disclosures that are required by law and that are necessary to avert a serious and imminent threat to health or safety.