Skip to main content

OCR Delays Required Changes to Notices of Privacy Practices for Laboratories

Written by: Stephanie Willis

The HHS Office of Civil Rights (OCR) has granted certain clinical laboratories a temporary reprieve from the requirement to update their Notices of Privacy Practices (NPPs) by September 23, 2013, the deadline imposed by the HIPAA Omnibus Rule.  As a result, OCR will not take enforcement action or impose civil money penalties against laboratories that have not revised their NPPs by the deadline.  Additionally, OCR plans to issue a public notice at least 30 days in advance of the end of the enforcement delay.  This enforcement delay, however, does not apply to laboratories that operate as a part of a larger covered entity (e.g., a hospital) because those laboratories do not have NPPs separate from the larger entity. 

The HIPAA Omnibus Rule requires that all covered entities make significant updates to their NPPs, including adding statements regarding: 

  • the prohibition on the covered entity’s sale of personal health information (PHI) without an individual’s authorization;
  • permissible uses of certain PHI for marketing communications (pursuant to limitations on third-party funding of such marketing communications);
  • permissible uses of certain PHI for fundraising purposes, along with the patient’s opt-out rights from such fundraising communications;
  • the individual’s rights to restrict covered entity communications of PHI to health plans when he or she has paid for services out-of-pocket;
  • an individual’s right to receive copies of PHI delivered either to the individual or to a third party identified by the individual, if maintained in that form by the covered entity;   
  • the covered entity’s obligation to account for treatment, payment and health care operation disclosures if it maintained an electronic health record after January 1, 2007; and
  • the individual’s right to receive notification in the event of a breach as well as the covered entity’s ability to use PHI to provide such breach notifications.

As stated in its announcement on the eve of the weekend before the long-anticipated deadline, “the Department anticipates publishing an amendment to the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1998 (CLIA) regulations regarding the right of individuals to receive their test reports directly from CLIA and CLIA-exempt laboratories, which was proposed for public comment on September 14, 2011” (and profiled in this post).  

If proposed changes from the September 14, 2011 rule are adopted, OCR recognized that this would impose material changes to the privacy practices of laboratories covered by HIPAA.  Specifically, the rule would require the impacted laboratories to inform their patients of their new rights and describe how to exercise them.  The anticipated proximity of the two rulemakings prompted OCR to announce the enforcement delay to relieve the administrative burden for the potentially affected laboratories. 

Pending the release of the final rule, affected clinical laboratories can wait with bated breath for the release of the final rule on CLIA laboratory test report access rights, but should still look at the model NPPs OCR released earlier this week to ensure that they account for those basic changes in the interim. 

Subscribe To Viewpoints