What privacy notice is required?
An individual has the right to notice regarding a covered entity's uses and disclosures of protected health information. Covered entities must have and distribute a notice of their privacy practices (“NPP”). The NPP must describe the uses and disclosures of protected health information, the covered entity’s legal duties and privacy practices with respect to protected health information, and the individual’s rights with regard to protected health information.
The NPP must contain a statement that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information for marketing purposes require the individual's authorization, and that other uses and disclosures not described in the NPP will be made only with the individual's authorization. If the entity plans to do fundraising, the NPP must also say so and describe the individual's opportunity to opt out.
The NPP should also inform individuals of their right to restrict disclosures of protected health information when the individual has paid out of pocket for the health care product or service.
A business associate does not need to provide a separate notice. However, a covered entity must ensure through its contract with the business associate that the business associate’s uses and disclosures of protected health information, and its other actions, are consistent with the covered entity’s privacy policies as stated in the covered entity’s notice. A covered entity may also use a business associate to distribute its notice to individuals.
Please note that the Notice must reflect any State law that is more stringent than the Privacy Rule with respect to the use or disclosure of protected information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of those States, if any, must be reflected in the Notice.
When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rule’s requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revision.
What notice is required for a breach of the health data? What if a breach occurs?
The NPP (above) should include notice of affected individuals' right to be notified in the event of a breach in which protected information is impermissibly used or disclosed; this provides helpful context should a breach occur in the future.
The HITECH Act requires covered entities to provide notification to affected individuals, the Secretary of HHS, and the media (if more than 500 residents of the State or jurisdiction are impacted) following discovery of the breach. A breach is treated as discovered when any employee (other than the person committing the breach) knows or should have known about it.
The notice should be sent within 60 days after the breach was discovered. The notice to the individual should include:
- description of what happened,
- description of types of protected information involved in the breach,
- any steps individuals should take to protect themselves from harm resulting from the breach,
- a brief description of the steps the covered entity (or business associate, as applicable) is taking to investigate the breach, mitigate harm, and prevent recurrence, and
- contact information for individuals to seek more information.
What obligations does a Business Associate have in the event of a breach?
A business associate is required to notify the covered entity (or all covered entities, if there are multiple) of a breach of unsecured protected health information so that the covered entity can notify affected individuals. This should occur no later than 60 days following discovery of the breach.
Please note that a law enforcement request may require that breach notification be delayed.