The Office for Civil Rights (OCR) promised further guidance on some of the changes delivered in the Omnibus Rule earlier this year and this week we have seen this start to roll out. First came the new Notice of Privacy Practices (NPP) issued by the OCR on their website to give organizations a template to use or to start with in developing their new NPP. Using this NPP makes it very simple for entities in that at a minimum you have confidence that the basics required are covered if this template is adopted. If nothing else it provides a good place to start.
Other guidance released just recently includes further guidance on the marketing provision, decedent information provision and the provision covering student immunizations. These FAQ sheets can be found on the OCR website, but the following is a brief synopsis of what they communicate.
Guidance for refill reminders and other medication adherence communications, an excluded category under the marketing definition. The rule expressly excludes these communications around refill reminders and other communications about a drug or biologic that is currently being prescribed for the individual, provided that financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication. Financial remuneration does not include non-financial or in-kind benefits. The two components of determining what is appropriate are whether or not the communication is about a currently prescribed drug or biologic and if it involves remuneration, is it reasonable. The guidance provides details on how to answer these two questions and gives examples for clarification.
Guidance regarding information pertaining to a decedent. The rule explicitly excludes information about a decedent that has been deceased for more than fifty years. In addition to provisions for releasing decedent information to law enforcement, coroners, organ donors or for specific research the rule also permits the release of decedent information to family members or other individuals who were involved in the individuals health care or payment for care prior to their death. The information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care. For access to other information the person requesting must follow standard procedure for receiving authorization. Again the guidance provides more detail.
Guidance on student immunizations. To ensure schools are able to receive the necessary documentation of immunization in a timely manner and admit children without undue delay, the rule permits a covered entity to disclose proof of immunization directly to a school that is required by law to have such proof prior to admitting a student, with oral or written permission by the parent or guardian. Covered entities are permitted to release this information providing they obtain and document permission by the parent or the student if emancipated or an adult. The agreement can be oral or written and need not include signatures. As with the previous guidance this one offers a series of FAQs to further clarify its implementation.
If you have not seen these now is the time to do so and make sure that the changes you have made to your Privacy policies accurately reflect this guidance. The next step is to train the workforce with respect to these changes. There should be more guidance as we move through the rest of this year and into next.
