Must a covered entity with a Notice of Privacy Practices that reflects more stringent state laws of multiple states, revise the whole Notice every time one state law materially changes?

Answer:

The Privacy Rule requires the Notice of Privacy Practices (Notice) to identify, among other things, what uses and disclosures the covered entity may make of protected health information. The Notice must reflect any State law(s) that is more stringent than the Privacy Rule with respect to the use or disclosure of this information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of the States, if any, must be reflected in the Notice. See 45 CFR 164.520(b)(1)(ii)(C).

When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rule’s requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. See, generally, §§164.520(c)(1)-(3). In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revision. See §164.520(c)(1)(i)(C).

The Notice requirements are intended to ensure that individuals are fairly informed about how a covered entity may use or disclose their personal health information, including important limitations imposed by State law. Although a covered entity can describe more stringent State privacy laws in the uses and disclosures section of its Notice, this may be more confusing than informative to the individual, particularly where multiple and varying State laws may be applicable. There are other ways a covered entity can design its Notice that may make this information easier for the individual to read and understand, as well as to facilitate the covered entity’s ability to keep the information current and accurate. For instance, a general statement could be included in the uses and disclosures section of the Notice that clearly identifies and refers the reader to a separate section of the Notice which describes the more stringent State privacy law(s) and more fully informs the reader about how protected health information may be used and disclosed. Thus, when more stringent State privacy laws materially change the covered entity’s privacy practices, the covered entity would need to revise only the section of the Notice that contains the State law specific information.

Having a separable section on more stringent State laws can also facilitate distribution of the revised Notice when material changes occur in this section of the Notice. The revised State law section, if on a separate page, may be more readily inserted in or associated with existing Notices in place of the out-dated material.