New HIPAA Rule Requires Changes to Privacy Practices

By Anne Sumpter Arney

Since 2002, HIPAA has required physicians’ offices as well as other healthcare providers to provide their patients with a Notice of Privacy Practices. These notices are now familiar to everyone who is part of the healthcare industry, including patients. Although they may differ slightly, they are substantially the same because the form and content are primarily dictated by the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

On January 17 of this year, the U.S. Department of Health and Human Services issued the new final rules under HIPAA, which strengthen its privacy and security protections. This new final rule changed several aspects of the privacy and security rules in ways that will directly affect physicians, including modifying what must be included in your Notice of Privacy Practices. In addition to the information already required, a provider’s Notice of Privacy Practices must now include the following additional statements and information:

  • If a provider plans to use or disclose protected health information for fundraising, a statement that the provider may contact the individual to raise funds and that the individual has the right to opt out of receiving these fundraising communications.

  • If the provider maintains “psychotherapy notes,” a statement that the psychotherapy notes will only be used and disclosed with the individual’s authorization.

  • A statement that the patient has the right to restrict the disclosure of information to their insurer if they are paying out of pocket and in full for the care.

  • A statement that the sale of protected health information without the express written authorization of the individual is prohibited, as well as the other uses and disclosures for which the rule expressly requires the individual's authorization (i.e., marketing and disclosure of psychotherapy notes, as appropriate).

  • A statement that the covered entity has a duty to notify affected individuals of a breach of unsecured protected health information.

The other changes required by the new final rule will be addressed in future issues of the Physicians’ Legal Update. A covered entity has until September 23, 2013 to update its Notice of Privacy Practices and to comply with the other requirements of the new rule.

