There has been confusion as to whether the Affordable Care Act’s nondiscrimination provision (“ACA”) affects a covered entity’s notice of privacy practices (“NPP”) or data breach notifications. OCR has issued guidance indicating that ACA does indeed impact NPPs. Moreover, breach notifications also likely are affected. Accordingly, if they have not already done so, covered entities should consider updating their NPPs to include the required nondiscrimination language and “taglines” in different languages. Covered entities also should address their breach notification policies, procedures, templates, processes, and checklists so that any required ACA language and taglines are included in any breach notifications going to individuals.
In mid-2016, regulations by the Department of Health and Human Services Office for Civil Rights (“HHS”) implemented Section 1557 of the ACA (the “ACA Rule”). The ACA Rule generally prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs and activities. The ACA Rule applies to health programs or activities that receive funding from HHS, health programs and activities administered by HHS, the Health Insurance Marketplaces, and plans offered by issuers that participate in those Marketplaces. Covered entities that may be affected include hospitals, health clinics, health insurance issuers, state Medicaid agencies, community health centers, physician’s practices, and home health care agencies.
ACA Nondiscrimination Obligations for “Significant Publications”
The ACA Rule requires that a covered entity’s “significant publications” and “significant communications” include notification of its nondiscrimination obligations with respect to its health programs and activities. Specifically, these notices and communications must include the following information:
The covered entity does not discriminate on the basis of race, color, national origin, sex, age, or disability;
The covered entity provides language assistance services, free of charge and in a timely manner, to individuals with limited English proficiency;
The covered entity provides appropriate auxiliary aids and services, free of charge and in a timely manner, to individuals with disabilities;
The way that an individual can access the covered entity’s language assistance and disability aids and services;
The availability of a grievance procedure, and how to file a grievance;
The mechanism for filing a discrimination complaint with OCR; and
The contact information for the responsible employee coordinating compliance with the ACA Rule.
A covered entity must include this notice in significant publications and significant communications targeted to beneficiaries, enrollees, applicants, and members of the public.
Additionally, covered entities are required to include “taglines” in the top fifteen languages spoken by individuals with limited English proficiency within the covered entity’s state. There is an exception for significant publications and significant communications that are small-sized, such as postcards and tri-fold brochures, which may include a shorter non-discrimination statement in lieu of the full notice and may include two rather than 15 taglines.
What Does this Mean for HIPAA NPPs?
Covered entities have expressed confusion about whether an NPP, which is mandated by HIPAA, is a “significant publication” that requires the ACA Rule-mandated notice and taglines. Guidance from HHS provides some clarification. HHS has stated that a covered entity’s NPP is considered to be a significant publication under the ACA Rule. Therefore, covered entities should verify that their NPPs have been updated to include any nondiscrimination notice language and taglines required by the ACA Rule.
What Does this Mean for HIPAA Breach Notifications?
In commentary to the ACA Rule, HHS indicates that it “intends to interpret ‘significant publications and significant communications’ broadly.” Further, in the HIPAA Omnibus Rule, HHS indicated that breach notifications may have to comply with various civil rights laws (although the ACA Rule, which was not yet implemented, is not mentioned). In addition, breach notifications are required by HIPAA when the triggering criteria are met. Taking all these factors into account, HHS may require the ACA Rule-mandated notice and taglines for notifications of the breach of unsecured protected health information to affected individuals.
HHS publishes model notice and tagline language in multiple languages and identifies the top 15 languages spoken in each state. Accordingly, covered entities can use these resources to add the model notice language and the taglines in the top 15 languages in the covered entity’s state to their NPPs and notifications.
A failure to comply with the ACA Rule would not constitute a HIPAA violation since HIPAA does not require the ACA Rule language and taglines. Further, because the ACA is a law that the current Administration is on record as trying to repeal, there remains the question of whether HHS would seek to enforce the ACA Rule in various instances, including with respect to NPPs and breach notifications. Only time will tell. Accordingly, covered entities are left in limbo, wondering to what extent limited resources should be focused on complying with new regulatory requirements that may not be currently enforced by HHS.
Covered entities should consider the following:
When applicable, covered entities may decide to post online and on-site a revised NPP containing the mandated ACA Rule language.
For paper copies of NPPs that are available at facilities, a covered entity may exhaust its current supply of NPPs, as long as they were printed before July 18, 2016 (the ACA Rule’s effective date). Then, covered entities should restock their NPPs with versions that comply with the ACA Rule. Although not required, OCR recommends adding inserts with the nondiscrimination language and taglines to existing stocks of NPPs.
Covered entities do not need to obtain a second acknowledgement of receipt of the modified NPP, nor treat the revised language as a “material change” of the NPP for purposes of HIPAA. Basically, HIPAA does not require any action for the NPP with respect to the ACA Rule.
Although the effective date of the NPP need not change, a covered entity may want to update the “revision date” upon adding the nondiscrimination text. This way the covered entity can more readily identify old versus new NPPs.
Covered entities should consider whether breach notifications should contain the mandated ACA Rule language and taglines.