Must a covered entity with a Notice of Privacy Practices that reflects more stringent State laws of multiple States, revise the whole Notice every time one State law materially changes?
The Privacy Rule requires the Notice of Privacy Practices (Notice) to identify, among other things, what uses and disclosures the covered entity may make of protected health information. The Notice must reflect any State law(s) that is more stringent than the Privacy Rule with respect to the use or disclosure of this information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of the States, if any, must be reflected in the Notice. See 45 CFR 164.520(b)(1) (ii)(C). When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rules requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. See, generally, 164.520(c)(1)-(3). In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revi
Related Questions
- Must a covered entity with a Notice of Privacy Practices that reflects more stringent State laws of multiple States, revise the whole Notice every time one State law materially changes?
- To a group, are we covered if we provide Notice of Privacy Practices to the group administrator, or does notice need to be provided to each and every eligible employee?
- Do state privacy laws override HIPAA?
