HHS issues model HIPAA notices of privacy practices

Less than a week before the compliance deadline for the final omnibus rule issued under the Health Insurance Portability and Accountability Act, the Department of Health and Human Services, the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology issued model Notices of Privacy Practices for use by health care providers and health plans - covered entities under HIPAA.

According to the agencies, their intent was to create model NPPs with "plain language and approachable designs."

The model NPPs reflect the regulatory changes under the omnibus rule and provide a baseline for covered entities to comply with the new requirements.

HIPAA generally requires covered entities to provide NPPs to individuals regarding:

* The uses and disclosures of their protected health information.

* Their rights with respect to PHI.

* The covered entity's legal duties with respect to PHI.

The omnibus rule released in January includes changes to the required content of NPPs. For example, the omnibus rule requires covered entities to include the following provisions in their NPPs:

* A description of the types of uses and disclosures that require an individual's authorization, such as use of psychotherapy notes, disclosure of PHI for marketing purposes and disclosures that constitute a sale of PHI.

* A statement that the covered entity may not use genetic information for purposes of underwriting.

* A statement regarding the individual's right to be notified in the event of a breach of unsecured PHI.

* A statement addressing the covered entity's use of PHI for fundraising purposes, including the individual's right to opt out of receiving such communications.

The preamble of the omnibus rule states that the changes to the required content of NPPs constitute material changes to the NPPs of covered entities. According to HHS, the modifications to the NPP content requirements are significant and important to ensure that individuals are aware of the changes that affect their privacy protections and individual rights regarding PHI. Therefore, covered entities were required to update their NPPs by September 23, 2013, and distribute the revised NPPs to individuals in accordance with the NPP distribution requirements under HIPAA.

In guidance accompanying the model NPPs, the agencies state that covered entities must make their NPPs available to individuals who request a copy, and must prominently post and make available their NPPs on any websites they maintain that provide information about their customer services or benefits.

The model NPPs include the following optional formats for use by covered entities:

1. Booklet version. This version is set up as a booklet that is folded and stapled. According to the agencies, consumers liked this version because it was approachable, easy to read and portable.

2. Layered version. This version has a one-page summary of key privacy rights, uses and disclosures on the first page. It is configured to be printed on 8 1/2 x 11-size paper. According to the agencies, consumers liked this version because they liked the quick and easy-to-read summary.

3. Full-page version. This version uses similar design elements as the booklet but is configured to be printed on a full page (8 1/2 x 11-size paper). According to the agencies, if covered entities like the design of the brochure but do not want to print and assemble it, this version is a useful option.

4. Text-only version. This version includes only the unformatted text. Covered entities may use this version if they like the language used in the model NPPs but would like to insert their own designs.

Along with the model NPPs, the agencies have released a questions-and-instructions document for use by covered entities. This document provides covered entities with guidance regarding which model NPP they should use, how to customize the NPPs, how to add a logo to the model NPPs and best practices for using the model NPPs.

If a covered entity does not currently have a HIPAA-compliant NPP, the model notices provide a good starting point for complying with the requirements under HIPAA and the omnibus rule. Covered entities have the option of using the model NPP, but are not required to do so.

If a covered entity chooses to use a model NPP, the document should be reviewed carefully to ensure that it accurately reflects the covered entity's use and disclosure of PHI. The model NPPs will need to be customized to accurately reflect the covered entity's specific approach to HIPAA compliance.

Contributing Editor Kate Bongiovanni is an associate in the tax section of Smith, Gambrell & Russell, LLP. She can be reached at kbongiovanni@sgrlaw.com.
