Written By: Kimberly Gold
With the September 23, 2013 compliance date for the HIPAA Omnibus Rule only one week away, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have developed model Notices of Privacy Practices (“NPP”) to help health care providers and health plans ensure compliance with the HIPAA Privacy Rule and recent changes implemented under the Omnibus Rule.
It is crucial that covered entities update their NPPs no later than September 23, 2013. Health care providers must make the updated NPP available upon request and must have the revised NPP available at the practice location and posted in a clear and prominent location. Health plans must post the updated NPP on their website no later than September 23, 2013, and must distribute a summary of changes or copies of updated NPP in the next annual mailing.
The model NPP implements several new requirements, including the necessary statement of the uses and disclosures of protected health information (“PHI”) that require an authorization, including a statement that most uses and disclosures of psychotherapy notes and of PHI for marketing purposes and the sale of PHI require an authorization.
OCR and ONC created the model NPP in response to covered entities’ requests for additional guidance on how to create a clear, accessible notice that their patients or plan members can understand. The following models were created for use by health plans and health care providers:
- Notice in the form of a booklet;
- A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
- A notice with the design elements found in the booklet, but formatted for full page presentation; and
- A text only version of the notice.
The agencies indicated that the models can serve as the baseline for covered entities working to come into compliance with the new requirements. While they may be a helpful baseline, it is important to remember that the NPPs must be tailored for each covered entity’s particular practices.