The HHS Office of Civil Rights (OCR) recently released several versions of a model Notice of Privacy Practices (NPP) for use by covered entity health plans and health care providers. The notices have been written specifically to comport with the soon-to-be-effective requirements of the Omnibus final rule released in January of this year implementing many of the requirements of the HITECH Act.
The notices are available in three structured formats (“Booklet,” “Layered,” and “Full Page”) but the content in all three is essentially identical (a “text only” version is also available, for those providers who wish to use different layouts or graphic design). The formats are distinguished by their design and the density of the information presented. In all cases, the model notices employ a level of graphic design absent from most NPPs (which are generally printed in a more typical document format). Guidance published along with the notices indicates that the design was tested with consumers and that both the organization of the text and the colors used to demarcate different subject matters in the notice were appreciated by consumers. In all cases, the files available for download from the OCR site provide instructions regarding customization and completion and allow for the inclusion of entity logos.
Covered entities that alter their NPPs are generally not required to send revised versions to patients who have already received an NPP (or been provided access to one). Except as to health plans that post their NPP on their website, the HITECH Act did not change the requirements for providing copies of an amended NPP. Other than for those health plans, OCR has maintained that changes to an NPP necessitate making the new notice available and posting it (in place of the old notice) but do not trigger a notice requirement. In a 2006 FAQ responding to a medical practice's question, the OCR explained:
The HIPAA Privacy Rule does not require a covered health care provider to mail out its revised notice or otherwise notify patients by mail of changes to the notice. Rather, when a covered health care provider with a direct treatment relationship with individuals makes a change to his notice, he must make the notice available upon request to patients or other persons on or after the effective date of the revision, and, if he maintains a physical service delivery site, post the revised notice in a clear and prominent location in his facility. See 45 CFR 164.520(c)(2)(iv). In addition, the provider must ensure that the current notice, in effect at that time, is provided to patients at first service delivery, and made available on his customer service web site, if he has one. See 45 CFR 164.520(c).
Ober|Kaler's Comments
Entities concerned about the upcoming September 23, 2013 effective date the new regulatory requirements for NPPs will be pleased to note that the provided forms include all necessary information and are “approved” by OCR for immediate use and distribution. Though more complicated entities may choose to review the forms closely and customize them to reflect unique structural or work-flow concerns, the new forms offer a clear “starting point” for all NPPs and will likely work “out of the box” for smaller entities.