Template Privacy Notices Simplify HIPAA Compliance
September 23 is right around the corner. Has your practice updated its standard privacy notice yet?
Covered entities—including health care providers who conduct covered healthcare transactions electronically—are required to develop and distribute a notice to patients that provides a clear, user-friendly explanation of the provider’s privacy practices and patients’ rights to privacy of protected health information (PHI). This isn’t new. What is new are the requirements for these privacy notices.
The U.S. Department of Health & Human Services (HHS) issued a final rule at the beginning of the year modifying several provisions of the Health Insurance Portability and Accountability Act (HIPAA), in part to strengthen the privacy and security protection for individuals’ PHI. The new regulations went into effect March 26. Covered entities and business associates have until Sept. 23 to comply with the new requirements.
The omnibus final rule is comprised of four rules, one being to finalize HIPAA privacy, security, and enforcement rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which includes requiring “modifications to, and redistribution of, a covered entity’s notice of privacy practices.” (Federal Register, vol. 78, No. 17, Jan. 25, 2013)
Covered entities are required to provide a notice in plain language that describes:
- How the covered entity may use and disclose PHI about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of PHI.
- Who the contact is for further information about the covered entity’s privacy policies.
The notice must also include an effective date; and a covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices.
But these requirements only scratch the surface of what you need to know. Developing a privacy notice is complicated and time consuming.
To simplify matters, the Office of the National Coordinator (ONC) and the HHS Office for Civil Rights (OCR) have released model Notices of Privacy Practices for healthcare providers to use to communicate with their patients.
Model notices come in three styles and are customizable:
- Booklet form
- Letter form
- Booklet form in a full-page layout
A text-only version also is available, for those who prefer to incorporate the content into their own formatted materials.
You can access the notices on the HHS website here.