OCR Issues Model Notices of Privacy Practices

As the compliance date for the final Omnibus HIPAA privacy and security rule looms, September 23, 2013, the Office for Civil Rights and Office of the National Coordinator for Health Information Technology lend a helping hand to covered entities by publishing model Notices of Privacy Practices (NPP) for health care providers and health plans. The Omnibus Rule implements a number of changes required under HITECH , including “material” changes to NPPs.

The model NPPs reflect these changes and are designed to help covered entities meet their obligation to develop and distribute clear, user friendly notices. The agencies also provided optional formats for the NPPs:

  • Notice in the form of a booklet;
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
  • A notice with the design elements found in the booklet, but formatted for full page presentation; and
  • A text only version of the notice.

Note to covered entities: The agencies state that the model NPPs reflect the regulatory changes of the Omnibus Rule, and can serve as a baseline for compliance. Covered entities will still have to tailor the notices to their particular circumstances and insert information specific to their organizations. In addition, covered entities should review the rules for how and when notices need to be provided. See 45 CFR 164.520. For example, NPPs generally can be provided by email provided the recipient has consented. Also, if a covered entity maintains a website about its customer services or benefits, it must prominently post the NPP on that site.