Understanding and Complying with the HIPAA Privacy Rule: Notice of Privacy Practices

By | September 15, 2015


The HIPAA Privacy Rule has mandated the development of a detailed Notice of Privacy Practices (NPP) for over a decade. Recent updates to the regulations, in the form of the HIPAA Omnibus Rule in 2013, required that all existing NPPs be updated. To comply with federal regulations and to strengthen their relationship and communication with patients and other consumers, covered health care providers and health plans need to understand their obligations and individuals’ rights under the rule.

Understanding the NPP: Purpose and Covered Entities


As part of the HIPAA Privacy Rule, health plans and covered health care providers must notify individuals of the privacy practices and rights related to protected health information (PHI). Specifically, the NPP must be distributed, posted and made available upon request to all patients, notifying them not only of the privacy practices followed by their health plan or health care provider but also of their privacy rights related to their PHI.

All health plans and health care providers, regardless of size or specialty, must comply with HIPAA. The NPP is required for all except the following:

  • Third-party health care clearinghouses
  • Correctional institutions
  • Group health plans that provide benefits only through contracts and do not create or receive any PHI beyond summary health information or enrollment information


Developing the NPP: Required Content and Model Notices

In addition to requiring that the NPP be written in user-friendly, accessible language, the Final Rule requires that the NPP contain certain information. For the complete requirements, refer to the HIPAA regulations in 45 CFR 164.520(b). Highlights of the necessary content are:

Header: All NPPs must have the header: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”

Uses and Disclosures: The NPP must describe the types of disclosures of PHI that are permitted without authorization from the individual. The NPP also must describe the types of uses or disclosures that do require authorization or that the individual can elect to opt out of. Specifically, authorization is required for use or disclosure of:

  • Psychotherapy notes
  • PHI for marketing purposes
  • PHI that is sold

Other uses and disclosures that are not described in the NPP can be made only with the individual’s authorization.

The NPP must inform individuals that they can opt out of fundraising communications.

A health care provider’s NPP must state that individuals have the ability to restrict certain disclosures of PHI to a health plan when the individual pays in full out-of-pocket for the health care item or service.

Individual Rights: Specific individual rights under the Privacy Rule must be described. These rights include the right to request restrictions on uses or disclosures of PHI, the right to inspect, copy and amend PHI, and other rights.

Covered Entity’s Responsibilities: The NPP must specify the covered entity’s duties, which include the requirement, under the law, to maintain the privacy of individuals’ PHI.

Other: Additional considerations include:

  • The effective date of the NPP must be part of the notice. The date cannot be any earlier than the date of publication.
  • The name or title and phone number for a person at the health plan or provider to whom questions can be directed must be included.
  • Information on how to file a complaint with the organization must be provided. Though the NPP must also inform people that complaints can be filed with HHS, the NPP does not need to detail how to do so.
  • The final Privacy Rule requires the NPP include a statement informing individuals of the right to be notified following a breach of unsecured PHI.


Since developing the NPP can be daunting — the notice requires that specific wording be used and that several subjects be covered, with as much detail as possible, all in plain language — the Department of Health and Human Services (HHS) provides several model notices that can be customized as appropriate.

Organizations are free to develop their own formats, as long as the NPP contains the required text and information. However, use of the model templates is encouraged: not only do they include all required federal components, they have also been tested with consumers for ease of understanding and appeal of the design.

The NPP content requirements differ slightly for health plans, so HHS provides two sets of model NPPs — one for health care providers and one for health plans — in both English and Spanish. The provided options are:

  • A booklet, which was by far the most popular choice among patients and other consumers
  • A “layered notice,” which provides a one-page summary of the NPP followed by the full content of the notice
  • A full-page version of the booklet, for ease of printing and assembling
  • A Word document with no formatting, only the text of the NPP


Also available are open source digital model notices submitted in response to a competition in 2014. The Digital Privacy Notice Challenge requested digital versions of the paper-based notices for use on health plans’ and health care providers’ websites. Covered entities must prominently post their NPP on their websites if the site provides information about customer services or benefits.


Keep in mind that state laws might be more restrictive. If so, then the more restrictive guidelines must be followed.

Distributing the NPP: Posting Requirements and Updating Patients


The NPP must be made available to anyone who asks for a copy. The notice needs to be posted in its entirety at the health care facility or provider’s office as well as on its website, if applicable. The most recent copy needs to be provided to all new patients. Existing patients who have already received a copy of the notice do not need to be given the updated NPP, though at least once every three years a health care provider’s patients must be reminded of the existence of the NPP and informed about how to obtain a copy if they want one.