If there’s one aspect of HIPAA compliance it seems every office implements, it’s the Notice of Privacy Practices (NPP) — the document that informs patients of the permitted uses and disclosures of their Protected Health Information (PHI) and also spells out their rights as patients regarding their own access to their PHI.
I can vouch for the widespread use of NPPs from my own experience as a healthcare consumer. At every first-time visit to a doctor’s or dentist’s office in recent memory, I’ve been handed a clipboard with a lengthy, legal-sounding NPP to read, along with a pen to sign it.
Of course, there’s more to HIPAA than NPPs.
Nearly all practices have the NPP part of HIPAA compliance down pat. That’s the good news. The not-so-good news — for consumers and the overall security of their health information — is that some offices erroneously believe that NPP’s are the end-all and be-all of HIPAA compliance, that all an office has to do to achieve compliance is get those forms read, signed, and filed.
But if this blind faith in NPPs tells us anything, it’s that those forms are important — for consumers, as well as healthcare practices. Not only important, but also — since September, 2013 — newly revised to reflect changes brought about by the Omnibus Rule.
This post will point out those changes and also point you in the direction of FREE templates, developed by Health and Human Services (HHS), that you can use to comply with the new requirements for NPPs.
Still using your old Notice of Privacy Practices? Stop!
The Omnibus Rule required several modifications to NPPs. Here are a few of the issues those changes address:
- Breach notices — NPPs are now required to include a right of affected individuals to be notified following a breach of their PHI.
- Non-enumerated uses — NPPs must state that any uses or disclosures of PHI not described in the NPP will only be made upon written authorization from the individual.
- Out-of-pocket payment restrictions — HIPAA now requires healthcare providers to inform individuals that they have a right to restrict certain disclosures of PHI to a health plan if the individual has paid out-of-pocket in full for the healthcare service or item.
- Marketing sale, and psychotherapy notes disclosures — NPPs must now contain a statement indicating that the following uses and disclosures of PHI require written authorization: for marketing purposes; disclosures that constitute a sale of PHI, and, for those providers who record and maintain psychotherapy notes, most uses and disclosures of those notes.
Your new NPP is just a click away.
HHS has done an excellent job in making its new NPPs user-friendly, to-the-point, and easy-to-understand. Gone are the “heretofores” and the “whereases” that typically characterize documents that need to be signed and dated. Instead, HHS offers model NPPs written in clear language and presented through attractive design. They’re available on the HHS website in English and Spanish and in four different formats: booklet, layered, full page, and text. The examples you’ll find on the site can be customized for your practice.
If you haven’t already updated your NPPs, click here to get started.