Providing the individual with a Notice of Privacy Practices (NPP) has been mandated since the effective date of the original HIPAA Privacy Rule. A foundational element in the healthcare privacy world, the NPP is intended to provide information about how the covered entity (including the provider or health plan) uses and discloses the patient’s protected health information (PHI), and the various rights of the individual regarding that PHI, including the right to access, copy, add an amendment, receive communications at a confidential or alternate location, and to request a restriction. This is nothing new.
The HITECH Omnibus Final Rule, some 10 years later, is mandating additional items to be included in the NPP. You must make these changes by September 23, 2013. The provisions include:
· A description of uses and disclosures that require authorization, a statement that any use or disclosure of PHI other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and the right of the individual to revoke that authorization (so long as the covered entity has not already acted on it);
· Where applicable, that the covered entity intends to contact an individual for fundraising purposes, and that the individual has the right to opt out of receiving such communications;
· If the covered entity is a health plan, then its NPP must state that the covered entity is prohibited from using or disclosing genetic information for underwriting purposes;
· A statement that the covered entity is required by law to maintain the privacy of PHI, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;
· That an individual has the right to restrict disclosure of PHI to a health plan where the individual or personal representative pays out-of-pocket in full for the health care item or service, so long as the restriction is for payment or business operations, and not required by law (as may be the case with certain government payers). Note that many states require, and many providers have already created, a mechanism for patients who seek to keep sensitive information confidential through out-of-pocket payments.
· And while this is not HITECH mandated, I like to add that where a provider is disclosing PHI to a regional or statewide health information network, this material disclosure of PHI should be included in the NPP as well (although this notice does not substitute for the required, separate information and opt-out form that may apply, as it does in Maine).
Please, please, please, POST your NPP. Even though you do NOT have to print and give the new NPP to everyone who seeks treatment, the HITECH preamble specifically reaffirms the old requirement that you post the NPP in a prominent location. I cannot tell you how often I find a compliance failure with this very basic (10-year-old) requirement. The failure to post your NPP is a ridiculously easy “gotcha” for the auditors. Don’t give it to them. Find some wall space, put up the NPP, and don’t forget to consider whether the individual in the wheelchair can read the content on that wall.
The HITECH Omnibus Rule does allow you to post an abbreviated NPP, so long as there are copies of the full NPP immediately near or below (such as on a table), and the individual does not have to affirmatively ask the receptionist for a copy. Post the new notice to your website, if you have one (this is mandated for health plans). Physically provide the updated notice to your new patients, and make your good faith effort to obtain the patient’s or personal representative’s signature for receipt. The recipient does not have to sign, but you need to document your attempt either way.
And finally, for the moment, remember: not only does the HIPAA Privacy Rule require that the NPP be written in plain language, but now HITECH reaffirms HIPAA’s commitment to equal access and understanding of the information in the NPP. Make sure your NPP complies with the legal requirements for accommodating those with disabilities, mandated by Section 504 of the Rehabilitation Act of 1973, the Americans with Disabilities Act of 1990, and Title VI of the Civil Rights Act. How will you communicate the information in the NPP to those with limited English proficiency, or to those who are visually impaired? Some providers create their NPP in braille, large print, audio and a variety of languages, as the community requires. Consider what your practice or organization needs.
We are simply shining up the old rule, which should provide some relief to those feeling a bit overwhelmed by the new requirements and changes.
But 10 years ago, there was no HIPAA audit team on the ground checking up on you. Now there is. That is extra reason for you to get your NPP, and other HIPAA/HITECH documents, in order.