On September 13, 2013, the U.S. Department of Health and Human Services (HHS) released several variations of a model Notice of Privacy Practices for use by healthcare providers and health plans to communicate with their patients and plan members. The new model notices are intended to facilitate compliance with a portion of the Omnibus Final Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Omnibus Rule was released in January of this year and its requirements will be effective on September 23.
Under the Omnibus Rule, providers and plans are required to develop a clear, user-friendly notice to inform patients of their policies and procedures regarding use and sharing of patients’ protected health information (PHI), as well as patients’ rights regarding access to and sharing of their PHI. According to the Office for Civil Rights and Office of the National Coordinator for Health Information Technology, the two agencies within HHS that developed the model notices, “The models reflect the regulatory changes of the Omnibus Rule and can serve as the baseline for covered entities working to come into compliance with the new requirements.”
In addition to their standard language, the new model notices include blank fields and instructions to allow providers and plans to customize them with contact information, specific information about their own business practices and use of PHI, and the existence of any state or other laws that require greater limits on disclosures. Consequently, most providers and plans who use the models as templates will want to seek input from their attorneys or other advisers in finalizing them.
A HIPAA covered entity is required to make its Notice of Privacy Practices available to any person who asks for it, and to prominently post it on any website it maintains that provides information about its customer services or benefits.