The Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR"), and Office of the National Coordinator for Health Information Technology ("ONC") (the "Agencies") have issued model Notices of Privacy Practices ("NPPs") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") for use by health care providers and health plans ("covered entities" under HIPAA).
As background, HIPAA requires covered entities to provide NPPs to individuals regarding (1) the uses and disclosures of their protected health information ("PHI"), (2) individuals' rights with respect to their PHI, and (3) the covered entity's legal duties with respect to PHI. The final HIPAA "omnibus" rule (the "Omnibus Rule") that was released in January 2013 includes changes to the required content of NPPs. Generally, the changes required under the Omnibus Rule become effective on September 23, 2013.
The model NPPs, which are available here, include the following optional formats for use by health plans and health care providers:
- A NPP in the form of a booklet;
- A "layered" NPP that presents a summary of the information on the first page, followed by the full content on the following pages;
- A NPP with the design elements found in the booklet, but formatted for full page presentation; and
- A text-only version of the NPP.
According to the Agencies, the model NPPs reflect the regulatory changes under the Omnibus Rule and can serve as a baseline for covered entities to develop HIPAA-compliant NPPs. Covered entities may - but are not required to - use the model NPPs. If a covered entity chooses to use a model NPP, it should review the document closely and customize it to accurately reflect the entity's specific approach to HIPAA compliance.