On Sept. 17, 2013, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announced that they developed model Notices of Privacy Practices. The model Privacy Notices are available for health care providers and health plans to use to communicate with their patients and plan members.
The model Privacy Notices were developed through the use of consumer focus groups to provide a clear, accessible notice that patients or plan members can understand. According to the OCR and ONC, the models reflect the regulatory changes of the final HIPAA Omnibus Rule and can serve as the baseline for covered entities working to come into compliance with the new requirements. The compliance deadline for the final HIPAA Omnibus Rule is Sept. 23, 2013.
There are three different designs for the model Privacy Notice for health plans. Every design has the same language, although the layered notice includes an additional first page that summarizes key privacy rights, choices, uses and disclosures.
Each design is in a fillable Adobe PDF format and has some areas that can be customized for each health plan. The gray, fillable fields in each PDF include instructions for special notes to add to the Privacy Notice if they apply to the health plan. Also, there is a way to add logo art instead of the health plan's name on the Notice. More information on customizing the notice and best practices is available in the Health Plan Instructions and the Questions and Instructions for using the Model Notices.
In addition, the OCR and ONC have provided a text-only version of the model Privacy Notice. Health plans that use this version can add their own design elements to the Notice or customize the language.
The final HIPAA Omnibus Rule requires covered entities to revise and redistribute their Privacy Notices. According to the Department of Health and Human Services (HHS), the final HIPAA Omnibus Rule's changes to the Privacy Notice represent a material revision to the Notice. As a general rule, a health plan must provide a revised Privacy Notice, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of a material revision to the Notice.
The final HIPAA Omnibus Rule contains a special delivery rule that allows some health plans to avoid the cost of a separate mailing. Under this rule, a health plan that currently posts its Privacy Notice on its website must post the material change or a revised notice by Sept. 23, 2013 and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to plan participants (such as at the beginning of the plan year or during the plan's open enrollment period).
Also, as described below, sponsors of fully-insured health plans are not subject to all of the Privacy Notice requirements.
For fully insured health plans, the insurer has primary responsibility for providing the Privacy Notice. The plan sponsor will have limited responsibilities with respect to the Privacy Notice, depending on its access to PHI.
Source: Department of Health and Human Services
This Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice.
Design © 2013 Zywave, Inc. All rights reserved.