The Office for Civil Rights (“OCR”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”), recently developed and released model Notices of Privacy Practices (“Notices”) for health care providers and health plans. Several different styles and formats are available for customization.
Providers and health plans (as well as health care clearinghouses) are required by HIPAA to provide patients, enrollees, and/or members with documents explaining how their Protected Health Information (“PHI”) will be safeguarded, what rights individuals have with respect to their PHI, and how the entity may use or disclose the PHI. HIPAA contains a list of elements required to be in all Notices, and it also mandates that such Notices be user friendly and accessible. The Final HIPAA Omnibus Rule (the “Omnibus Rule”) changed the requirements for Notices; for example, pursuant to the Omnibus Rule, patients must be informed of their new right to view their PHI contained in electronic health records where applicable.
Many entities asked for assistance with drafting documents that comply with the new regulations, and OCR and ONC responded by publishing these model Notices that may easily be customized and adopted. OCR and ONC also published corresponding FAQs and instructions that provide guidance regarding how to individualize and use the model Notices. The model Notices also contain internal instructions that identify which parts should be customized; entities should be sure to follow these instructions prior to distribution.
The Omnibus Rule’s provisions regarding Notices go into effect September 23, 2013. Covered Entities under HIPAA should either adapt the model Notices or update their own previous versions prior to this date in order to ensure compliance with law.