The HIPAA Privacy Rule, which establishes national standards for the protection of medical records and Protected Health Information (PHI), states that individuals have a right to be informed of their covered entities’ privacy practices as well as their individual privacy rights concerning their own PHI. To this end, HIPAA requires that covered entities provide their covered individuals with a Notice of Privacy Practices (NPP) every three years. For small health plans (i.e., those plans with $5 million or less in paid claims and premiums), this requirement is approaching again on April 14, 2016.
To remain compliant with the Privacy Rule, individuals in a small health plan must receive a notice by the above date telling them 1) that the plan’s NPP is available and 2) how a copy of the NPP can be obtained. Keep in mind that this notification requirement does not apply to covered dependents; the plan only needs to send the NPP to the “named insured of a policy” (in other words, the employee).
According to the Privacy Rule, an NPP must describe the following in plain language (as well as state an effective date):
1. How the plan may use and disclose a participant’s
2. The individual’s rights concerning his/her PHI and how he/she can exercise those rights, as well as how the individual can file a complaint to the plan.
3. The plan’s legal duties concerning PHI along with a statement declaring the plan’s legal requirement to maintain the PHI.
4. Contact information to learn more about the plan’s privacy policies.
Creating the NPP for your plan may seem a daunting task, but the U.S. Department of Health & Human Services has developed a variety of model NPPs for your use, such as a designed booklet form and a text-only form. All models are available in English and Spanish. Simply visit their website (http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices), download the NPP model that you would like to use, and enter your information into the file. The models are current for the 2013 Omnibus Rule.
Remember, along with the three-year notices to covered individuals, you must also prominently post your NPP and make it available on any website you maintain that provides information about your customer services or benefits.