September 23, 2013 is the date that medical practices and other covered healthcare entities will roll out a new Notice of Privacy Practices to patients to be compliant with the HIPAA Omnibus rule enacted in March 2013.
What Does This Mean For Patients?
Patients should be aware that after September 23rd, their healthcare providers will have a new Notice of Privacy Practices (NPP) available. The new NPP should be posted in each office, on the website if one exists, and should be available as a handout for any patient requesting it.
The new notice will include:
- Reasons that your Protected Health Information (PHI) can and cannot be disclosed to others.
- Information for opting out of communication related to fundraising activities, if your healthcare provider does any fundraising.
- The ability to restrict your PHI from payer disclosure when you pay in cash instead of having the charges filed with your insurance plan.
- Information about being contacted if there is a breach of your PHI due to unsecured records.
What Does This Mean For Practices?
- A new Notice of Privacy Practices that is specialized to your practice must be developed.
- The new NPP must be posted in your practice and on your website, and must be available as a handout for any established patients who request it.
- All new patients must be offered a copy of the new NPP and must sign an acknowledgement that they received it. (They may turn a copy of the NPP down, however.)
- Policies must be developed that address the disclosure of information/records and notification of a breach, should one occur.
- Old and new versions of the NPP should be on file in the practice, and patient acknowledgements should also be kept as long as the medical record is retained.
What else is required for compliance with HIPAA Omnibus?
One of our good friends, Steve Spearman at Health Security Solutions, has posted great information on his site about the other requirements of the HIPAA Omnibus rule. His excellent posts help readers understand and comply with the new HIPAA guidelines in the following areas:
- Business Associates Agreement (BAA) Update
- Downstream Subcontractors Needing BAAs
- New Breach Notification and Reporting Protocol
- School Immunization Records Protocol
- Electronic Fulfillment of PHI Request
- Medical Record Protocols for Cash Payments
At Manage My Practice, we’re offering a free sample Notice of Privacy Practices for your practice use. Please read the sample notice carefully, make changes specific to your practice and add your practice name. Note that language related to fundraising is NOT included, as it will not apply to most private practices. Insert fundraising language as follows if appropriate for your practice.
Fundraising Activities: We may use PHI to contact you to raise money. If you wish to opt out of these contacts, or if you wish to opt back in to these contacts, please contact our Privacy Officer.
Likewise, if your practice has a research function, insert relevant language:
Research: We may use and share your health information for certain kinds of research; however, all research projects are subject to a special approval process.
Check your state laws.
Your state law may require authorizations for certain uses and disclosures of PHI beyond those outlined in the sample notice. Be sure to amend your NPP to reflect any state-specific laws (resource here) related to release of medical records. Remember to post your new NPP on your website and in your practice, and begin giving it to new patients September 23, 2013.
The new Notice of Privacy Practices is not required until September 23rd, but you can start using it as soon as you have yours ready.
For more on HIPAA, read my post “Three Big HIPAA Myths.”