On Sept. 17, 2013, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) announced that they developed model Notices of Privacy Practices. The model Privacy Notices are available for health care providers and health plans to use to communicate with their patients and plan members.
The model Privacy Notices were developed through the use of consumer focus groups to provide a clear, accessible notice that patients or plan members can understand. According to the OCR and ONC, the models reflect the regulatory changes of the final HIPAA Omnibus Rule and can serve as the baseline for covered entities working to come into compliance with the new requirements. The compliance deadline for the final HIPAA Omnibus Rule is Sept. 23, 2013.
Format of Model Notice
There are three different designs for the model Privacy Notice for health plans. Every design has the same language, although the layered notice includes an additional first page that summarizes key privacy rights, choices, uses and disclosures.
- Booklet Version – This version is set up as a booklet that is folded and stapled. According to the OCR and ONC, consumers like this version because it is approachable, portable and easy to read.
- Full-page Version – This version uses similar design elements as the booklet but is configured to be printed on a full page (8 ½ X 11 size). It is a useful option for health plans that like the design of the brochure but do not want to print and assemble it.
- Layered Version – This version has a one-page summary of key privacy rights, uses and disclosures on the first page. It is configured to be printed on 8 ½” X 11” paper. According to the OCR and ONC, consumers like this version because they appreciate the quick and easy-to-read summary.
Each design is in a fillable Adobe PDF format and has some areas that can be customized for each health plan. The gray, fillable fields in each PDF include instructions for special notes to add to the Privacy Notice if they apply to the health plan. Also, there is a way to add logo art instead of the health plan’s name on the Notice. More information on customizing the notice and best practices is available in the Health Plan Instructions and the Questions and Instructions for using the Model Notices.
In addition, the OCR and ONC have provided a text-only version of the model Privacy Notice. Health plans that use this version can add their own design elements to the Notice or customize the language.
The final HIPAA Omnibus Rule requires covered entities to revise and redistribute their Privacy Notices. According to the Department of Health and Human Services (HHS), the final HIPAA Omnibus Rule’s changes to the Privacy Notice represent a material revision to the Notice. As a general rule, a health plan must provide a revised Privacy Notice, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of a material revision to the Notice.
The final HIPAA Omnibus Rule contains a special delivery rule that allows some health plans to avoid the cost of a separate mailing. Under this rule, a health plan that currently posts its Privacy Notice on its website must post the material change or a revised notice by Sept. 23, 2013 and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to plan participants (such as at the beginning of the plan year or during the plan’s open enrollment period).
Also, as described below, sponsors of fully-insured health plans are not subject to all of the Privacy Notice requirements.
Special Rules for Fully Insured Plans
For fully insured health plans, the insurer has primary responsibility for providing the Privacy Notice. The plan sponsor will have limited responsibilities with respect to the Privacy Notice, depending on its access to PHI.
- If the sponsor of a fully insured plan has access to PHI for plan administrative functions, it is required to maintain a Privacy Notice and provide the Notice upon request.
- If the sponsor of a fully insured plan does not have access to PHI, it is not required to maintain or provide a Privacy Notice. A plan sponsor’s access to enrollment applications and disenrollment information alone does not qualify as having access to PHI.
Source: Department of Health and Human Services