
The Health Insurance Portability and Accountability Act (HIPAA) gives patients the right to be informed about the privacy practices of their health plans and healthcare providers (“covered entities”), as well as their privacy rights concerning their personal health information. This fundamental right requires covered entities to develop and distribute a clear, user-friendly Notice of Privacy Practices (NPP).

Notice Requirements and Accessibility

All covered entities are required to create and provide an NPP. This notice must be comprehensible and written in plain language, detailing:

  • How the entity may use and disclose protected health information.
  • The individual’s rights and how to exercise them.
  • The entity’s legal duties regarding the protection of health information.
  • Contact information for further inquiries about the entity’s privacy policies.

An NPP must be made available upon request and must be prominently posted and accessible both in the provider’s office and on any website maintained by the entity that provides information about services or benefits. It should be noted that health plans are also required to distribute the notice to new enrollees at enrollment and following any significant changes to the privacy practices.


Carosh Compliance Solutions is here to deliver solutions customized for your specific needs. As your trusted advisor, we help your organization achieve its privacy and security goals more cost-efficiently and with less time required from your employees, saving your organization time and money.

When you select the level of service that’s right for you, you gain the confidence of knowing that your program will protect you from the financial risk of those inevitable privacy and security incidents.

You’re here because you do not have an NPP on your website, or your NPP doesn’t satisfy the requirements published by HHS.

Model Notices of Privacy Practices

To facilitate this requirement, the Department of Health and is available in various formats, including booklets and layered notices, to suit different needs. All of which are provided below.

Entities can personalize these model notices by inserting specific details relevant to their practices. Entities need to review all provided instructions and documents thoroughly before personalizing and distributing their notices.

Prominent Posting and Implementation Details

Entities must ensure that the NPP is obvious and easily accessible from the homepage of their website. A recommended approach is to provide a direct link labeled clearly, such as “HIPAA Notice of Privacy Practices.” This link should include a concise description and must be accompanied by the effective date of the notice and contact information for the privacy official or another contact person by either name or title.

Besides the language requirements, many practices also fail to include the required effective date and contact information:

Effective Date of this Notice: [Insert Date]

Privacy Official Contact Information:

Name/Title: [Insert Name or Title of the Privacy Official]

Email: [Insert Email Address]

Phone: [Insert Phone Number]

By adhering to these guidelines, entities not only comply with legal requirements but also demonstrate their commitment to protecting individual privacy rights. This commitment is essential for maintaining trust and confidence in the privacy and security of personal health information.