Model HIPAA Notices Offer Tools and Insight Into OCR Expectations

The Office of Civil Rights recently posted Model Notices of Privacy Practices on its HIPAA website.  The model notices can be found by following this link:

These notices are a helpful tool for covered entities – although they do still need to be tailored for each covered entity’s individual organization.  For example, the privacy officer contact information will need to be included, as well as information regarding any state laws that are more stringent and information related to organized health care arrangements.

The model notices are also interesting because they provide insight as to what the Office of Civil Rights is expecting to see in a compliant Notice of Privacy Practices.  While the HIPAA Privacy regulations require covered entities to describe every purpose for which the covered entity is permitted or required to use or disclose protected health information, the specificity with which such uses or disclosures must be described has never been very clear.  In the Final Privacy Rule, CMS clarified that covered entities must include uses or disclosures that they were permitted to make, even if they did not intend to do so.  This made it difficult for providers to determine how to deal with some of the more unusual permissible uses and disclosures, that would rarely apply to their practice, such as disclosures to a correctional institution.  The model notices, however, appear to be lacking in detail with regard to some of the more unusual disclosures that are permitted by the Privacy Rule.

Another area where the model notices are very vague is in the description of patient rights.  While the HIPAA Privacy Rule requires covered entities to include in their Notice of Privacy Practices a description of how to exercise the patient rights, the model notice merely states “ask us how to do this.” While covered entities are not likely to be found in violation where they have followed the model notice, the failure to provide individuals with more specific instructions regarding how to exercise patient rights can lead to patient disputes.

For example, many covered entities request that patients put such requests in writing so that there is a paper trail of what the individual actually requested of the covered entity and when the request was made.

In summary, the model notices are a useful tool for covered entities who need assistance with drafting a Notice of Privacy Practices.  Covered entities who are looking to revise their notices, especially in light of the final Omnibus Rule changes, may also find some of the sample language helpful, keeping in mind that many parts of the model language will need to be tailored to the organization.  Covered entities may also decide to attempt to streamline their Notice of Privacy Practices based on the OCR’s guidance if the covered entity’s current notice is more specific and lengthy than the model notices.

Speak Your Mind