The HHS’ Office of Civil Rights has developed a couple of different model notices of privacy practices that can be used by health plans.  There are 4 different formats of these sample notices:

1. Notice in the form of a booklet;
2. A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
3. A notice with the design elements found in the booklet, but formatted for full page presentation; or
4. A text only version of the notice.

The model notices are posted here.  The files labeled “NPP Health Plan Files” could be used by health plans that are determined to be covered entities.  There are also ‘Health Plan Instructions’ and Q&As about using these model forms.

Remember that the Notice of Privacy Practices (NPP) is to be provided by the covered entity.   A covered entity is a health plan, health care provider or healthcare clearinghouse. 

• If the plan is insured and the employer receives no protected health information (PHI), then the NPP is to be provided by the insurer. 
• If the plan is self-funded, generally, the employer is responsible for providing the NPP; though, the TPA may do it on behalf of the employer. 

An employer should only issue a NPP after working closely with its plan vendors to ensure consistency.

As a reminder, the NPP was to be updated and re-distributed by September 23, 2013.