Updates relating to the HIPAA Privacy Rules
The HHS’ Office of Civil Rights has recently made several announcements relating to the HIPAA privacy rules.
Sample Notices of Privacy Practices in Spanish
Last fall, the Office of Civil Rights released model notices of privacy practices (NPP) that can be used by health plans (see Benefit Beat article, OCR Releases Sample Notices of Privacy Practices, 10/8/13). There are 4 different formats of these sample notices:
- A booklet format;
- A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
- A notice with the design elements found in the booklet, but formatted for full page presentation; and
- A text only version of the notice.
The OCR has recently released these same model notices in Spanish. Both the English and Spanish versions of the NPP are posted here. The files labeled “NPP Health Plan Files” could be used by health plans that are determined to be covered entities. There are also ‘Health Plan Instructions’ and Q&As about using these model forms.
As a reminder, the NPP is to be provided by the covered entity. A covered entity is a health plan, health care provider or healthcare clearinghouse.
- If the plan is insured and the employer receives no protected health information (PHI), then the NPP is to be provided by the insurer.
- If the plan is self-funded, the employer is generally responsible for providing the NPP, though the TPA may do it on behalf of the employer.
An employer should only issue an NPP after working closely with its plan vendors to ensure consistency.
Pre-Audit Compliance Survey Initiative
The OCR is required by law to conduct periodic audits. Two years ago, the OCR initiated a pilot audit program, the goal of which was to determine what further or future guidance would be useful to covered entities, including their business associates, to ensure proper compliance with the privacy, security and breach rules (see New Pilot Audit Program: HIPAA Privacy and Security Compliance, 1/19/12).
On February 24, 2014, the OCR announced a proposal for a pre-audit survey initiative to determine the suitability of covered entities and business associates for the OCR’s HIPAA Audit Program. Information gleaned from the survey of approximately 1,200 organizations is intended to enable OCR to assess the size, complexity, and fitness of a covered entity. The information to be collected includes the number of insured lives, use of electronic information, revenue and business locations. Comments about this request for information must be received by April 25, 2014.
Guidance on Mental Health Disclosures
The HIPAA privacy rules prohibit the use and disclosure of an individual’s mental health information, including psychotherapy information, under certain circumstances unless such use or disclosure would be helpful in the individual’s overall treatment or for the health and safety of the patient or others. The OCR has recently issued some guidance in the form of Questions and Answers to assist covered entities in determining their obligations in releasing an individual’s mental health information. The majority of this guidance is directed at health care providers in their communications with the patient’s family regarding the patient’s treatment, or in their communications with law enforcement or other entities when there may be a threat of harm to oneself or to public safety.