(The author would like to thank Teresa Carano, CFC, CIPP/US, CIPM, FIP, senior privacy specialist and compliance analyst at WageWorks, for her invaluable contributions to this article.)
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is conducting Phase 2 HIPAA (The Health Insurance Portability and Accountability Act of 1996) audits. About 167 employers have received notifications, with more audits to come. The audits review the policies and procedures adopted and used by health plans (covered entities); however, the Phase 2 Audit guidance suggests a focus on the Notice of Privacy Practices (NPP).
Background
The HIPAA Privacy Rule requires health plans to develop and distribute a notice that provides a clear, user friendly, explanation that describes the privacy practices of health plans and how an individual can exercise their individual rights.
There are also specific requirements for notice content. This includes how the covered entity may use and disclose protected health information about an individual, the individual’s rights with respect to the information, and how the individual can exercise their rights including how the individual may complain to the covered entity.
Providing the Notice
The notice must be made available to any new enrollees at the time of enrollment or at any time upon request. It also must contain an effective date and be made available on any website that provides information about the plan’s benefits. If revised, notices must be provided to currently covered individuals within 60 days of any material revisions. If no material revisions occur, the health plan must notify participants in the plan of the availability of the updated notice and how to obtain the notice at least once every three years. Many employers will send the notice of availability every year to simplify this compliance requirement.
Review and Update Notices Now
Although HHS provides a model notice, notices are a reflection of employer practices. Employers must make certain those practices align with their notice. Employers must also confirm they have internal procedures to manage the actions stated in the notice. The notice should be reviewed now. Some specific areas to review include the following:
- Are the health plan name, address, and website on the notice accurate?
- Does the notice include the Privacy Officials’ phone, email address, and other contact information?
- Is there an effective date on the notice?
- Is there a list of individual rights included and does the employer have internal procedures to respond to an individual’s request? For example, how are individuals’ rights to request confidential communications handled?
- Are the health plan’s uses and disclosures of health information correctly described? This may require a survey of the uses and disclosures within the health plan as well as those entities outside of the health plan that may receive plan information. There are, of course, permitted uses and disclosures so the review needs to confirm if the uses and disclosures are accurate and permitted under the Privacy Rule.
- Is there a description of any state or other laws that require greater limits on disclosures? For example, “We will never share any substance abuse treatment records without your written permission.” If no laws with greater limits apply to your health plan, no information needs to be included.
- Was personal information ever marketed or sold with written permission? An area to review includes wellness programs, including any mobile or fitness devices provided.
- Also included must be instructions on how an individual will be provided a new notice or how they can request a notice or file a complaint.
Keep in mind that the notice is a reflection of individual employer practices and internal procedures for each welfare benefit plan. Make certain it contains all required elements since it seems to be a focus point of the Phase 2 Audits. Now is the time to review and update notices to reflect all aspects of privacy practices.
The information contained in this article is not intended to be legal, accounting, or other professional advice. We assume no liability whatsoever in connection with its use, nor are these comments directed to specific situations.
