As we reported in March, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is currently conducting Phase 2 HIPAA audits. About 167 employers have received notifications, with more audits to come. The audits review the policies and procedures adopted and used by health plans (covered entities); however, the Phase 2 Audit guidance suggests a focus on the Notice of Privacy Practices (NPP).
Background
The HIPAA Privacy Rule requires health plans to develop and distribute a notice that provides a clear, user friendly, explanation that describes the privacy practices of health plans and how individuals can exercise their individual rights.
There are also specific requirements for notice content. This includes how the covered entity may use and disclose protected health information about an individual, the individual’s rights with respect to the information, and how individuals can exercise their rights including how the individual may complain to the covered entity.
Providing the Notice
The notice must be made available to any new enrollees at the time of enrollment or at any time upon request. It also must contain an effective date and be made available on any website that provides information about the plan’s benefits. If revised, notices must be provided to currently covered individuals within 60 days of any material revisions. If no material revisions occur, the health plan must notify participants in the plan of the availability of the updated notice and how to obtain the notice at least once every three years.
Many employers will send the notice of availability every year to simplify this compliance requirement.
Review and Update Your Notice Now
Although HHS provides a model notice, notices are a reflection of employer practices. Make certain those practices align with the notice. Also confirm you have internal procedures to manage the actions stated in the notice. The notice should be reviewed now. Some specific areas to review include the following:
Keep in mind that the notice is a reflection of your practices and internal procedures for each of your welfare benefit plans. Make certain it contains all required elements since it seems to be a focus point of the Phase 2 Audits Take time now to review and update your notice to reflect all aspects of your privacy practices.
Download a copy of this Alert.