Also: What happens if you don’t comply by Sept. 23?
After you’ve meticulously updated your Notice of Privacy Practices (NPP) so that it complies with all the changes in the HIPAA Omnibus final rule, don’t forget to repost and redistribute it properly.
“The omnibus rule does not modify current requirements for health care providers to distribute NPP revisions,” according to a whitepaper by the law firm Epstein Becker & Green (EBG) posted on its website www.ebglaw.com. “Therefore, when a health care provider with a direct treatment relationship with an individual revises its NPP, the provider must make the NPP available upon request on or after the effective date of the revision.”
In addition to making the NPP available to patients upon request, you must also provide the NPP no later than the date of first service and immediately after making any revisions, says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC. You need to post the NPP at your “service delivery site,” or post a summary with the full version available to patients upon request.
And if you have a website, you must post your NPP prominently on the site and make it available in an electronic format, Sheldon-Dean states. Keep in mind that the recipient of an electronic copy can also get a paper copy of the NPP.
Remember to retain copies of your NPPs issued and the effective dates on all versions, Sheldon-Dean advises. Retain the patients’ receipt of NPP acknowledgements for six years from the acknowledgement date, and retain your NPPs for six years from when the NPP was last in effect.
NPP Noncompliance: What Could Happen
But if you fail to update your NPP by the Sept. 23 compliance deadline, you could face government investigations, increased civil monetary penalties, resolution agreements, and patient complaints, EBG warns.
“As the omnibus rule affects individual rights, covered entities should be cognizant that failure to comply with the NPP requirements may be highly visible by patients and beneficiaries, and can result in greater scrutiny by the HHS Office of Civil Rights, the agency with enforcement authority under HIPAA,” EBG says.