Notice of Privacy Practices (NPP) – Most People’s Connection to HIPAA

When you mention HIPAA, most people reference the Notice of Privacy Practices (NPP) they received at the hospital, doctor’s, dentist’s or eye doctor’s office.

The NPP is a document that tells your patients, employees, or clients how their health information may be used and shared and lists their health privacy rights related to Protected Health Information (PHI). It’s a part of the HIPAA Privacy Rule and a key requirement for your organization. This week we’ll review the requirements for an NPP.

Is your organization required to create and distribute an NPP?

You’ve been on the receiving end of a Notice of Privacy Practices (NPP) when you go to the doctor. You’ve received one, but is your organization responsible for creating and distributing an NPP for others?

Since April 14, 2003, medical and dental providers have the responsibility to provide patients a copy of a Notice of Privacy Practices (NPP).

As a health insurance agency, business associate, or an employer group that provides a group health plan, HIPAA requires you to create and distribute a Notice of Privacy Practices as of 2004.

Exactly what you provide to your clients in an NPP is very specific and how you distribute it depends on your industry. Regardless of your size or specialty, you must provide your patients, employees, or clients a Notice of Privacy Practices (NPP) and it must be made available upon request at any time.

Creating the Notice of Privacy Practices (NPP)

The easiest way to create a Notice of Privacy Practices (NPP) is to use a template; it can assure that you include the language and information the HIPAA law requires.

Your Notice of Privacy Practices (NPP) will be different depending on your industry. You’ll find lots of different sources for templates, but beware: not all are created equal. You’ll need to assure that the template is from a reputable source and that it contains the information required. For example, healthcare providers or those responsible for a health plan can reference HHS’ website for a model NPP notice.¹

Total HIPAA has created a Notice of Privacy Practices (NPP) to reflect the separate requirements for the five markets we serve.

For Insurance carriers and agencies, your NPP should have language referring to the Gramm-Leach-Bliley Financial Modernization Act (Aka GLB Act), as well the HITECH Act.

While you are free to develop your own NPP formats that include the required text and information, Total HIPAA provides NPP templates that include all required federal components, as well as state or other laws that may require greater limits on disclosures.

Furthermore, our NPPs have been tested with consumers for ease of understanding and appeal of the design.

Regardless of industry, your NPP must contain user-friendly language and specific information:

1. For all NPP requirements, reference HIPAA regulations in 45 CFR 164.520(b).
2. Header: All NPPs must have the header: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
3. Statement(s) of Usage, Disclosures:
   • Describe the types of uses or disclosures of PHI that are permitted without authorization from the individual.
   • Describe the types of uses or disclosures that require authorization or that the individual can elect to opt out:
     • Psychotherapy notes
     • Use of PHI for marketing purposes
     • The sale of PHI
   • Other uses and disclosures that are not described in the NPP can be made only with the individual’s authorization.
   • Individuals that they can opt out of fundraising communications.
   • (Provider Only) NPP must state that individuals have the ability to restrict certain disclosures of PHI to a health plan when the individual pays in full out-of-pocket for the health care item or service.
4. Individual Rights: Specific individual rights under the Privacy Rule must be described. These rights include the right to request restrictions on uses or disclosures of PHI, the right to inspect, copy and amend PHI.
5. Covered Entity’s Responsibilities: The NPP must specify the covered entity’s duties, which include the requirement, under the law, to maintain the privacy of individuals’ PHI.
6. Additional considerations:
   • The effective date of the NPP must be part of the notice. The date cannot be any earlier than the date of publication of either April 14, 2003, or 2004 for small health plans.The name or title and phone number of a person at the health plan or provider to whom questions can be directed must be included.
   • Information on how to file a complaint with the organization must be provided. Though the NPP must also inform people that complaints can be filed with HHS, the NPP does not need to detail how to do so.
   • The final Privacy Rule requires the NPP include a statement informing individuals of the right to be notified following a breach of unsecured PHI.

Distributing the Notice of Privacy Practices (NPP)

When distributing your NPP, there are general requirements that every industry should know:

• Anyone who asks for a copy must be provided one.
• Covered entities must prominently post its NPP within the physical location.
• Post on their websites if the site provides information about customer services or benefits.

Reference the points below for industry-specific requirements regarding distributing the NPP:

Medical and Dental Providers:

• Have one posted somewhere prominently in the office, on your website (if the practice has one), and documented that each patient has received one.

Insurance Agencies:

• If the agency provides a group health plan within the organization, one must go to each employee.
• The agency needs to distribute to individuals (only one copy per family no matter how many people are in the family coverage) and if it is a group plan, the agency must provide a copy to the company (as the client) and the company is responsible for distributing to each employee.

Employer Groups:

• Distribute the NPP to employees who are part of the Group Health Plan offered.

Business Associates:

• If the business associate provides a group health plan, one copy must go to each employee.

Acknowledgment of NPP

HIPAA law requires doctors, hospitals, or other healthcare providers to keep records that clients or employees have received the notice. You may do this by getting a signature acknowledging the individual received the NPP or keeping a dated log of NPP distribution.

• A signature does not mean that the client/employee has agreed to any special uses or disclosures (sharing) of health records.
• Refusing to sign an acknowledgment does not prevent a provider or plan from using or disclosing health information as HIPAA permits.
  • If your client or patient refuses to sign an acknowledgment, the provider must keep a record of this fact.
• As a healthcare provider, you can have a first-time patient sign that they received an NPP and then scan the signed document into their personal file.
• Have the individual review and sign an authorization to receive the NPP electronically when given the NPP for future notifications.

Updating and maintaining the NPP

You should update your NPP at least once every three years. Specifically:

• A health care provider’s patients must be reminded of the existence of the NPP and informed about how to obtain a copy if they want it.
• Insurance carriers and agencies must send an NPP annually as long as the customer relationship lasts.

For more information on the Notice of Privacy Practices, you can reference the following:

• HHS Notice of Privacy Practices FAQs

1. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html

Sharing is caring!