The compliance deadline for changes to the HIPAA privacy, security and breach notification regulations is September 23, 2013, or, in other words, very soon! Many hospices and other covered entities have likely procrastinated and are now up against the deadline. It's not too late but there are some things that have to get done FAST! One of the most important things, the subject of this post, involves changes to your Notice of Privacy Practices.
Hospices must revise their Notice of Privacy Practices. Changes to the HIPAA regulations brought about by the HIPAA Omnibus Rule require changes that must be incorporated into the Notice of Privacy Practices. This is a high-risk issue because the Notice must include its effective date and if the Notice does not have an effective date after January 25, 2013 and before September 23, 2013, it is obvious that the hospice has not revised its Notice to incorporate the required elements. Given that §164.520(c)(3)(1) requires that the Notice of Privacy Practices be posted in a prominent location on a hospice's website if it has one (most do), it makes for a very easy quick compliance check.
To that end, I just conducted a very informal, interesting, non-statistically valid study. I looked at a random sample of 10 hospice websites. Six of the ten had no Notice of Privacy Practices posted at all (!), three had Notices that have not been revised with the new requirements, and only one (congratulations Hospice Buffalo!) had a Notice posted on their website that is compliant with the Omnibus Rule. There are a number of conclusions to draw from this quick little study but, suffice it to say, a lot of hospices have some work to do.
So here is a Notice of Privacy Practices compliance to do list (used with my permission from the manual I recently wrote to help hospices comply with the Omnibus Rule).
What Hospices Need to
Do About the Notice of Privacy Practices
- Revise and update the hospice’s Notice of Privacy Practices to include the material changes from the Omnibus Rule (a template sample Notice is included in the new HIPAA manual).
- Update the hospice's Notice of Privacy Practices policy and procedure.
- Post the revised Notice to the hospice’s website.
- Make the revised Notice available upon request to existing patients.
- Post the Notice in a prominent location if the hospice has a physical service delivery site.
- Print an adequate supply of copies of the revised Notice.
- Ensure all new patients/representatives receive the revised Notice at the time of first service after the effective date.
- Get rid of all copies of the prior Notice so it is not mistakenly given to new patients after the effective date.
- Ensure that a copy of the previous Notice and copies of acknowledgement of its receipt are maintained by the Privacy Official for six years from the date it was last in effect.
The HIPAA Omnibus Rule: What Hospices Need to Know and Do written by Heather Wilson, Ph.D.
The HIPAA Omnibus Rule published in the Federal Register, January 25, 2013
A copy of all of the HIPAA Privacy, Security and Breach Notification regulations is available here in a very helpful volume, updated with the Omnibus Rule.
New free course on the HIPAA Omnibus Rule available here from the Hospice Education Network
Posted by Heather Wilson, PhD, Founder and CEO of Weatherbee and HEN