Yesterday I had the experience of going into an outpatient surgery center for a procedure. I was presented with a form to sign indicating that I had seen the Notice of Privacy Practices (NPP), but when I asked to see it they had to go searching. When I was presented with the document 15 minutes later, I was saddened to see that it was dated 2003. The notice indicated that it was posted on the wall of the office (it was not) and that it was distributed to each patient on admission (obviously, it was not). I was distressed to see how little energy even an organization the size of an outpatient surgery center has given to implementing HIPAA. I certainly fear for the security and privacy of my data.
A couple of weeks ago, I posted about the amount of time providers have spent implementing the new HIPAA Omnibus Rule that goes into effect on Monday, September 23, 2013. The Notice of Privacy Practices is the most time consuming part of this implementation.
On September 16, 2013, the Office of the National Coordinator (ONC) and HHS Office of Civil Rights released sample NPPs that you can customize and use in your own organization. Please note that these models are templates that are meant for you to edit. Please DO NOT just print them out as they are. You can also use them as models for an NPP that you create from scratch.
You should also know that HHS OCR maintains detailed background information about HIPAA NPPs, implementation of HIPAA, and anything else you can think of related to it. If you have never visited this web site, you should be sure to do so.
Please tell us where you are in implementing the HIPAA Omnibus Rule. Have you updated your NPP? Do you have BAAs with all your business partners who might have access to your PHI? What have you done to include the changes in your procedures and educate your staff? Please share your comments below.