OCR and ONC release model NPPs

With H-Hour (the HIPAA Omnibus Rule compliance date) just a week away, the federales have come through, delivering a useful compliance tool with the HIPAA Notice of Privacy Practices requirements — a set of model forms released during the Consumer Health IT Summit. At first blush, the forms seem extremely user-friendly, and they are certainly briefer, and are written in a tongue that bears a closer resemblance to English, than the NPPs with which most of us have had to labor. Kudos to the agencies for undertaking the effort to draft and field-test these forms.

While the field-testers' favored format, we are told, is the booklet, I much prefer the layered online form. The first page has a high-level summary of the HIPAA privacy and security rules as they pertain to patients, and details are set forth on the pages that follow.

I was disappointed, however, with one of the examples given in the model NPP:

• You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
• We will say “yes” to all reasonable requests.

Telephone and snail mail are nice, but many patients would prefer to be in contact with their health care providers via text message or email. Both modes of communication are permitted under HIPAA wth the patient's consent (which may be expressed by simply emailing or texting a provider), but if the NPP doesn't alert patients to that right, then many will never be aware of it.

I know that there are continuity-of-care benefits to maintaining communications in a patient portal so that messages can be accessed by other clinicians in the EHR, but a tool or process may be devised which imports email and SMS communications into the EHR (I've had one doc tell me that she would gladly transcribe the messages herself if her institution would permit email communication with patients) and, in any event, it is the patient's right to use these other modes of communication. The privacy rule permits email communication, and the security rule permits email communication as well. They have for years; this is not a HITECH Act innovation.

One would have hoped that OCR could have brought guidance such as this to the table earlier than one week before the compliance date. There are other deficits in guidance under this rule, too, notably the situation that led to a lawsuit over HIPAA regulations and medication adherence reminders.

Bottom line: The model NPP is a useful tool. Covered entities under HIPAA will need to customize their notices to their own circumstances, and get them ready to roll pronto.

I had proposed to develop a more comprehensive, and patient-focused, form of NPP via the Hacking HIPAA project, though unfortunately — while it attracted some attention — that project didn't get sufficient traction. Even ONC staff thought part of the approach was worthwhile:

Standard legal lang. for patient e-access really would help. Too bad project wasn't funded..what now? @ieslick @fredtrotter @healthblawg

— claudiawilliams (@claudiawilliams) September 8, 2013

Have I mentioned that the compliance date is September 23?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting