HIPAA

Could your organization’s website reveal your HIPAA non-compliance?

By Danika Brinda

Did you know that your organization’s website can reveal to the world that you are out of compliance with HIPAA?

A quick look at your organization’s website could reveal to a HIPAA auditor that your organization is struggling with HIPAA compliance. Wondering what I am referring to? The Notice of Privacy Practices!

The regulations state that your organization must ensure that the most current version of your Notice of Privacy Practices is posted on the organization’s website (if one exists). Here is the specific language of the regulations:

CFR 164.520(c)(3)(i) – A covered entity that maintains a website that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on their website and make the notice available electronically through their website.

Go ahead, give it a try. Head out to your organization’s website (or another organization’s). Try to find the Notice of Privacy Practices for the organization. Were you successful, or did you find something called a Privacy Policy instead? If you look through a Privacy Policy, most of the time the language is specific to the privacy practices of the website itself and is not the Notice of Privacy Practices. Keep searching for the Notice of Privacy Practices. If you are unsuccessful at finding it, the basic elements of the regulations are not met. If you found the Notice of Privacy Practices, you are compliant, right? Not necessarily!

Even with your Notice of Privacy Practices posted on your website, you must make sure that the document is your most current version and matches the one available in your office. You also must make sure it meets all the requirements defined in the 2013 HIPAA Privacy Regulations and the 2013 HIPAA Omnibus Rule. If any of the following three statements is true, your website has revealed that you are out of compliance with HIPAA.

  1. Your Notice of Privacy Practices is not posted on your website.
  2. Your Notice of Privacy Practices is dated prior to Sept. 23, 2013.
  3. The Notice of Privacy Practices on your website is not the most up-to-date copy.

If you think the auditors will not be looking at your website to make sure your Notice of Privacy Practices is posted, think again. The OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements states that the covered entity must “upload the URL for the entity’s website and the URL for the posting of the entity’s notice.” In fact, the instructions for the HIPAA auditors state that they must:

“Determine whether the entity maintains a web site. If so, observe the web site to determine if the notice of privacy practices is prominently displayed and available. An example of prominent posting of the notice would include a direct link from homepage with a clear description that the link is to the HIPAA Notice of Privacy Practices.”

Not only does the notice have to be posted on your website, it must also be in a location that is easy to find, with a clear description of the link!

The Notice of Privacy Practices is not a difficult HIPAA requirement to comply with; however, it is a common area of non-compliance. To be compliant with this regulation, the following four items should be established:

  • The organization’s Notice of Privacy Practices
  • A Notice of Privacy Practices policy and procedure
  • An acknowledgment form for the Notice of Privacy Practices
  • Making the notice available on the organization’s website

The specific elements that must be included in the Notice of Privacy Practices are defined in the regulations. More information can be found here.
