HIPAA Q & A from HcPro

Q: HHS guidelines require us to notify individuals of the availability of our Notice of Privacy Practices (NPP) and how they may obtain a copy at least once every three years. Must we ask individuals to sign a new NPP acknowledgment of receipt every three years?

A: NPP requirements differ for health plans and healthcare providers. Health plans must give their notices to new enrollees at the time of enrollment. They must also send reminders to all enrollees at least once every three years that the NPP is available upon request. Health plans are not required to obtain a signed acknowledgment of receipt of the notice.

A health plan that makes material changes to its NPP must provide the revised notice within 60 days to individuals who the plan covers.

A healthcare provider that has direct treatment relationships must:

  • Provide its NPP to patients no later than the first service encounter
  • Post its NPP at every service delivery site
  • Make a good-faith effort to obtain patients' written acknowledgment of receipt of the NPP

When healthcare providers make material changes to their NPPs, they must make their notices available on request and post and distribute revised notices at service delivery sites. Both health plans and healthcare providers must provide their NPP to anyone upon request, as well as make their notices available electronically on any Web site they maintain for the purpose of providing customer service or benefits information.


Have questions? I’m here to help.