[ Friday, March 20, 2009 ]
NoPP on CD:
Just received a fairly interesting question on the requirement to deliver a notice of privacy practices (NoPP). HIPAA requires covered entities to provide them to the people whose health information the covered entity will be handling (patients of providers, beneficiaries of health plans). For health plans, they must give the NoPP on first subscription, then every 3 years must either provide another copy or at least remind the beneficiary where they can get another copy. Covered entities are allowed to send a copy by email if the recipient agrees, but must provide a "paper copy" if the covered entity knows the email transmission failed.
What if a health plan gives out a CD to all beneficiaries with health plan information on it, including the NoPP? Does that count as delivery, or must they deliver a paper copy? Do they need specific consent from the employee/beneficiary for this delivery (it's not "email")? Must they ask each recipient if getting a copy on CD is acceptable, or can they just deliver the CD and give a paper copy to any recipient who says they can't use the CD?
In my opinion, delivering a NoPP on a CD is delivering a NoPP for HIPAA purposes, unless the circumstances indicate that would be unreasonable. If the recipients are office workers who deal with computer technology on a regular basis, delivering a document on CD is no different than delivering a paper version (ecologically, it might be better). If you're making the delivery to nomadic Hutu tribesmen, not so much.
Jeff [11:52 AM]
Blogger: HIPAA Blog - Edit your Template