Policy/Memo 115

Number: Policy Memo 115
Date Issued: April 14, 2003
Policy File Ref: A1810
Subject: HIPAA Privacy Policy and Administrative Requirements, Notice of Privacy Practices

PURPOSE:

To issue instructions to EBD workforce members regarding the division’s Notice(s) of Privacy Practices.

Policy:

EBD will maintain a Notice of Privacy Practices (NPP) as required for the group health plans covered by HIPAA. NPPs shall be maintained for:

  • The Empire Plan, NYSHIP-participating Health Maintenance Organizations, Dental Program, and Vision Plan (combined notice); and
  • NYPERL℠ Long Term Care Program.

EBD will not maintain NPPs for the Management Confidential Life Insurance Program and the Income Protection Plan because these benefits are not covered under HIPAA.

The NPPs will describe in plain language the plans’ uses and disclosures of protected health information. The NPP will also explain individuals’ rights under HIPAA and the plans’ obligations with respect to protected health information. Notices will include instructions on obtaining further information about EBD’s privacy policies and on filing complaints for privacy rights violations.

EBD will ensure current NPPs by revising them as necessary upon material change to associated policies and procedures. EBD will retain copies of each NPP version created and distributed.

EBD shall provide the appropriate NPP(s) to any person upon request according to the HIPAA Privacy Rule specifications.

Procedure:

Requests for Notices
Individuals may obtain a Notice of Privacy Practices by:

  • Printing it or saving an electronic copy from the Public Web site;
  • Calling the EBD Call Center; or
  • Submitting a written request to EBD.

NPPs will also be available on the HBA and EBD Web sites.

EBD staff who receive requests for NPPs should verify the requestor’s address and forward the request to the Operations Support Unit. Support Unit staff shall mail the appropriate Notice(s) via first class mail.

If an individual requests a copy of a Notice of Privacy Practices for one of the contracted insurers or HMOs, EBD staff will provide the individual with the phone number, Web site or address of the insurer or HMO.

Revisions to Notice
The EBD Privacy Official will determine if revisions to the current NPP are required when changes are made to the division’s privacy policies or procedures or when HIPAA Privacy Regulations are amended. When an NPP is revised, the required effective date on the notice will contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published. The EBD Privacy Official will ensure that the revised NPP is available on the Web site(s) and that copies are available upon request on or before the effective date of the revision. Outdated NPP versions will be removed from general access and replaced with current NPPs. Requests for outdated NPP versions should be forwarded to the Privacy Official.

Documentation
EBD will retain copies of each NPP version created and distributed. All NPPs will be retained for a period of six (6) years from the date last in effect.