Did you know that in order to be in compliance with section 164 of the Omnibus Rules, your practice needs to have its Notice of Privacy Practices posted on its website? Here is the specific rule language:

CFR 164.520(c)(3)(i): A covered entity that maintains a web site that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on their web site and make the notice available electronically through their web site.

If you think your practice is in the clear because you find a link titled Privacy Policies on your practice’s website, think again. A Privacy Policy usually contains language specific to the privacy of the website, whereas the Notice of Privacy Practices describes the following:

- How the covered entity may use and disclose PHI about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of PHI.
- Whom individuals can contact for further information about the covered entity’s privacy policies.

In addition to addressing the four points above, the Notice of Privacy Rights posted online must be the most up-to-date copy and must be dated after September 23, 2013. This is when the HIPAA Security & Privacy Rules as well as the Omnibus Rules were last dated.