Paubox blog: HIPAA compliant email made easy

What is a layered notice in the Privacy Rule? 

Written by Kirsten Peremore | September 03, 2024

A layered notice is a two-part document that starts with a simple summary of key privacy information followed by a more detailed explanation of all required elements.

 

The notice of privacy practices 

The Privacy Rule requires that covered entities provide a notice of privacy practices (NPP) to ensure that patients are informed from the start of treatment. The document outlines permissible uses and disclosures of PHI and communicates the patient’s rights. Further emphasizing the patient’s control, the NPP guides them on how to file complaints if they believe their rights have been violated. Healthcare providers must distribute the NPP at the first point of service, while health plans must provide it at enrollment and ensure that updates are communicated as needed. 

 

What is a layered notice? 

A layered notice is a way for covered entities to present information about privacy practices more effectively. HHS guidance provides, “Covered entities may use a ‘layered’ notice to implement the HIPAA Privacy Rule’s requirements, so long as the elements required by 45 CFR 164.520(b) are included in the document that is provided to the individual. For example, a covered entity may satisfy the notice requirements by providing the individual with both a short notice that briefly summarizes the individual’s rights…”

The short version helps patients quickly understand the main points, while the longer version offers complete details. Covered entities are not required to use a layered notice, but they are allowed to do so as long as they meet all the requirements outlined in the Privacy Rule. The goal of a layered notice is to make information more accessible and easier to understand. 

 

Best practices for creating a layered notice 

  1. The top layer should be a brief, easy-to-understand summary that discusses the necessary points, such as the individual’s privacy rights, how their information may be used, and how they can exercise their rights. Aim for bullet points or short sentences that make the content quickly scannable.
  2. Choose a simple, clean layout with plenty of white space, readable fonts, and clear headings. Break the text into short sections with bold headers so readers can easily find specific information.
  3. Use icons, infographics, or other visual elements in the short summary to emphasize key points. Visual aids can make information more engaging and easier to retain.
  4. The longer, more detailed layer must include all the elements required by the HIPAA Privacy Rule, such as descriptions of permissible uses and disclosures, individual rights, and how to file complaints. 
  5. Ensure content in the short summary aligns with the detailed information in the longer notice. There should be no contradictions, and both layers should reinforce each other.
  6. Ensure the notice is accessible to individuals with disabilities, including providing alternative formats if needed. Additionally, consider translation into other languages spoken by your patient population.
  7. For digital notices, use hyperlinks or buttons that allow users to jump from the summary to the detailed sections. For printed versions, clear headings and references can guide readers through the document.

 

FAQs

What is the Privacy Rule?

The Privacy Rule is a set of federal regulations under HIPAA that protects the privacy of an individual's health information and outlines the rights and obligations related to that information.

 

Can an NPP be sent digitally? 

Yes.

 

Do patients need to be updated about changes to the NPP?

Yes, patients need to be informed about relevant changes to the NPP, either through direct notification, such as HIPAA compliant email, or by making the updated notice available.