Are health information organizations (HIOs) required to have a HIPAA Notice of Privacy Practices (NPP)?
Generally, no. The HIPAA Privacy Rule’s NPP obligations extend only to HIPAA covered entities and the functions a HIO generally performs do not make it a HIPAA covered entity (i.e., a health plan, health care clearinghouse, or covered health care provider). See 45 C.F.R. § 160.103 (definition of “covered entity”). However, while a HIO does not itself have a HIPAA obligation to provide a NPP to individuals, the Privacy Rule permits covered entities that participate in electronic health information exchange with the HIO to provide notice to individuals of the disclosures that will be made to and through the HIO and through the network, as well as how individuals’ health information will be protected by the HIO.