§164.520(c)(3) Specific requirements for electronic notice.
(i) A covered entity that maintains a web site that provides information about the covered entity’s customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site.
(ii) A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when made in accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.
(iv) The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.

Audit Inquiry

Does a covered entity that maintains a web site prominently post its notice?

Does the covered entity implement policies and procedures, if any, to provide the notice electronically consistent with the standard?

Determine whether the entity maintains a web site. If so, observe the web site to determine if the notice of privacy practices is prominently displayed and available. An example of prominent posting of the notice would include a direct link from the homepage with a clear description that the link is to the HIPAA Notice of Privacy Practices.
If the covered entity provides electronic notice (such as by linkage to a web page or e-mail), obtain and review the policies and procedures regarding the provision of the notice of privacy practices electronically and the process by which an individual can withdraw their request for receipt of electronic notice.