Notice of Privacy Practices and HIPAA

The HIPAA Notice of Privacy Practices is one of the many requirements under the general umbrella of HIPAA. In fact, many organizations forget that not only is the Notice of Privacy Practices itself required, but so are the policies and procedures that support it. In this post, we analyze the requirements and common questions regarding the Notice of Privacy Practices that is required for all covered entities, business associates, and subcontractors.

What is the Notice of Privacy Practices?

The Notice of Privacy Practices is a document provided to patients or customers that explains how their medical information is used. In fact, the regulations require a header on each Notice of Privacy Practices that explains what the document is. To understand the document, it helps to understand its goals. The goal is to (a) describe to the patient how their medical information is used; (b) describe to the patient how their medical information is disclosed; and (c) describe to the patient how they can get access to this information. In a nutshell, it lets patients know exactly what you, as an organization, will be doing with their medical information!

Must All Patients and/or Customers Receive This Document?

Actually, no. Although most individuals have the right to adequate notice of the uses and disclosures of protected health information, there are exceptions. The first exception is for individuals in a group health plan. This does not absolve organizations from the Notice of Privacy Practices but actually puts additional requirements on group health plans. So although this is technically an exception, it is less an exception and more a tweak to the requirements. The true exception relates to inmates and correctional institutions that are covered entities. In short, if your correctional institution is a covered entity, the Notice of Privacy Practices does not apply to your organization’s situation.

What is Required in the Notice of Privacy Practices?

A lot! However, we will take this one by one. First, there needs to be a header statement in the following format:

  • “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

Second, the following items must be contained in the Notice of Privacy Practices; generally, they describe the actual uses and disclosures:

  • A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by HIPAA to make for each of the following purposes: treatment, payment, and health care operations.
  • A description of each of the other purposes for which the covered entity is permitted or required by HIPAA to use or disclose protected health information without the individual’s written authorization.
  • If a use or disclosure for any purpose described in the first two prongs above is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law. This is a reference to the fact that State law may be more stringent than HIPAA and, where it conflicts with the first two descriptions above, must be included.
  • For each purpose described in the first two prongs, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by HIPAA and other applicable law.
  • A description of the types of uses and disclosures that require an authorization, a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization.

Third, in the event a covered entity engages in the following activities, the description required for the first prong above must include a separate statement informing the patient or customer of the following:

  • The covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;
  • The group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; or
  • If a covered entity that is a health plan, with some exclusions, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.

Fourth, the Notice of Privacy Practices must include information specifically related to individual rights. This information includes the following:

  • The right to request restrictions on certain uses and disclosures of protected health information as allowed by HIPAA, including a statement that the covered entity is not required to agree to a requested restriction, except in situations in which it is required by HIPAA;
  • The right to receive confidential communications of protected health information as provided by HIPAA;
  • The right to inspect and copy protected health information as provided by HIPAA;
  • The right to amend protected health information as provided by HIPAA;
  • The right to receive an accounting of disclosures of protected health information as provided by HIPAA; and
  • The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.

Finally, the Notice of Privacy Practices must include the following information related to the covered entity’s duties, complaints, contact information, and effective date:

  • A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;
  • A statement that the covered entity is required to abide by the terms of the notice currently in effect;
  • For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice;
  • The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint;
  • The notice must contain the name, or title, and telephone number of a person or office to contact for further information; and
  • The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

To Whom Must the Notice of Privacy Practices Be Provided?

The Notice of Privacy Practices must in general be available to any person. Health plans, however, must provide the Notice of Privacy Practices to their members, and there are specific requirements for doing so. In addition, a covered health care provider that directly treats patients must provide the notice on the first date of service delivery or, in the event of an emergency, as soon as reasonably possible.

What Happens if We Make Revisions to the Notice of Privacy Practices?

If revisions are made that would be considered a material change, the notice must be redistributed. Keep in mind, though, that a material change cannot be implemented prior to the effective date of the revised notice.

In conclusion, the Notice of Privacy Practices is a straightforward area, but it has some very grey issues. For more information on the Notice of Privacy Practices regulations, see the linked regulatory text.