HIPAA Notice of Privacy Practices

The HIPAA Notice of Privacy Practices is required under 45 CFR 164.520. This regulation mandates that covered entities, such as healthcare providers and health plans, inform individuals about their privacy rights and how their protected health information (PHI) may be used or disclosed. The notice must be written in plain language, include details on data usage, individual rights, and legal obligations, and be provided to patients at their first service encounter.

Under 45 CFR 164.520, covered entities that maintain a website providing customer services or benefits must prominently post their Notice of Privacy Practices (NPP or Notice) online. If an individual agrees to receive the notice electronically, the entity may provide it via email, but must offer a paper copy upon request. If an email transmission fails, the entity must provide a physical notice. Electronic notices must be timely, aligning with the first in-person or telehealth service delivery.

Separate covered entities that participate in an organized health care arrangement may issue a joint Notice of Privacy Practices if they agree to abide by its terms regarding PHI. The joint notice must:
– Identify the covered entities included in the arrangement.
– Describe the service delivery sites to which the notice applies.
– State that the entities will follow the terms of the joint notice for PHI they create or receive.
– Ensure that providing the notice to an individual by one entity satisfies the requirement for all entities covered by the notice.

Business associates are not required to publish a Notice of Privacy Practices under HIPAA. However, a covered entity must ensure that its business associate’s use and disclosure of protected health information (PHI) align with the covered entity’s privacy policies, as outlined in its own NPP.

The Notice must include disclosures about how a covered entity may use and disclose PHI. The notice must describe permitted uses and disclosures for treatment, payment, and health care operations, along with examples of each. It must also outline situations where PHI may be disclosed without patient authorization, such as public health reporting, law enforcement requests, and health oversight activities. Additionally, the NPP must inform individuals of their privacy rights, including the right to request restrictions, access their records, and file complaints.

The Notice must outline an individual’s rights regarding their protected health information. These rights include:
– Right to Access: Individuals can request and obtain copies of their medical records.
– Right to Request Amendments: They may ask for corrections to inaccurate or incomplete PHI.
– Right to Request Restrictions: Individuals can request limitations on how their PHI is used or disclosed.
– Right to Confidential Communications: They can specify how and where they receive health-related communications.
– Right to an Accounting of Disclosures: Individuals can request a list of entities that have accessed their PHI.
– Right to File Complaints: They can file complaints if they believe their privacy rights have been violated.

A covered entity must outline its legal duties in the Notice to ensure transparency and compliance with HIPAA regulations. These duties include:
– Maintaining the Privacy of PHI: The entity must safeguard PHI and prevent unauthorized disclosures.
– Providing Notice of Privacy Practices: The entity must inform individuals about their privacy rights and how their PHI may be used or disclosed.
– Complying with the Terms of the Notice: The entity must adhere to the privacy practices outlined in the NPP.
– Updating the Notice When Necessary: If privacy practices change, the entity must revise and redistribute the notice.
– Informing Individuals of Their Rights: The entity must explain how individuals can access, amend, or restrict their PHI.

The U.S. Department of Health and Human Services (HHS) provides model Notices of Privacy Practices to help health plans and healthcare providers comply with HIPAA privacy requirements. These models use plain language and approachable designs to improve patient understanding. HHS offers different formats, including booklet-style notices, layered notices, full-page versions, and text-only options, available in English and Spanish.

A medical provider is required to make a good faith effort to obtain a written acknowledgment from a patient confirming receipt of the HIPAA Notice of Privacy Practices. However, patients are not required to sign the acknowledgment, and refusal to do so does not prevent the provider from using or disclosing protected health information as permitted under HIPAA.

A HIPAA Notice of Privacy Practices must be updated and redistributed whenever a material change occurs in a covered entity’s privacy practices. A healthcare provider with a direct treatment relationship with patients must provide the NPP at the first service encounter and make it available upon request. Health plans must distribute an updated NPP within 60 days of a material revision. If the entity maintains a website, the revised notice must be posted online by the effective date of the change. Health plans also need to remind enrollees about the notice’s availability at least once every three years.