What is a HIPAA Notice of Privacy Practices?

Modified on Thu, 14 Dec 2023 at 08:51 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.



The HIPAA Privacy Rule requires health plans and healthcare providers to develop and distribute a Notice of Privacy Practices (NPP). The Privacy Rule covers when the notice must be provided, what form the notice may take, what must be in the notice, and when the notice must be updated.


What Information Must the HIPAA Notice of Privacy Practices Contain?

Under HIPAA regulations, covered entities are generally required to provide individuals with a Notice of Privacy Practices in plain language that contains the following information:

  1. The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

  2. A description (with examples) of how PHI can be used for treatment, payment, and health care operations. 

  3. A description (with examples) of the types of uses and disclosures of PHI that require the patient’s written authorization.

  4. A description of the circumstances in which the covered entity may use or disclose PHI without written authorization. A covered entity may use or disclose PHI without authorization for a number of purposes, such as for public health purposes, health oversight activities, and judicial proceedings.

  5. The name, title, and phone number of a person or office to contact for further information or questions about the notice.

  6. The date on which the notice is first in effect (Note that this information is not the same as an “expiration date.” There is no requirement for an NPP to have an expiration date, nor is there a requirement that it be re-issued or revised annually. Revision requirements are discussed below).

  7. A statement that an individual may revoke an authorization.


Patient Rights Information

The notice must also contain a statement of the patient’s rights with respect to PHI. These rights include:

  1. The right to request restrictions on certain uses and disclosures of PHI.

  2. The right to receive confidential communications of PHI, as permitted by law.

  3. The right to inspect and copy PHI.

  4. The right to amend PHI, as permitted by law.

  5. The right to receive an accounting of disclosures of PHI.

  6. The right of an individual to obtain a paper copy of the notice, upon request.

  7. The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated. 


The notice must also contain a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.


Information About Covered Entity Duties

The notice must contain information regarding the covered entity’s duties with respect to PHI. The required information includes:

  1. A statement that the covered entity is required by law to maintain the privacy of PHI.

  2. A statement that the covered entity must provide individuals with notice of its legal duties and privacy practices with respect to PHI.

  3. A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.

  4. A statement that the covered entity must abide by the conditions of the notice currently in effect.

When Must the Notice be Provided?

Providers typically give the notice to patients at their first appointment with the provider. In the event of an emergency, the provider must give the notice to the patient as soon as possible after the emergency.


A covered healthcare provider that has a direct treatment relationship with an individual must provide the notice: No later than the date of the first service delivery (including service delivered electronically) to such individual; or, in an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation. 


A covered healthcare provider that has a direct treatment relationship with an individual must also, except in an emergency treatment situation, make a good-faith effort to obtain a written acknowledgment of receipt of the notice. If the provider cannot obtain the written acknowledgment of receipt of the notice, the provider must document its good-faith efforts to obtain such an acknowledgment and the reason why the acknowledgment was not obtained.

Covered healthcare providers who have a direct treatment relationship with patients, and who maintain a physical delivery site, must have the notice available at the service delivery site for individuals to request to take with them. These providers must also post the notice in a clear and prominent location, where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read the notice.

When covered healthcare providers who have a direct treatment relationship with patients revise the notice, these providers must make the notice available upon request on or after the effective date of the revision. 


Electronic Notice Requirements for Covered Entities

A covered entity that maintains a website that provides information about the covered entity's customer services or benefits, must prominently post its notice on the website and make the notice available electronically through the website. 


A covered entity may provide the NPP to an individual by email, if the individual first agrees to electronic notice, and such agreement has not been withdrawn. If the covered entity knows that the email transmission has failed, a paper copy of the notice must be provided to the individual. 


If the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service.

Requirements for Health Plans

A health plan must give its notice to individuals at the time of enrollment. It must also send a reminder at least once every three years that enrollees can ask for the notice at any time.


A health plan can give the notice to the “named insured” (subscriber for coverage). It does not also have to give separate notices to spouses and dependents.


When Must the Notice of Privacy Practices be Updated?

A covered entity is required to promptly revise its notice whenever it makes a material change to any of its privacy practices, and it may not implement the material change before the effective date of the revised notice. A covered healthcare provider with a direct treatment relationship must make the revised notice available on request (and, if it maintains a physical service delivery site, post the revised notice there). A health plan must distribute the revised notice, or information about the material change and how to obtain the revised notice, to covered individuals within 60 days of the material revision.


