Comprehensive Guide to the HIPAA Notice of Privacy Practices

Modified on Wed, 18 Sep at 11:03 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Notice of Privacy Practices
A Notice of Privacy Practices (NPP) is a document that most covered entities (CEs) must implement and distribute. Generally, healthcare providers must provide the NPP to patients, while health plans must provide it to their enrollees. This article covers the required content of an NPP and the other NPP requirements (timing, distribution, acknowledgment, and revision).


What is the Purpose of a Notice of Privacy Practices?
The main purpose of the Notice of Privacy Practices is to describe:

1. The uses and disclosures of protected health information (PHI) that a covered entity is permitted to make.
2. The covered entity’s legal duties and privacy practices regarding protected health information (PHI).
3. An individual’s rights regarding their protected health information.
 

Content of Privacy Notices

An NPP must be written in plain language and contain the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

The Notice must contain the following additional information:

  • A description, including at least one example, of the types of uses and disclosures that the CE is permitted to make for treatment, payment, and health care operations.
  • A description of each of the other purposes for which the covered entity is permitted or required by the HIPAA Privacy Rule to use or disclose protected health information without the individual's written authorization.
  • A statement that:
    • Other uses and disclosures will be made only with the individual's written authorization; and
    • Prior authorizations can be revoked.


The NPP also must:

  • Contain a statement that individuals may complain to the covered entity and to the HHS Secretary if they believe their privacy rights have been violated; a brief description of how the individual may file a complaint with the covered entity; and a statement that the individual will not be retaliated against for filing a complaint.

  • Contain the name, or title, and telephone number of a person or office to contact for further information as required by the HIPAA Privacy Rule.

  • Contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

  • Describe the individual's rights concerning PHI. For example, this includes an explanation that a covered entity must agree to an individual's request to restrict disclosure of PHI to a health plan when the disclosure:

    • Is for payment or health care operations; and
    • Pertains to a health care item or service for which the individual has paid in full, out of pocket.
  • Describe the CE's legal duties and privacy practices regarding PHI. Specifically, the NPP must contain:
    1. A statement that the covered entity is legally required to maintain the privacy of PHI, to provide individuals with notice of its legal duties and privacy practices, and to notify affected individuals following a breach of unsecured PHI.
    2. A statement that the covered entity must abide by the terms of the notice currently in effect.
    3. If the covered entity wishes to apply a change in privacy practices described in the notice to PHI that it created or received before issuing the revised notice, a statement that the covered entity reserves the right to change the terms of the notice and to make the new notice provisions effective for all PHI that it maintains. The statement must also describe how the covered entity will provide individuals with a revised notice. Without this reservation, a changed practice can be applied only to PHI created or received after the revised notice takes effect.



NPP Revision Requirements 
A covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which that material change is reflected.

NPP Requirements for Health Plans
The Notice of Privacy Practices rule imposes special requirements on covered entities that are health plans. Health plans must provide NPPs to:

  • All covered participants and beneficiaries.
  • New enrollees in a plan at the time of enrollment.


In addition, the plan must inform covered plan participants and beneficiaries—at least once every three years—of the availability of an NPP and how to obtain it. If the NPP is provided to a plan's named insured, it is deemed to be provided to all of the named insured's dependents.

Note:
The requirement to inform individuals of the availability of an NPP and how to obtain it at least once every three years applies only to covered entities that are health plans, not to healthcare providers.

As with every covered entity, a health plan must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice (see "NPP Revision Requirements" above).

Method for Providing Privacy Notices
A health plan that distributes its NPPs through the mail may do so as part of another mailing (for example, a mailing that includes the plan's summary plan description). A separate mailing is not required.

Covered Healthcare Providers That Have a Direct Treatment Relationship With an Individual
Covered healthcare providers that have a direct treatment relationship with an individual are subject to specific rules regarding provision of the notice. A direct treatment relationship is a treatment relationship that is not an indirect treatment relationship. 

An indirect treatment relationship is a relationship between an individual and a healthcare provider in which:

(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and

(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Timing of Provision of Notice:
Covered healthcare providers that have a direct treatment relationship with an individual must provide the notice no later than the date of the first service delivery, including service delivered electronically, to the individual, or, in an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation is over.


If the initial contact with the individual is merely to schedule an appointment, the NPP requirements may be satisfied when the individual arrives at the CE's facility for an appointment.


Written Acknowledgment:
Covered healthcare providers that have a direct treatment relationship with an individual must also, except in an emergency situation, make a good-faith effort to obtain a written acknowledgment that the individual received the NPP. If the acknowledgment is not obtained, the covered healthcare provider must document its good-faith efforts to obtain the acknowledgment and the reason why the acknowledgment was not obtained.

If the CE mails the NPP, the CE may include a "tear-off" sheet or other document with the NPP that requests that the acknowledgment be mailed back to the CE.


Note:

A covered healthcare provider with a direct treatment relationship with individuals is required to make a good faith effort to obtain an individual's acknowledgment of receipt of the notice only at the time the provider first gives the notice to the individual -- that is, at first service delivery.


If the covered healthcare provider with a direct treatment relationship maintains a physical service delivery site, the covered healthcare provider must:

(A) Have the notice available at the service delivery site for individuals to request to take with them; and

(B) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice.

Revisions to Notice:
Whenever a covered provider with a direct treatment relationship revises its notice, the provider must make the revised notice available upon request on or after the effective date of the revision. If that covered provider maintains a physical service delivery site, the covered provider must:

(A) Have the revised notice available at the service delivery site for individuals to request to take with them; and

(B) Post the revised notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice.

Specific Requirements for Electronic Notice: 

A CE that maintains a website that provides information about its customer services or benefits must:

  • Prominently post its NPP on the website.
  • Make the notice available electronically through the website.


A CE may provide its NPP to an individual using email, if the individual agrees to electronic notice and that agreement has not been withdrawn. However, if the CE knows that the email transmission has failed, the CE must furnish the individual with a paper copy of the NPP. As with mailed NPPs, a CE that provides its NPP to an individual by email may include additional materials in the email. A separate email is not required.

If the first service delivery to an individual is delivered electronically, a covered entity providing electronic notice must provide that notice automatically and contemporaneously (at the same time) in response to the individual's first request for service.

If the first service delivery with the individual is via phone, the CE may satisfy the notice requirements by mailing the NPP to the individual no later than the day of the first service delivery.


Individuals who receive an electronic notice still have the right to obtain a "paper copy" of the notice from a covered entity upon request. 


Written Acknowledgment:
Covered healthcare providers with a direct treatment relationship that provide the NPP electronically must, except in an emergency situation, make a good-faith effort to obtain a written acknowledgment of receipt of the NPP. Specifically, if the NPP is provided electronically, the provider should make a good-faith effort to obtain a return receipt or other transmission indicating that the individual received the electronic NPP. If the acknowledgment is not obtained, the provider must document its good-faith efforts to obtain the acknowledgment and the reason why the acknowledgment was not obtained.


FAQs

Do Business Associates Need to Implement a Notice of Privacy Practices?
No. The Notice of Privacy Practices requirement applies to covered entities.

Are There Any Covered Entities That Do Not Need to Implement a Notice of Privacy Practices?

Yes.

1. Covered entities that are correctional institutions need not provide inmates with a Notice of Privacy Practices.
2. Healthcare clearinghouses are required to produce a Notice of Privacy Practices only to the extent the clearinghouse creates or receives protected health information other than as a business associate of a covered entity.
3. A group health plan is not required to maintain or provide a Notice of Privacy Practices if it:
   a. Provides health benefits solely through an insurance contract with a health insurance issuer or HMO; AND
   b. Does not create or receive PHI other than summary health information as defined in § 164.504(a), or information on whether an individual is participating in the group health plan or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

Example: Say I am a group health plan. I provide health benefits solely through an insurance contract with a health insurance issuer (say, Oxford). The only PHI I create or receive is:

1. Summary health information;
2. Information on whether an individual is participating in the group healthcare plan; and/or
3. Information on whether an individual is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

Under these circumstances (creating or receiving only the above PHI, and providing health benefits solely through an insurance contract with a health insurance issuer or HMO), I am not required to maintain or provide a Notice of Privacy Practices.

Covered entities that do not meet any of these exceptions (the correctional institution exception, the group health plan exception, or the healthcare clearinghouse exception) are not exempt from the Notice of Privacy Practices rule.

Are Patients Required to Sign the Notice of Privacy Practices?
There is no requirement for an individual to sign a Notice of Privacy Practices. A covered entity may ask that an individual provide their written signature acknowledging receipt, either on the NPP itself, or on a separate form. The signature does not indicate agreement with (or disagreement with, for that matter) the Notice of Privacy Practices or its contents; the signature merely indicates that the individual acknowledges that they have received the NPP.
 

Is a Notice of Privacy Practices Required to Have a Specific Format, Font, Font Size, or Page Size?
No. 


CEs may use a "layered" NPP, if the NPP content rules are met. For example, a CE could provide individuals both:

  • A short notice that briefly summarizes the individual's rights and includes other information.
  • A longer notice, layered beneath the short notice, that contains all of the elements required by the Privacy Rule.


Is There a Sample Notice I Can Use?
The Department of Health and Human Services (HHS) provides four template Notices of Privacy Practices on its website. These are:
