American Osteopathic Association

Advancing the distinctive philosophy and practice of osteopathic medicine

 

Updating HIPAA Notice of Privacy Practices

Aug. 8, 2013

On Jan. 25, 2013, Health and Human Services made changes to the existing Health Insurance Portability and Accountability Act (HIPAA). You must comply with these changes by Sept. 23, 2013. The only exception relates to updating existing Business Associate Agreements (BAA). The compliance date for making BAA agreement updates is Sept. 23, 2014.

Physicians must update their Notice of Privacy Practices to reflect several changes. With this in mind, the AOA provides the following guidelines and templates to help inform the process:

What is a Notice of Privacy Practices?

A document that health care providers and other covered entities must develop in order to inform patients about their rights surrounding the protection of their Protected Health Information (PHI).

The patient's written acknowledgment of receipt of the Notice of Privacy Practices must be obtained on the date the first service is rendered to the patient. However, a practice is not required to obtain the patient's written acknowledgment of receipt of the Notice of Privacy Practices under the following circumstances:

  • In the event of an emergency; though the practice must use reasonable efforts to obtain such acknowledgment as soon as reasonably practicable after the emergency.

  • If a patient refuses to sign the acknowledgment and the practice documents such refusal. If written acknowledgement of the receipt of the Notice of Privacy Practices is not obtained, then the practice must document its efforts to do so. The practice may not deny medical treatment for failure to sign an acknowledgment of receipt of the Notice of Privacy Practices. The practice may use and disclose the patient's PHI in accordance with the Privacy Rule and state law regardless of the patient's refusal to sign an acknowledgment.

Implementing a Notice of Privacy Practices 

Your practice must implement and maintain an official Notice of Privacy Practices to inform patients about their rights surrounding the protection of their PHI. This notice must be displayed in an area of the office where patients will readily see it, such as in the waiting room or reception area, and must be given to patients the first time services are rendered.

This notice is long due to the complexity required by the regulation itself. A written summary alone would not be acceptable because it would require the omission of language that protects your practice. 

Patient Rights

Under HIPAA, an individual has the following rights with regard to his/her PHI:

  • The right to authorize the use and disclosure of PHI for certain non-Treatment, Payment and Operations (TPO) purposes and for psychotherapy notes.

  • The right to receive a copy of the practice's Notice of Privacy Practices.

  • The right to request restrictions on certain uses and disclosures of PHI.

  • The right to request restrictions on how the practice communicates PHI to the patient.

  • The right to inspect and copy PHI.

  • The right to request an amendment of PHI.

  • The right to an accounting of the disclosures of PHI made by the covered entity for purposes other than TPO and not pursuant to a valid authorization.

  • The right to complain about alleged violations to the practice and DHHS. 

Developing and Distributing the Notice of Privacy Practices 

  1. Photocopy and distribute the Notice of Privacy Practices to patients on the day services are first rendered. If you offer a patient the opportunity to receive a copy of the Notice of Privacy Practices via email and the patient accepts, you may distribute a copy of the notice via email to an email address that they provide. However, if you receive confirmation that your attempt to provide the Notice of Privacy Practices via email has failed, you must deliver a paper copy of the Notice of Privacy Practices to the requesting individual.

  2. Use best efforts to obtain written acknowledgement from the patient that he/she has received a copy of the Notice of Privacy Practices. If you are unable to obtain such authorization, your efforts must be documented in the chart notes and a reason given for not obtaining the acknowledgement.

  3. Post the Notice of Privacy Practices in an area in your practice where it is clearly visible to patients. If it is revised, the revised version must be distributed to each patient upon his or her request and posted prominently in the practice.

  4. If your practice has a website that describes its services and benefits, a copy of the Notice of Privacy Practices must be posted on the website.

  5. Create an electronic copy of the Notice of Privacy Practices in a “read only” version that can only be modified by the Privacy Officer.

  6. Some clauses have been defined in the Privacy Rule as “Optional.” Include the “Optional” clauses only if they are applicable to your practice.

  7. You must provide your Notice of Privacy Practices to all patients no later than the first delivery of service. Non-patients also have the right to obtain a copy.

  8. If you want to put more stringent restrictions than legally required on how you use and disclose PHI, you may do so, according to the HIPAA Privacy Rule. However, the restrictions cannot infringe upon the uses and disclosures that are required by the Privacy Rule.

  9. If you are applying greater limits on uses and disclosures of PHI than previously stated, a statement acknowledging this change must be included in a revised Notice of Privacy Practices.

  10. Although you are permitted to revise your Notice of Privacy Practices (so long as it continues to comply with the Privacy Rule), you must reserve this right in writing in your Notice of Privacy Practices. The Notice of Privacy Practices provided to you reserves this right to you; be sure not to remove it.

  11. Whenever there is a change that needs to be made to the Notice of Privacy Practices, such as to the uses and disclosures of PHI, to the individual patient's rights or to the practice's legal duties, the practice must revise and have available for redistribution the Notice of Privacy Practices to its patients in a timely manner. There is no requirement to mail or otherwise send the revised notice to patients.

  12. You must retain a complete copy of each version of the Notice of Privacy Practices for six years. Accordingly, if a Notice of Privacy Practices is superseded by a new version, you only need to keep the old version for six years.

  13. If you maintain a website that provides information to patients, you must post the Notice of Privacy Practices on your website. The Notice of Privacy Practices can also be provided by email. However, the patient must agree before this notice can be sent electronically.

Templates

Please Note: These documents are templates only. They do not reflect the requirements of your state's laws. You should consult with advisors (your state or local medical or specialty society, association or legal or other counsel) familiar with your state's privacy laws prior to using these documents:

 

 
