—Steven M. Harris, Esq.
In my May 2013 article, “HIPAA Changes,” I noted that as part of the recent changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), health care providers are required to update their “Notices of Privacy Practices.”
If you are a health care provider (e.g., medical practice, physician, hospital) and either do not have a Notice of Privacy Practices or have not updated your Notice of Privacy Practices in 2013, now is the time to get compliant. Failure to have an updated Notice of Privacy Practices by September 23, 2013 is a violation of HIPAA and could result in fines and penalties.
In January 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued an omnibus final rule (Final Rule) implementing various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule revises HIPAA, and included in that rule are requirements affecting Notices of Privacy Practices.
What is a “Notice of Privacy Practices”?
A Notice of Privacy Practices is a written notice that health care providers are required under HIPAA and the HITECH Act to provide to patients that explains the patients’ rights as they relate to their health information and the privacy practices of the health care provider. Notices of Privacy Practices are intended to inform patients of their privacy rights, and to encourage patients to have discussions with their health care providers about these rights.
What Must Be Included in Notices of Privacy Practices?
Health care providers are required to provide patients with a Notice of Privacy Practices that is written in plain language and includes a number of elements.
First, Notices of Privacy Practices must describe how the health care provider can use and disclose a patient’s protected health information. A new change imposed by the Final Rule mandates that Notices of Privacy Practices include a description of certain types of uses and disclosures of protected health information that require an authorization. Now, Notices of Privacy Practices must explicitly state that if a health care provider will use or disclose a patient’s health care information for marketing purposes or in a sales transaction (receipt of remuneration in exchange for patient health information), or if such health information includes psychotherapy notes, then the health care provider must first obtain an authorization. Further, the authorization must explicitly acknowledge that remuneration is involved.
Second, Notices of Privacy Practices must contain a statement of the patient’s rights with respect to his or her health information and how the patient can exercise these rights. Such rights include the right to 1) request restrictions on certain uses and disclosures of a patient’s health information; 2) receive confidential communications of a patient’s health information; 3) inspect and copy records containing a patient’s health information; 4) amend such records; 5) receive an accounting of disclosures of a patient’s health information; and 6) receive a paper copy of the Notice of Privacy Practices.
Third, Notices of Privacy Practices must identify the health care provider’s legal duties with respect to patients’ protected health information by including a statement that the health care provider is required by law to maintain the privacy of protected health information. A new change imposed by the Final Rules mandates that Notices of Privacy Practices include a statement that the health care provider notify the patient in the event of a breach of the patient’s unsecured protected health information.
Also, Notices of Privacy Practices must include a statement explaining how patients can submit complaints regarding their privacy rights, and whom patients can contact for more information about the health care provider’s privacy policies.
Implementing and Revising the Notice of Privacy Practices
Absent an emergency situation, health care providers with direct patient contact must make the Notice of Privacy Practices available to patients no later than when service is first delivered to the patient. Health care providers with a physical service delivery site must have the Notice of Privacy Practices available onsite and posted in a clear and prominent location. In addition, if the health care provider has a website that includes information about the services offered, the Notice of Privacy Practices must also be prominently posted on the website.
Whenever the Notice of Privacy Practices is revised, the health care provider must promptly distribute the updated version to patients. The Notice of Privacy Practices must be available to patients upon request on or after the effective date of the revision, and shall be available onsite at the facility and posted in a clear and prominent
location. If a website is maintained, the updated Notice of Privacy Practices will also need to be posted on the website.
Health care providers are required to make a good faith effort to obtain a written acknowledgement from the patient that he or she received the Notice of Privacy Practices. If the Notice of Privacy Practices has been revised since the patient’s last written acknowledgment, a new written acknowledgment from the patient should be obtained. If a written acknowledgment is not obtained, the health care provider should document the good faith efforts to obtain the acknowledgment and the reason why it was not obtained.
Now is the time to get compliant. If you either do not have a Notice of Privacy Practices or have not updated your Notice of Privacy Practices to include the changes mandated by the Final Rule, you must do so before the September 23, 2013 deadline. Contact a health attorney experienced in HIPAA and HITECH Act matters to create a Notice of Privacy Practices for your practice.
Steven M. Harris, Esq., is a nationally recognized health care attorney and a member of the law firm McDonald Hopkins, LLC. He may be reached at email@example.com.
Reprinted with permission from the American College of Rheumatology.