Notice of Privacy Practices (HIPAA)
Under HIPAA, every patient must receive a Notice of Privacy Practices that specifies the individual's legal rights, and the covered entity's legal duties, with respect to protected health information (PHI). A covered entity must also make its Notice available upon request to any person.
The specifics of the Notice requirements depend on the type of covered entity involved. A health plan must provide its Notice:
- no later than
the compliance date for the health plan, to individuals
then covered by the plan;
- thereafter,
at the time of enrollment, to individuals who are new enrollees;
and
- within 60 days
of a material revision to the Notice, to individuals then
covered by the plan.
No less frequently
than once every three years, a health plan must notify individuals
then covered by the plan of the availability of the Notice
and how to obtain it.
A health plan satisfies
the requirements if:
- the Notice
is provided to the named insured of a policy under which
coverage is provided to the named insured and one or more
dependents;
- where it has
more than one kind of Notice, the version that is relevant
to the individual or other person requesting the Notice
is provided.
Group health plans
must provide Notices to members unless
- the health benefits
they receive are provided solely through an insurance contract
with a health insurance issuer or an HMO; and
- the plan receives
nothing more than summary health information from the insurance
issuer or HMO.
Health insurance
issuers and HMOs, as well as health plan sponsors that receive
other than summary information, must provide Notices on a
similar timetable.
Health care providers that have a direct treatment relationship with an individual must:
- provide a Notice no later than the date of the first service delivery, including service delivered electronically, after the compliance date; and
- make a good faith effort to obtain the individual's written acknowledgment of receipt of the Notice and, if the acknowledgment is not obtained, document the good faith efforts made and the reason it was not obtained.
(Other types of covered entities are not required to obtain an acknowledgment, but can do so if they choose.)
If the provider maintains a physical service delivery site, it must:
- have copies of the Notice available there for individuals upon request; and
- post the Notice "in a clear and prominent location where it is reasonable to expect individuals seeking service" to see it.
Whenever its Notice
is revised, the provider must make available and post the
current version on or after the effective date of the revision.
If the first service
is electronic, the provider's Notice must be provided contemporaneously
with that service (and the systems must have a mechanism for
capturing acknowledgment of receipt electronically).
If a covered entity
of any kind has a web site, the site must offer the ability
to download a copy of the Notice.
The privacy regulations
specify the components of the Notice in some detail -- including
that it be written in "plain language." With the
exception of the first of the nine requirements listed below,
however, the regulations do not specify the order of the required
content.
Since all the content
requirements add up to a very long document, DHHS has indicated
that the Notice provisions can be satisfied by providing the
individual with both a short Notice that briefly summarizes
the individual's rights, as well as other information; and
a longer Notice, layered beneath the short Notice, that contains
all the required elements.
(DHHS has also taken the position that "[n]othing relieve[s] a covered entity of its duty to provide the entire Notice in plain language so the average reader can understand it.")
First, the Notice
must include the following "prominently displayed"
heading:
THIS NOTICE DESCRIBES
HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW
IT CAREFULLY.
Second, it must contain:
- a description, including at least one example, of the types of uses and disclosures of PHI that the covered entity is permitted to make for treatment, payment and health care operations;
- a description, again including examples, of the other purposes for which uses or disclosures of PHI may be made, identifying whether the individual's additional authorization is required for each;
- a description of prohibitions on or limitations of uses and disclosures stemming from "more stringent" state laws that are not preempted by HIPAA; and
- a statement that any other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization.
Each of these descriptions must "include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by [HIPAA] and other applicable law."
Third, if the covered
entity intends to engage in any of the following activities,
its Notice must also provide a separate, sufficiently detailed
description:
- contacting the
individual to provide appointment reminders;
- providing information about treatment alternatives or other health-related benefits and services that may be of interest (cf. marketing limitations);
- contacting the
individual for fundraising
activities on behalf of the covered entity; or
- for group health
plans, or health insurance issuers or HMOs with respect
to a group health plan, disclosures of PHI to the sponsor
of the plan.
Fourth, the Notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise them. This includes the right to:
- request
restrictions on certain uses and disclosures of PHI,
including a statement that the covered entity is not required
to agree to a requested restriction;
- receive the
Notice of Privacy Practices electronically or on paper upon
request.
Fifth, the Notice must specify the covered entity's duties with respect to protected health information, including statements that it is required to:
- maintain the
privacy of PHI and to provide individuals with notice of
its legal duties and privacy practices with respect to PHI
(i.e., the Notice itself);
- abide by the
terms of the Notice currently in effect; and
- provide notification
to individuals if it changes the terms of its handling of
PHI.
The last of these must include a description of how it will provide individuals with a revised Notice. Note that:
- the covered entity must promptly revise and distribute its Notice of Privacy Practices whenever there is a material change to the use or disclosure practices, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the Notice;
- except when required by law, a material change to any term of the Notice may not be implemented prior to the effective date of the Notice in which such material change is reflected.
Sixth, the Notice
must contain a statement that individuals may complain to
the covered entity and/or to the Secretary of DHHS if they
believe their privacy rights have been violated. This includes:
- a brief description
of how the individual may file a complaint with the covered
entity, and a statement that the individual will not be
retaliated against for filing a complaint;
- the name, or
title, and telephone number of a person or office to contact
for complaints, or for further information. Normally this
will be the covered entity's privacy
office/officer.
Seventh, the Notice
must contain the date on which it is first in effect, which
may not be earlier than the date on which the Notice is printed
or otherwise published.
Eighth, if a covered
entity elects to restrict its information practices beyond
what HIPAA and any other applicable federal or state laws
require, it must describe these limitations in the Notice.
(The entity cannot limit uses or disclosures that are otherwise
required by law or explicitly permitted by the regulations.)
Ninth, covered
entities that participate in organized health care arrangements
may comply with the requirements by a joint Notice, provided
that:
- it describes
with "reasonable specificity" all the entities,
service delivery sites and classes of service that are covered
by the joint Notice, and any PHI sharing among these that
may occur;
- all participating
entities do in fact agree to abide by identical information
practices for these sites and services; and
- the joint Notice
meets all of the other content and notification requirements
above.
HIPAA allows the
Notice to be delivered via electronic mail, if an individual
agrees to that form. If the e-mail transmission fails, a paper
copy of the Notice must be sent. The individual also retains
the right to obtain a paper copy upon request.
Notices distributed
on paper through the mail may be part of another mailing to
the individual. (Electronic mailings of Notices may also include
additional materials.) However, the regulations prohibit a
covered entity from combining its Notice in a single document
with an authorization.
A covered entity
must document compliance by retaining copies of all versions
of the Notice and acknowledgments of receipt of it (including
documentation of failure to obtain acknowledgment) for the
standard records retention
period.
Note, finally,
that an inmate does not have a right to Notice, and the requirements
of this section do not apply to a correctional institution
that is a covered entity.