A HIPAA Notice of Privacy Practices is a notice that explains to individuals how their Protected Health Information (PHI) can be used or disclosed by a HIPAA covered health plan, pharmacy, or healthcare provider. The notice also explains what rights individuals have under HIPAA and how individuals can exercise their rights.

Additionally, a HIPAA Notice of Privacy Practices must include a statement relating to the covered entity’s legal duties and privacy practices with respect to PHI – making it clear that the covered entity is required by law to protect the privacy of health information, provide individuals with a Notice, and follow the terms of the Notice.

However, although the content of a HIPAA Notice of Privacy Practices must comply with §164.520 of the Privacy Rule, it is rare to find two notices that are the same. This article looks at why differences exist between Notices, and provides a Notice of Privacy Practices template covered entities can adopt to meet their specific requirements.

HIPAA Notice of Privacy Practices Requirements

HIPAA §164.520 stipulates what must be included in a Notice of Privacy Practices when it is provided to an individual. Although the HIPAA Notice of Privacy Practices requirements can vary depending on the nature of a covered entity’s activities, the basics that must be included in a Notice of Privacy Practices are the same:

  • The Notice must include how the covered entity may use and disclose health information for treatment, payment, and health care operations, and include an example of each type of use or disclosure.
  • It must also include a list of uses and disclosures the covered entity is permitted to make subject to certain restrictions (for example, the minimum necessary standard) or subject to the individual not opting out.
  • There must also be a section explaining that all other uses and disclosures of health information are subject to the individual’s authorization and that the individual has the right to revoke their authorization at any time.

With regards to individuals’ rights, the HIPAA privacy notice requirements state individuals must be told they can request access to and copies of their health information, request amendments to their health information in the event of any omissions or inaccuracies, and request an accounting of disclosures.

It must be explained in the Notice how individuals can exercise their rights, and how they can request restrictions on uses and disclosures of their health information or how they can request to be contacted by alternate means. Individuals should also be informed they will be notified in the event their health information is compromised.

The Notice must explain individuals’ rights to make a complaint if they feel their privacy rights have been violated, that their health information has been improperly accessed, used, or disclosed, or that they have concerns about the covered entity’s privacy practices. The contact information for the person or office to whom a complaint can be made must also be included.

Why Differences Exist in HIPAA Privacy Notices

Differences exist in HIPAA Privacy Notices because different health plans, pharmacies, and healthcare providers use and disclose health information in different ways. For example, a health plan would not disclose health information to organize the transportation of a patient to hospital, and a healthcare provider would not disclose health information for underwriting purposes.

Additionally, some healthcare providers may be permitted to disclose health information within a Health Information Exchange or Organized Health Care Arrangement. In these circumstances, these permitted disclosures must be included in the HIPAA Privacy Notice, as must any required disclosures if a state law mandates the disclosure of certain types – or causes of – injury.

Differences in HIPAA Privacy Notices may also exist if a covered entity chooses to include more information than is required by §164.520 of the Privacy Rule. For example, one HIPAA Privacy Notice may include an explanation of the minimum necessary standard, while another might include a section on the entity’s policy for communicating via unsecure communication channels.

HIPAA Notice of Privacy Practices Template

Despite there being no one-size-fits-all Notice, Healthcare Compliance Journal has prepared a HIPAA Notice of Privacy Practices template that visitors are invited to download and customize as necessary. The template includes all the Notice of Privacy Practices requirements mandated by §164.520 and includes an example of how covered entities may choose to address the risk of unsecure electronic communications.

The template will be suitable for most covered entities. However, it will be necessary to customize the template if a state law preempts HIPAA, if a covered entity participates in a Health Information Exchange or Organized Health Care Arrangement, or if patients are provided with connected mobile apps (authorization is required before health information collected by apps can be disclosed).

If you experience challenges in customizing the HIPAA Notice of Privacy Practices template, or have questions regarding how or when an individual should receive a copy of the Notice of Privacy Practices, it is recommended you seek professional compliance advice. The failure to provide a HIPAA Notice of Privacy Practices when required is a violation of the HIPAA Privacy Rule.

Download HIPAA Notice of Privacy Practices Template
(Word document, 48Kb)