Most healthcare practices covered under the HIPAA Privacy Rule have had their Notice of Privacy Practices (NPP) in place since the law took effect in 2003. What many organizations may not realize is that the language in the Notice must be updated to reflect new information required under the Omnibus Rule. The mandated changes to the NPP took effect in 2013.
Your Notice of Privacy Practices must inform your patients of the following:
1. The ways protected health information may be used and disclosed, including:
For treatment
Payment for services
Conducting healthcare operations
Public and health safety response
Research
Complying with the law
Responding to organ and tissue donor requests
Working with a medical examiner or funeral director
Addressing workers’ compensation, law enforcement, and other government requests
Replying to lawsuits and legal actions
2. Patient rights:
Right to receive an electronic or paper copy of their healthcare records
Right to request a correction of their healthcare records
Right to request confidential communications
Right to a limit on using and sharing certain PHI
Right to a list (accounting) of uses and disclosures
3. Choices in how their PHI is shared:
Family members and friends
Disaster relief
Hospital directory
Mental health care
Marketing
Fundraising
Health plans, if allowable by law and services are paid for out-of-pocket and in full
4. The right to receive a copy of the Privacy Notice
5. Complaint contact information:
The practice Privacy Officer
The U.S. Department of Health and Human Services Office for Civil Rights
6. The responsibilities of the practice:
To maintain the confidentiality of PHI
To comply with breach notification protocols according to the law
Not to share or use PHI for purposes other than as described in the Notice unless written permission is obtained
7. Changes to the terms of the Notice will be made available in the office, on the practice website, and upon request, and
8. State-specific health privacy disclosure restrictions
Copies of your Notice of Privacy Practices must be offered to all new patients, and a signed acknowledgement of receipt should be retained in their record. It is not necessary to obtain another signed acknowledgement from existing patients who have already received a Notice. Secondly, a copy of the latest Notice must be displayed in a clear and prominent location within the office, such as the waiting room or a similar location. Lastly, if applicable, be sure to post your latest NPP on your website.