Notice of Privacy Practices: Get it Right!
By: Dr. Jeff Brown
The Notice of Privacy Practices document patients sign is likely the one, and only, well-understood HIPAA requirement. However, based on my experience working with hundreds of healthcare providers and staff, there are a few things you may not know.
This is a quick overview of lesser-known Notice of Privacy Practices requirements to help you be compliant.
You must make a good faith effort to obtain an individual's written acknowledgment that they have received your Notice of Privacy Practices no later than the date of first service. This is a one-time only activity—you do not need to obtain acknowledgement from an individual more than once. For example, there is no requirement to obtain patient signatures annually.
Because your Notice of Privacy Practices is a notice, not a consent, you are simply obtaining the person's acknowledgement of receipt rather than their authorization. In other words, the intent of the notice is to inform patients about your legal use of their information; you are not asking them for permission.
This also means you may still see patients who refuse to sign the acknowledgement. In the rare event a patient refuses to sign your Notice of Privacy Practices acknowledgement form, be certain to document your attempt and the patient's refusal.
Somewhere on your intake paperwork have new patients sign a HIPAA acknowledgment, something like this:
I have reviewed the HIPAA Notice of Privacy Practices, have been provided an opportunity to discuss my right to privacy, and know that upon request I will be given a copy.
If you provide services at a physical office location, then you must post your entire notice in a clear and prominent location within the facility. The format and design are your choice, as long as the information is the same as what you distribute to individuals.
Here's a sample Notice of Privacy Practices document.
If your business has a website, you must include your Notice of Privacy Practices somewhere on the site. The website requirement does not carry the same "post in a prominent location" language that applies to your physical office location; therefore, you needn't include the notice on your homepage so long as the notice is viewable somewhere. Just create a page containing your Notice of Privacy Practices text and link to it from your website's footer.
Good news: if you revise your Notice of Privacy Practices, you don't need to mail or otherwise notify patients of the change, nor obtain new signatures from existing patients. You must, however, make the up-to-date notice available upon request, post it prominently in your office, and add it to your website.
No face-to-face first visit?
The Department of Health and Human Services (HHS) provides thorough guidance on this subject. Here is what they say:
A health care provider who first treats a patient over the phone satisfies the notice provision requirements of the Privacy Rule by mailing the notice to the individual the same day, if possible. To satisfy the requirement that the provider also make a good faith effort to obtain the individual’s acknowledgment of the notice, the provider may include a tear-off sheet or other document with the notice that requests that the acknowledgment be mailed back to the provider. The health care provider is not in violation of the Rule if the individual chooses not to mail back an acknowledgment; and a file copy of the form sent to the patient would be adequate documentation of the provider’s good faith effort to obtain the acknowledgment.
To improve the patient experience in your office, you can offer a "layered" notice, meaning you give the patient a short summary that sits on top of the longer Notice of Privacy Practices itself (hence "layered"). Think of this as placing a bullet-point style brochure on top of the more complex notice. Offering a summary of complex material can be a wonderful gesture.
HHS provides great examples of layered notices that you can use.
Let's conclude this article with what the Notice of Privacy Practices is NOT. Your notice is not a substitute for an individual's authorization. This means that if you want to use or disclose patient information in a way not automatically permitted by the Privacy Rule, you must still get separate written authorization from the patient.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.