Editor's note: This update supplants the February 2011 practice brief "Notice of Privacy Practices."
Timely, accurate, and complete health information must be collected, maintained, and made available to members of an individual's healthcare team so that members of the team can accurately diagnose and care for that individual. Most individuals understand and have no objections to this use of their information.
On the other hand, individuals may not be aware that their health information may also be used as a:
- Legal document describing the care rendered
- Verification of services for which the individual or a third-party payer is billed
- Tool in evaluating the adequacy and appropriateness of care
- Tool in educating health professionals
- Source of data for healthcare research
- Source of information for tracking disease so that public health officials can manage and improve the health of the nation
- Source of data for facility planning and marketing
- Source of data for responding to state law requirements (e.g. cancer registry, communicable disease, dog bites, etc.)
- Business record of the organization's operations
- As a foundation upon which certain 'rights' have been inferred to them, such as the right to access and request copies.
Although consumers trust their caregivers to maintain the privacy of their health information, they often are skeptical about the confidentiality and security of their information when it is maintained electronically or disclosed to others. Increasingly, consumers want to be informed about which information is collected, disclosed and viewed. Additionally, they want some control over how their information is used.
Federal rules require providers to notify patients of the full uses, disclosures, and protections of the information they collect. This practice brief outlines the federal requirements for the Notice of Privacy Practices (NPP).
In general, the Federal Standards for Privacy of Individually Identifiable Health Information, also known as the Health Insurance Portability and Accountability Act (HIPAA) privacy rule (45 CFR Parts 160–164), require that except for certain variations or exceptions for health plans and correctional facilities, an individual has a right to receive adequate notice of how a covered entity (CE) may use and disclose his or her protected health information (PHI). The notice also must describe the individual's rights and the CE's legal duties with respect to that information. A CE that is required to provide such a notice may not use or disclose PHI in a manner inconsistent with such notice. Due to the Health Information Technology for Economic and Clinical Health (HITECH) Act under the American Recovery and Reinvestment Act (ARRA) of 2009, the HIPAA Privacy Rules have evolved and took final form with the release of the Omnibus Privacy Final Rules issued in January of 2013. As these rules have been finalized, "material" changes were introduced that require updates to the NPP by all CEs. These changes must be made permanent and implemented no later than September 23, 2013.
In general, the NPP must contain the following:
- A header such as "THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
- A description, including at least one example of the types of uses and disclosures that the CE is permitted to make for treatment, payment, and healthcare operations.
- A description of each of the other purposes for which the CE is permitted or required to use or disclose PHI without the individual's written consent or authorization.
- A statement that other uses and disclosures will be made only with the individual's written authorization, and a notation that the individual may revoke such authorization at any time.
- When applicable, separate statements that the CE may contact the individual to provide appointment reminders or information about treatment alternatives and other health-related benefits and services that may be of interest to the individual..
- A statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization.
- CEs that do not record or maintain psychotherapy notes are not required to include a statement in their NPPs about the authorization requirement for uses and disclosures of psychotherapy notes.
- A statement in the NPP regarding fundraising communications and an individual's right to opt out of receiving such communications, if a CE intends to contact an individual to raise funds for the CE.
Note: If a CE does not make fundraising communications then this statement does not need to be included on the NPP.
- The mechanism of the opt-out does not have to be included in the NPP because individuals will be provided the opportunity to opt out of fundraising communications with each solicitation.
- For health plans that perform underwriting activities only, a statement must be included in the NPP indicating the health plan is prohibited from using or disclosing genetic information for underwriting purposes.
- A statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise these rights, with certain exceptions, including:
- The right to request restrictions on certain uses and disclosures as provided by 45 CFR 164.522(a), including a statement that the CE is not required to agree to a requested restriction
- For healthcare providers only, a statement indicating the right to restrict certain disclosures of PHI to a health plan when the individual pays out of pocket in full for the healthcare item or service
- The right to receive confidential communications of PHI
- The right to access, inspect, and receive a copy of PHI on paper, including the right to have electronic copies if kept in electronic form
- The right to request electronic copies of PHI be forwarded to a third party
- The right to request an amendment of PHI
- The right to receive an accounting of disclosures
- The right to be notified of the CE's privacy practices
- The right to control PHI use for marketing, sales, and research
- The right to be notified of a breach to PHI
- The right to file complaints with the Office for Civil Rights
- A statement that the CE is required by law to maintain the privacy of PHI and to provide individuals with a notice of its legal duties and privacy practices with respect to PHI.
- A statement that the CE is required to abide by the terms of the notice currently in effect.
- A statement that the CE reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains.
- A statement describing how the CE will provide individuals with a revised notice.
- A statement that individuals may complain to the CE and to the Secretary of Health and Human Services if an individual believes their privacy rights have been violated; a brief description of how to file a complaint with the CE; and a statement that the individual will not be retaliated against for filing a complaint.
- The name or title and the telephone number of a person or office to contact for further information.
- An effective date, which may not be earlier than the date on which the notice is printed or otherwise published.
A covered healthcare provider with a direct treatment relationship with an individual must:
- Provide the notice no later than the date of the first service delivery, including service delivered electronically, or in an emergency treatment situation, as soon as reasonably practicable after the emergency situation.
- Have the notice available at the service delivery site for individuals to request and take with them; this availability does not include requiring the patient to ask for the NPP. It should be prominently displayed and made available within waiting rooms and waiting areas.
- Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to easily locate and read the notice.
- When e-mailing the notice, provide a paper copy if the transmission fails.
- The NPP must be posted on the CE's website, if one is maintained.
- Except in emergency situations, make a good faith effort to obtain written acknowledgment of receipt and, as appropriate, document good faith efforts and reasons why the acknowledgment could not be obtained.
- If providing notices electronically, capture the individual's acknowledgment of receipt electronically in response to that transmission.
Redistributing Updated Notices
The Final Omnibus Rule requires changes to the NPP so redistribution must follow. However, an NPP may be updated for other reasons, such as a change in the use and disclosure of PHI within an organization. Regardless of the reason, every time a NPP is updated, it must be redistributed to all patients seeking treatment. Redistribution does not mean physically handing the revised NPP out to each patient. The requirements for redistribution have not changed as originally defined by the HIPAA Privacy Rule and are as follows:
- The revised NPP must be posted in a clear and prominent location.
- The revised NPP must be made easily available to the patient on or after the effective date of the revision at the delivery site.
- Providers are not required to print and hand out the revised NPPs.
- The Office for Civil Rights (OCR) clarifies that providers may post a summary of the notice in such a location as long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. It would not be appropriate, however, to require the individual to have to ask the receptionist for a copy of the full NPP.
- The revised NPP must be provided to every new patient with a good faith acknowledgment of receipt.
- If a provider has already revised their NPP and it is fully compliant with the Final Omnibus Rules, they are not required to reprint or redistribute.
- If providing care to its workforce related to medical surveillance, work-related illness, or injury, provide a written notice to individuals seeking such care at the time care is provided; and
- Document compliance with the notice requirements by retaining copies of the notices issued and acknowledgments received for the minimum six-year HIPAA-retention time frame.
- To the extent a CE is required to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the CE has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the revised NPP or notice of material changes to the NPP available in alternate formats, such as Braille, large print, or audio.
- According to Title VI of the Civil Rights Act of 1964, the CE must take reasonable steps to ensure meaningful access for Limited English Proficient persons to the services of the CE, which could include translating the NPP into frequently encountered languages.
- Must prominently post the revised NPP or material changes to their websites by the compliance date, September 23, 2013.
- Must redistribute revised NPP, or information about the material change and how to obtain it in the health plan's next annual mailing to individuals covered by the plan (e.g. at the beginning of the plan year or during open enrollment).
- Health plans that do not have customer service websites must provide the revised NPP or information about the material changes and how to obtain it to individuals covered by the plan within 60 days of the NPP's update.
See Appendix A for a sample NPP.
Privacy Act of 1974 and Related Laws
The Privacy Act of 1974 (as amended) requires that federal agencies or organizations that collect and maintain information on behalf of the federal government provide individuals with a NPP. This notice must identify:
- The statute or order that authorizes the government to solicit the information and whether the provision of this information is mandatory or voluntary.
- The principal purposes for which the information is intended to be used.
- The routine uses of the information.
The notice may be written on the form on which the information is solicited or on a separate form that the patient can keep.
Confidentiality of Drug and Alcohol Patient Records
The Confidentiality of Alcohol and Drug Abuse Patient Records rules establish the following notice provisions for patients of federally assisted drug or alcohol abuse programs.
At the time of admission, or as soon thereafter as the patient is capable of rational communication, each substance abuse program must communicate to the patient that federal law and regulations (42 CFR, Chapter 1, Part 2) protect the confidentiality of alcohol and drug abuse patient records. The program also must provide the patient with a written summary of the federal law and regulations that includes:
- A general description of the limited circumstances under which a program may acknowledge that an individual is present at a facility, or disclose outside the program information identifying a patient as an alcohol or drug abuser.
- A statement that violation of the federal law and regulations by a program is a crime and that suspected violations may be reported to appropriate authorities in accordance with these regulations.
- A statement that information related to a patient's commission of a crime on the premises of the program or against personnel of the program is not protected.
- A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected.
- A citation to the federal law and regulations.
The program may devise its own notice or use the sample provided by the federal government. In addition, the program may include in the written summary information concerning state law and any program policy not inconsistent with state and federal law on the subject of confidentiality of alcohol and drug abuse patient records.
The following steps are recommended to develop and maintain a NPP:
- Identify applicable notice requirements in both federal and state law.
- Collect sample notices from associations and other organizations. See Appendix A for a sample NPP.
- Identify annually the way information is used and disclosed in your organization and ensure that these types of uses are reflected in the NPP.
- Determine participation in shared electronic health record arrangements or health information exchanges and include this information in the notice. If participating in these arrangements, the organized healthcare arrangement (OHCA) may have a joint NPP.
- Ensure that an appointed staff member or department serves as an initial point of contact for individuals requesting additional information–and for those who would like to file a complaint relative to information privacy practices
- Communicate material changes in the notice to the organizational staff and introduce process changes where necessary.
- Identify which acknowledgment option is best for the organization—that is, leave space for the acknowledgment on the notice or on a separate form.
- Place a copy of the individual's acknowledgment in their health record.
- Refer to legal counsel when appropriate.
- Ensure organization-wide policies and procedures relative to the notice are reviewed and updated accordingly and as needed, or at a minimum, annually.
- Post the notice and make copies available for distribution where notice acknowledgments are obtained.
- Implement and monitor compliance. For example, run reports on individuals who were seen but did not sign a NPP acknowledgement form and document efforts to obtain.
Appendix A: Sample Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
If you have any questions about this Notice of Privacy Practices ("Notice"), please contact:
Phone Number: <Insert phone number / contact info>
Section A: Who Will Follow This Notice?
This Notice describes <Insert site name>* (hereafter referred to as "Provider") Privacy Practices and that of:
*Note: It is up to the organization, but some choose to list affiliated entities and groups here as well.
Any workforce member authorized to create medical information referred to as protected health information (PHI) that may be used for purposes such as treatment, payment and healthcare operations. These workforce members may include:
- All departments and units of Provider
- Any member of a volunteer group
- All employees, staff and other Provider personnel
- Any entity providing services under Provider's direction and control will follow the terms of this notice. In addition, these entities, sites and locations may share medical information with each other for treatment, payment or healthcare operations as described in this notice
Section B: Our Pledge Regarding Medical Information
We understand that medical information about you and your health is personal. We are committed to protecting medical information about you. We create a record of the care and services you receive at the Provider. We need this record to provide you with quality care and to comply with certain legal requirements. This Notice applies to all the records of your care and records related to payment for that care, generated or maintained by the Provider, whether made by Provider personnel or your personal doctor.
This Notice will tell you about the ways in which we may use and disclose medical information about you. We also will describe your rights and certain obligations we have regarding the use and disclosure of medical information.
We are required by law to:
- Make sure that medical information that identifies you is kept private
- Give you this Notice of our legal duties and privacy practices with respect to medical information about you
- Follow the terms of the Notice currently in effect
Section C: How We May Use and Disclose Medical Information About You
The following categories describe different ways that we use and disclose medical information. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
- Treatment. We may use medical information about you to provide you with medical treatment or services. We may disclose medical information about you to doctors, nurses, technicians, healthcare students, or other Provider personnel who are involved in taking care of you at the Provider. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if you have diabetes so that we can arrange for appropriate meals. Different departments of the Provider also may share medical information about you in order to coordinate the different services you need, such as prescriptions, lab work, x-rays and clergy. We also may disclose medical information about you to people outside the Provider involved in your medical care upon discharge from Provider, such as family members or other healthcare professionals.
- Payment. We might use and disclose medical information about you so that the treatment and services you receive at the Provider can be billed properly, whether payment is collected from you, an insurance company, or a third party. For example, we might need to give your health plan information about a surgery you underwent at Provider so your health plan will reimburse you or us for the cost of the procedure. We also may tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
- Healthcare Operations. We may use and disclose medical information about you for Provider operations, and they are necessary to make sure that all of our patients receive quality care. For example, we may use medical information to review our treatments and services and to evaluate the performance of our staff in caring for you. We also might combine medical information about many of the Provider's patients to decide what additional services the Provider should offer, what services are not needed, and whether certain new treatments are effective. We also might disclose information to doctors, nurses, technicians, healthcare students, and other Provider personnel for review and learning purposes. We also may combine the medical information we have with medical information from other providers to compare how we are doing and see where we can make improvements in our care and service. We might remove information that identifies you from this set of medical information so others can use it to study healthcare and healthcare delivery without learning a patient's identity.
- Appointment Reminders. We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or medical care at the Provider.
- Treatment Alternatives. We may use and disclose medical information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.
- Health & Related Benefits and Services. We may use and disclose medical information to tell you about health and related benefits or services that could be of interest to you.
- Fundraising Activities. If we intend to use your medical information for fund-raising purposes, we will inform you of such intent and let you know that you have the right to opt out of receiving fundraising communications. We might use such information to contact you in an effort to raise money for the Provider and its operations. We may disclose information to a foundation related to the Provider so that the foundation may contact you about raising money for the Provider. We would only release contact information, such as your name, address, phone number and the dates you received treatment or services at the Provider. If you do not want the Provider to contact you for fundraising efforts, you must notify us in writing and you will be given the opportunity to opt-out of these communications.
- Authorizations Required. We will not use your PHI for any purposes not specifically allowed by federal or state laws or regulations without your written authorization. Specifically, the following types of uses and disclosures of your medical information require an authorization: 1) disclosure of psychotherapy notes; 2) disclosures for marketing purposes; and 3) disclosures that constitute a sale of PHI. Other uses and disclosures not described in the NPP will not be made unless an individual provides an authorization and that authorization may be revoked prospectively at any time by written revocation.
- Emergencies. We may use or disclose your medical information if you need emergency treatment or if we are required by law to treat you but are unable to obtain your consent.
- Communication Barriers. We may use and disclose your health information if we are unable to obtain your consent because of substantial communication barriers and we believe you would want us to treat you if we could communicate with you.
- Provider Directory. We may include certain limited information about you in Provider's directory while you are a patient here. This information may include your name, location, general condition (e.g., fair, stable, etc.) and religious affiliation. The directory information, except for your religious affiliation, also may be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if they do not ask for you by name. This is so your family, friends and clergy can visit and generally know how you are doing.
- Individuals Involved in Your Care or Payment for Your Care. We may release medical information about you to a friend or family member who is involved in your medical care and we also may give information to someone who helps pay for your care, unless you object and ask us not to provide this information to specific individuals, in writing. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location.
- Research. Under certain circumstances, we may use and disclose medical information about you for research purposes. For example, a research project could involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with patients' need for privacy of their medical information. All research projects are subject to an approval process involving an Institutional Review Board (IRB). The IRB evaluates proposed research projects and their use of PHI, balancing research needs and a patients' right to privacy. We may disclose PHI about you to people preparing to conduct a research project in order to help identify patients with specific medical needs. PHI disclosed during this process never leaves our control. We might ask for specific permission from you if the researcher will have access to your name, address or other information that reveals who you are, or will be involved in your care at the Provider.
- As Required By Law. We will disclose medical information about you when required to do so by federal, state, or local law.
- To Avert a Serious Threat to Health or Safety. We may use and disclose your medical information when necessary to prevent a serious threat to the health and safety of the public or another person.
- E-mail Use E-mail will only be used for communications in accordance with this organization's current policies and practices and with your permission. The use of secured, encrypted e-mail is encouraged.
Section D: Special Situations
- Organ and Tissue Donation. If you are an organ donor, we may release medical information to organizations that handle organ, eye, and tissue procurement as necessary to facilitate donation and transplantation.
- Military and Veterans. If you are a member of the armed forces, we may release medical information about you as required by military command authorities. We also might release medical information about foreign military personnel to the appropriate foreign military authority.
- Workers' Compensation. We may release medical information about you for workers' compensation or similar programs.
- Public Health Risks. We may disclose medical information about you for public health activities. These activities generally include the following:
- To prevent or control disease, injury or disability
- To report births and deaths
- To report child abuse or neglect
- To report reactions to medications or problems with products
- To notify people of recalls of products they may be using
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
- To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
- Health Oversight Activities. We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
- Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
- Law Enforcement. We may release medical information if asked to do so by a law enforcement official:
- In response to a court order, subpoena, warrant, summons or similar process
- To identify or locate a suspect, fugitive, material witness, or missing person
- About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement
- About a death we believe may be the result of criminal conduct
- About criminal conduct at Provider
- In emergency circumstances, to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime
- Coroners, Medical Examiners and Funeral Directors. We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We also may release medical information about Provider patients to funeral directors as necessary to carry out their duties.
- National Security and Intelligence Activities. We may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
- Protective Services for the President and Others. We may disclose medical information about you to authorized federal officials so they may provide protection to the President, foreign heads of state, or other authorized persons to conduct special investigations.
- Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary for the correctional institution to provide you with healthcare, to protect your health and safety or the health and safety of others, as well as for the safety of the institution itself.
Section E: Your Rights Regarding Medical Information About You
You have the following rights regarding medical information we maintain about you:
- Right to Access, Inspect, and Copy. You have the right to access, inspect, and copy the medical information that may be used to make decisions about your care, with a few exceptions. Usually, this includes medical and billing records, but may not include psychotherapy notes.
- If we maintain your information electronically you may request a copy of your records via a mutually agreed upon electronic format. If we fail to agree upon an electronic format for delivery of electronic copies we will provide you with a paper copy for your records. If you request a copy of the information in either paper or electronic format, we may charge a fee for the costs of copying, mailing or other supplies associated with your request.
- We may deny your request to inspect and copy medical information in certain very limited circumstances. If you are denied access to medical information, in some cases, you may request that the denial be reviewed. Another licensed health care professional chosen by Provider will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
- Right to Amend. If you feel that medical information we have about you is incorrect or incomplete, you may request that we amend the information. You have the right to request an amendment for as long as the information is kept by or for the Provider. In addition, you must provide a reason that supports your request.
- We may deny your request for an amendment if it is not in writing or does not include a reason to support the request or for other reasons. Typical reasons for denial of an amendment request include if you ask us to amend information that:
- Was not created by us, unless the person or entity that created the information is no longer available to make the amendment
- Is not part of the medical information kept by or for Provider
- Is not part of the information which you would be permitted to inspect and copy
- Is accurate and complete
- Right to an Accounting of Disclosures. You have the right to request an "Accounting of Disclosures.". This is a list of the disclosures we made of medical information about you. Your request must state a time period which may not be longer than six years. Your request should indicate in what form you want the list (for example, on paper or electronically, if available). The first list you request within a 12-month period will be complimentary. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
- Right to Request Restrictions. You have the right to request a restriction or limitation on the medical information we use or disclose about you for payment or healthcare operations. We require that any requests for use or disclosure of medical information be made in writing. In some cases we are not required to agree to these types of requests, however, if we do agree to them we will abide by these restrictions. We will always notify you of our decisions regarding restriction requests in writing. We will not comply with any requests to restrict use or access of your medical information for treatment purposes.
You have the right to request, in writing, a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, such as a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had to your spouse. In your request, you must tell us what information you want to limit, whether you want to limit our use, disclosure or both, and to whom you want the limits to apply.
You have the right to request a restriction on the use and disclosure of your medical information about a service or item to your health plan. This right only applies to request for restrictions to a health plan and cannot be denied. The service or item requested for restriction from the health plan must be paid in full and out of pocket by you before the restriction will be applied. We are not required to accept your request for this type of restriction until you have completely paid your bill (zero balance) for the item or service. It is your responsibility to notify other healthcare providers of these types of restrictions. We are not required to do so.
- Right to Receive Notice of a Breach. We are required to notify you by first class mail or by e-mail (if we offered and you have indicated a preference to receive information by e-mail), of any breaches of Unsecured Protected Health Information as soon as possible, but in any event, no later than 60 days following the discovery of the breach. "Unsecured Protected Health Information" is information that is not secured via a methodology identified by the Secretary of the U.S. Department of Health and Human Services (HHS) that renders the protected health information unusable, unreadable, and indecipherable to unauthorized users. The notice is required to include the following information:
- A brief description of the breach, including the date of the breach and the date of its discovery, if known
- A description of the type of Unsecured Protected Health Information involved in the breach
- Steps you should take to protect yourself from potential harm resulting from the breach
- A brief description of actions we are taking to investigate the breach, mitigate losses, and protect against further breaches
- Contact information, including a toll-free telephone number, e-mail address, website, or postal address where you can ask questions or obtain additional information.
In the event the breach involves 10 or more patients whose contact information is out of date, we will post a notice on the home page of our website or in a major print or broadcast media. If the breach involves more than 500 patients in the state or jurisdiction, we will send notices to prominent media outlets. If the breach involves more than 500 patients, we are required to immediately notify the Secretary. We also are required to submit an annual report to the Secretary detailing a list of breaches that involve more than 500 patients during the year and maintain a written log of breaches involving less than 500 patients.
- Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or hard copy or e-mail. We will not ask you the reason for your request, but will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted. Right to a Paper Copy of This Notice. You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy. You may obtain a copy of this Notice at our website. <Insert website link, if appropriate>. To exercise the above rights, please contact <Insert appropriate contact information> to obtain a copy of the relevant form you will need to complete to make your request.
Section F: Changes To This Notice
We reserve the right to change this Notice. We reserve the right to make the revised or changed Notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current Notice in our organization as well as on our website. In addition, each time you register, are admitted, or receive inpatient or outpatient services from a Provider, we will offer you a copy of the most current Notice.
Section G: Complaints
If you believe your privacy rights have been violated, you may file a complaint with Provider or with the Secretary of the Department of Health and Human Services; http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
To file a complaint with the Provider, contact the individual listed on the first page of this Notice. All complaints must be submitted in writing. You will not be penalized for filing a complaint.
Section H: Other Uses of Medical Information
Other uses and disclosures of medical information not covered by this Notice or the laws that apply to you will be made only with your written permission. If you provide us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.
Section I: Organized Healthcare Arrangement (OHCA)
The Provider, the independent contractor members of its ,medical staff (including your physician), and other healthcare providers affiliated with the provider have agreed, as permitted by law, to share your health information among themselves for purposes of treatment, payment, or healthcare operations, enabling us to better address your healthcare needs. Providers participating in an Organized Healthcare Arrangement may share the same NPP.
Revised Date: April 20, 2013. Compliant with HIPAA Omnibus Privacy Rules
Original Effective Date: April 14, 2003
Kelly McLendon, RHIA, CHPS
Angela Dinh Rose, MHA, RHIA, CHPS
Rebecca Buegel, RHIA, CHP,CHC
Dana DeMasters, RN, MN, CHPS
Jane DeSpiegelaere, MBA, RHIA, CCS, FAHIMA
Jean Foster, RHIA
Elisa R. Gorton, RHIA, CHPS, MAHSM
Sandra L. Joe, MJ, RHIA
Michele Kruse, MBA, RHIA, CHPS
Mary Poulson, RHIT, MA,CHC,CHPC
Kim Turtle Dudgeon, RHIT, HIT Pro-IS/TS, CMT
Diana Warner, MS, RHIA, CHPS, FAHIMA
Prepared by (2011)
Patricia Cunningham, MS, RHIA
Kelly McLendon, RHIA, CHPS
Nancy Davis, RHIA
Angela Dinh, MHA, RHIA, CHPS
Julie Dooling, RHIT
Lisa Fink, MBA, RHIA, CPHQ
Margaret Foley, PhD, RHIA, CCS
Gwen Jimenez, RHIA
Peg Schmidt, RHIA
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR
Prepared by (Original)
Gwen Hughes, RHIA
Mary Brandt, MBA, RHIA, CHE, CHP
Jill Burrington-Brown, MS, RHIA
Jill Callahan Dennis, JD, RHIA
AHIMA. "Redisclosure of Patient Health Information (Updated)." Journal of AHIMA 80, no. 2 (Feb. 2009): 51–54.
American Health Information Management Association, American Medical Informatics Association. "Handling Complaints and Mitigation (Updated)." Journal of AHIMA (Updated June 2010).
Heubusch, Kevin. "Too Much Privacy? OCR Proposes Easing Protections on Decedent Records." Journal of AHIMA 81, no. 9 (Sept. 2010): 50–51.
HITECH Act Regulations, 41 CFR: Parts 412, 413, 422 and 105 and 45 CFR: Subtitle A Subchapter D.
Federal Trade Commission. Privacy Act of 1974; 5 USC, Section 552A; 16 CFR Part 313; Privacy of Consumer Financial Information; Final Rule; Federal Register 65, no. 101 (May 24, 2000).
Public Health Service, Department of Health and Human Services. "Confidentiality of Alcohol and Drug Abuse Patient Records." Code of Federal Regulations, 2000. 42 CFR, Chapter I, Part 2.
Rode, Dan. "Keeping HITECH in Context: Flurry of Regulation Fits within a Larger, More Familiar Picture." Journal of AHIMA 81, no. 10 (Oct. 2010): 18–20.
45 CFR Parts 160 and 164; Standards for Privacy of Individually Identifiable Health Information: Final Rule; Federal Register 67 no. 157 (Aug. 14, 2002). http://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf.
45 CFR Parts 160 and 164; HIPAA Administrative Simplification: Standards for Privacy of Individually Identifiable Health Information: Final Rule; Federal Register 74, no. 193 (Oct. 7, 2009). http://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf
"Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules." Federal Register, vol. 78, no. 17 (January 25, 2013), 5702.
AHIMA. "Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach NotificationRules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rule." January 25, 2013.
McLendon, Kelly; Rose, Angela Dinh.
"Notice of Privacy Practices (2013 update)"
(AHIMA Practice Brief, October 2013)