Issue: Notice of Privacy Practices (AHIMA Practice Brief)


Editor's Note: The following information supplants information contained in earlier versions of the practice brief "Notice of Information Practices."

Background

Timely, accurate and complete health information must be collected, maintained and made available to members of an individual's healthcare team so that members of the team can accurately diagnose and care for that individual. Most consumers understand and have no objections to this use of their information.

On the other hand, consumers may not be aware of the fact that their health information may also be used as:
  • a legal document describing the care rendered
  • verification of services for which the individual or a third-party payer is billed
  • a tool in evaluating the adequacy and appropriateness of care
  • a tool in educating health professionals
  • a source of data for research
  • a source of information for tracking disease so that public health officials can manage and improve the health of the nation
  • a source of data for facility planning and marketing

Although consumers trust their caregivers to maintain the privacy of their health information, they are often skeptical about the security of their information when it is placed on computers or disclosed to others. Increasingly, consumers want to be informed about what information is collected, and to have some control over how their information is used.

With this in mind, some states and, more recently, the federal government passed legislation requiring that health plans, healthcare clearinghouses, and healthcare providers furnish individuals with a notice of information practices.

Federal Requirements

Standards for Privacy of Individually Identifiable Health Information

In general, the federal Standards for Privacy of Individually Identifiable Health Information, also known as the HIPAA Privacy Rule (45 CFR Part 160-164), requires that:

Except for certain variations or exceptions for health plans and correctional facilities, an individual has a right to notice as to the uses and disclosures of protected health information that may be made by the covered entity, as well as the individual's rights, and the covered entity's legal duties with respect to protected health information.

In general, the content of the notice must contain:

  1. A header "THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
  2. A description, including at least one example of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and healthcare operations.
  3. A description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization.
  4. A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization.
  5. When applicable, separate statements that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual; that the covered entity may contact the individual to raise funds for the covered entity; and that the group health plan or health insurance issuer or HMO may disclose protected health information to the sponsor of the plan.
  6. A statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights including:
    • the right to request restrictions on certain uses and disclosures as provided by 45 CFR 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction
    • the right to receive confidential communications of protected health information as provided by 164.522(b), as applicable
    • the right to inspect and copy protected health information as provided by 164.524
    • the right to amend protected health information as provided in 164.526
    • the right to receive an accounting of disclosures as provided in 164.528
    • the right to obtain a paper copy of the notice upon request as provided in 164.520
  7. A statement that the covered entity is required by law to maintain the privacy of protected health information and to provide individuals with a notice of its legal duties and privacy practices with respect to protected health information.
  8. A statement that the covered entity is required to abide by the terms of the notice currently in effect.
  9. A statement that the covered entity reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains.
  10. A statement describing how it will provide individuals with a revised notice.
  11. A statement that individuals may complain to the covered entity and to the Secretary of Health and Human Services if they believe their privacy rights have been violated; a brief description as to how one files a complaint with the covered entity; and a statement that the individual will not be retaliated against for filing a complaint.
  12. The name or title, and telephone number of a person or office to contact for further information.
  13. An effective date, which may not be earlier than the date on which the notice is printed or otherwise published.

In the preamble to the August 14, 2002, final rule, the government encourages the use of a "layered notice." A layered notice consists of a short notice that briefly summarizes the individual's rights and other information, followed by a longer notice layered beneath that explains all the required notice elements.

A covered entity that is required to have a notice may not use or disclose protected health information in a manner inconsistent with such notice.

A covered healthcare provider with a direct treatment relationship with an individual must:

  • provide the notice no later than the date of the first service delivery, including service delivered electronically, or in an emergency treatment situation, as soon as reasonably practicable after the emergency situation;
  • have the notice available at the service delivery site for individuals to request and take with them;
  • post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read the notice.

A covered entity that maintains a Web site that provides information about the covered entity's customer services or benefits must prominently post its notice on its Web site.

A covered healthcare provider that provides care to its work force related to medical surveillance, work-related illness, or injury must provide a written notice to individuals seeking such care at the time healthcare is provided, or by posting a notice in a prominent place at the location where healthcare is provided.

The covered entity may provide the notice by e-mail if the individual agrees and agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual.

Except in an emergency situation, the covered entity must make a good faith effort to obtain written acknowledgement of receipt of the notice. If it is not obtained, document the good faith effort and the reason why the acknowledgement was not obtained. If the notice is mailed, along with an acknowledgement form, the covered entity is not required to follow up to ensure the individual returns the acknowledgement form.

According to the August 14, 2002, final rule preamble, the Department of Health and Human Services believes that providers who provide notices electronically should be capable of capturing the individual's acknowledgement of receipt electronically in response to that transmission.

The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.

A covered entity must document compliance with the notice requirements by retaining copies of the notices issued and acknowledgements received.

Privacy Act of 1974 and Related Laws

The Privacy Act of 1974 (as amended) requires that federal agencies or organizations that collect and maintain information on behalf of the federal government provide individuals with a notice of privacy practices. This notice must identify:

  • the statute or order that authorizes the government to solicit the information and whether provision of the information is mandatory or voluntary
  • the principal purposes for which the information is intended to be used
  • the routine uses of the information
  • the effects, if any, of not providing all or any part of the requested information

The notice may be written on the form on which the information is solicited or a separate form that can be kept by the individual.

The Gramm-Leach-Bliley Act requires financial institutions to provide customers with a notice of privacy policies and procedures and to satisfy various disclosure and consumer opt-out requirements.

The Privacy of Consumer Financial Information Final Rule implements the requirements outlined in the Act. Among its standards are procedural and content requirements for a notice of privacy practices.

Confidentiality of Drug and Alcohol Patient Records

The Confidentiality of Alcohol and Drug Abuse Patient Records rules (42 CFR, Chapter I, Part 2) establish the following notice provisions for patients of federally assisted drug or alcohol abuse programs:

At the time of admission or as soon thereafter as the patient is capable of rational communication, each substance abuse program shall communicate to the patient that federal law and regulations protect the confidentiality of alcohol and drug abuse patient records. The program must also provide the patient with a written summary of the federal law and regulations.

The written summary of the federal law and regulations must include:

  • A general description of the limited circumstances under which a program may acknowledge that an individual is present at a facility or disclose outside the program information identifying a patient as an alcohol or drug abuser
  • A statement that violation of the federal law and regulations by a program is a crime and that suspected violations may be reported to appropriate authorities in accordance with these regulations
  • A statement that information related to a patient's commission of a crime on the premises of the program or against personnel of the program is not protected
  • A statement that reports of suspected child abuse and neglect made under State law to appropriate State or local authorities are not protected
  • A citation to the federal law and regulations

The program may devise its own notice or use the sample provided by the federal government illustrated below. In addition, the program may include in the written summary information concerning State law and any program policy not inconsistent with State and federal law on the subject of confidentiality of alcohol and drug abuse patient records.

Sample notice provided in the Confidentiality of Alcohol and Drug Abuse Patient Records rule:

Confidentiality of Alcohol and Drug Abuse Patient Records

State Requirements

Some states have laws or regulations that provide specific requirements for a notice of health information practices.

Recommendations

  1. Identify applicable notice requirements in both federal and state law.
  2. Collect sample notices from associations and other organizations.
  3. Identify the way information is used and disclosed in your organization.
  4. Decide whether your organization will participate in an organized healthcare arrangement.
  5. Assign an individual or department to serve as an initial point of contact for individuals requesting additional information or who would like to file a complaint relative to information privacy practices.
  6. Decide how material changes in the notice will be communicated.
  7. Although not a required element, consider providing space on the notice to allow an individual to request a restriction to the uses and disclosures of his or her health information.
  8. Decide whether your organization will provide space for the acknowledgement on the notice or on a separate form.
  9. Draft a notice that complies with federal and state law and regulations and accurately describes your organization's health information practices. (Although models are helpful, they cannot be used without adapting them to reflect actual practices in your organization.)
  10. Decide whether to place a copy of the current notice in the individual's record with the individual's acknowledgement, or simply to maintain a copy of each version of the notice with the dates it was in effect in a separate file.
  11. Ask legal counsel to help develop or review the notice.
  12. Generate policies and procedures relative to the notice.
  13. Educate and train staff.
  14. Post the notice and make copies available for distribution where notice acknowledgements are obtained.
  15. Implement and monitor compliance.
  16. Prior to making material changes in information practices, generate a new notice and provide that new notice to individuals about whom protected health information is maintained.

Prepared by: Gwen Hughes, RHIA

Acknowledgements

Assistance from the following individuals is gratefully acknowledged: Mary Brandt, MBA, RHIA, CHE, CHP; Jill Callahan Dennis, JD, RHIA; Jill Burrington-Brown, MS, RHIA

Issued: November 2002

References

Privacy Act of 1974. 5 USC, Section 552A. Available at http://www.usdoj.gov/foia/privstat.htm

"Privacy of Consumer Financial Information; Final Rule." 16 CFR Part 313. Federal Register 65, No. 101.

Public Health Service, Department of Health and Human Services. "Confidentiality of Alcohol and Drug Abuse Patient Records." Code of Federal Regulations, 2000. 42 CFR, Chapter I, Part 2.

"Standards for Privacy of Individually Identifiable Health Information: Final Rule." 45 CFR Parts 160 and 164. Federal Register 67. No. 157 (August 14, 2002).

Sample forms:

Sample Notice of Health Information Practices

Sample Acknowledgement of Receipt (When not included as part of Notice)


Source: Hughes, Gwen. "Notice of Information Practices" (AHIMA Practice Brief, Updated November 2002)