Frank Ruelas (francisco.ruelas@dignityhealth.org) is Facility Compliance Professional at St. Joseph’s Hospital and Medical Center/Dignity Health in Phoenix, and Tina Daha (tmdaha@gmail.com) is an ethics and compliance professional in Scottsdale, AZ.
Some clinics and offices seem to be backsliding in regard to compliance with the Health Insurance Portability and Accountability Act (HIPAA) requirement of providing either an electronic copy or a hard copy of an important document called the Notice of Privacy Practices (NPP). Individuals who come to covered-entity locations are often asked to sign an acknowledgement that they received a copy of the NPP, but they are never actually provided a copy of it. This happens all too frequently, and if so, a covered entity’s efforts are inadequate to promote its compliance with the provision of the NPP to individuals, as described in the HIPAA regulations.
Individuals have rights in terms of the privacy and security of their medical information that a covered entity, such as a physician’s office or a hospital, may create, maintain, receive, or store. HIPAA is the federal law that identifies the requirements that covered entities must follow to protect an individual’s protected health information (PHI). One of these requirements is that a covered entity provide a copy of its NPP to individuals. The NPP explains the manner in which the covered entity is permitted to use or disclose an individual’s PHI. The NPP also describes the individual’s rights under HIPAA.
What is a Notice of Privacy Practice?
An NPP outlines how PHI may be shared and protected under specific circumstances. This includes educating individuals about how the covered entity may use or disclose their PHI. For example, the NPP describes when PHI may be used or disclosed only with an individual’s authorization or permission and when an authorization is not needed. Given the NPP’s focus on privacy, it also provides information to the individual about their rights under the HIPAA regulations. The NPP also contains information about the covered entity, including:
- What legal obligations the covered entity is responsible for,
- Who to contact when complaints and questions arise, and
- The patient’s right to be notified promptly if a breach occurs.
Note: Check the HHS.gov website for a quick and easy guide to assess if your organization qualifies as a covered entity as defined by HIPAA regulations and has to comply.[1]
Are patients actually receiving your NPP?
The HIPAA Privacy Rule, generally speaking, clarifies an individual’s rights to adequate notice of how a covered entity may use and disclose PHI and the covered entity’s obligations to safeguard an individual’s PHI. Specifically, one of these rights is the individual’s right to receive a copy of an NPP that describes how their PHI may be used and disclosed, and what rights an individual may exercise under HIPAA. For example, the NPP describes that the individual has the right to request a restriction on the use or disclosure of PHI, the right to request an amendment/correction to their own PHI, and the right to receive an accounting of disclosures. This is very useful and important information, which also underscores the reason why providing a copy of its NPP is such an important process and requirement for a covered entity under the HIPAA regulations.
When do individuals receive the NPP?
An individual has the right to obtain and acknowledge the receipt of a covered entity’s NPP when the individual first arrives at a covered entity’s physical location where healthcare services are provided. Thereafter, the individual also has the right to request a copy from the covered entity at any time. In addition to distributing the NPP, additional requirements are placed upon covered entities to promote awareness of their NPP as well as to provide information to individuals. These requirements include that NPPs must be prominently posted in locations where individuals are expected to see them. If a covered entity maintains a website, the NPP must be prominently posted on the website, and the NPP must also be available electronically.[2]
Because more covered entities are providing services to individuals by electronic means, there are additional requirements on providing the NPP to these individuals. In cases where an individual’s first service is delivered electronically, the covered entity is required to provide a copy of the NPP automatically and at the same time as the service delivery. A covered entity’s NPP may be provided to an individual by email if the individual has agreed to receive email communications from the covered entity. If the NPP is sent by email and the covered entity finds that the email transmission has failed, such as through an undeliverable notice from the email service provider, a paper copy of the NPP must be provided to the individual.
Who is responsible for obtaining acknowledgements?
Yes, it may be the individual’s responsibility to be practical and ask questions regarding their healthcare, but covered entities should not assume that an individual understands HIPAA and how it applies to safeguarding the privacy and security of their PHI. Therefore, it is important that covered entities make the effort to present the NPP to the individual and make a good-faith attempt to receive an acknowledgement from the individual confirming that a copy of the covered entity’s NPP has been received. This can be accomplished in a number of ways. For example, where an electronic medical record system is used, the individual may sign on an electronic signature pad to acknowledge receipt. Another method, when a hard-copy-based process is used, is to attach the acknowledgement of receipt as the cover page for the individual to sign. This increases the form’s visibility and acts as a prompt or reminder to the covered entity’s staff to get the acknowledgement signed. Sometimes covered entities attach the acknowledgement form to the last page of the NPP. This is an acceptable process, but when things get busy and the staff is interacting with many patients and multitasking, it is easier to overlook the receipt form there than if it were attached as a cover page.
What is required to be contained within an NPP?
The HIPAA regulations detail what must be included in a covered entity’s NPP. As listed in 45 C.F.R. §164.520, there are required elements as well as several optional elements. Covered entities looking to draft their NPP may also take advantage of a model NPP that HHS has made available.[3] The release of the Omnibus Final Rule on January 17, 2013, resulted in modifications to the NPPs already in use.[4] Some noteworthy areas that covered entities needed to address included:
- A statement that any type of use or disclosure not mentioned in the NPP, other than those clearly permitted, will be made only with written authorization (45 C.F.R. § 164.520);
- Patients have rights to restrict and opt out of certain disclosures (45 C.F.R. § 164.520(b)(1));
- A covered entity has a duty to notify affected individuals of a breach of unsecured PHI;
- Use of genetic information is limited. Certain health plans are prohibited from using or disclosing an individual’s genetic information for underwriting purposes (45 C.F.R. § 164.520(b)(1)(iii)(C));
- When a covered entity maintains psychotherapy notes, the NPP must include a statement indicating uses and disclosures will be made only with authorization;
- Statements on PHI used for marketing purposes, subsidized treatment communications, sale of PHI, and other disclosures are explained, if they are not defined elsewhere in the NPP;
- An individual has a right to opt out of a covered entity’s intended fundraising efforts (45 C.F.R. § 164.520(b)(1)(iii)(B)); and
- An individual who paid “fee for service” (out of pocket) for their healthcare has the right to ask their healthcare provider to restrict disclosure of PHI, except where the healthcare provider is required by law to make a disclosure (45 C.F.R. § 164.520(b)(1)(iv)(A)).
The NPP must contain the date when this version of the NPP became effective. Given that NPPs must be prominently posted, some covered entities, such as hospitals or large clinics, may have NPPs posted in a number of areas. It is easy to lose track of all of the locations where NPPs are posted, so it is not difficult to miss replacing an NPP with an updated version. The effective date on an NPP is one way that covered entities can easily identify whether a specific posted NPP is still current or needs to be replaced.
What are some common mistakes when distributing the NPP?
The following list addresses common errors or gaps that can contribute to a covered entity’s failure to comply with HIPAA’s NPP requirements:
- Make sure all posted NPPs and distributed NPPs are current by using copies with the most current effective date.
- Check that electronic copies of the NPP are also current and contain the most current effective date.
- Before obtaining an acknowledgement of receipt, ensure that the individual actually received a copy of the NPP.
- Establish a reliable process to identify which patients have received a copy of the NPP so they are not asked to receive and acknowledge additional copies unnecessarily.
- List the name or title and phone number of the person or office that individuals may contact if they have questions about the NPP.
- Make sure to revise the NPP as needed to reflect any material changes in the privacy practices of the covered entity or changes in regulations.