Patient-focused health care providers understand that privacy is important to patients. Providing patients with an explanation of their health information privacy rights has been a standard part of provider office procedures when patients present for medical care since HIPAA was enacted. If patients are being handed a Notice of Privacy Practices (NPP) dated before the January 17, 2013, Final Rule was issued, or if the website publishes an old form, providers have until September 23, 2013, to revise and distribute it. The Final Rule applies to “covered entities” -- you know who you are!
The new HIPAA regulations explain the details required to be part of the NPP (even down to capitalized headers), and must be consulted to ensure that a compliant NPP is developed and publicized. An overview of the change process provides a roadmap for providers undertaking this task. NPPs must be made more “user friendly” and include additional descriptions of patients’ rights concerning their Protected Health Information (PHI).
What happens if the NPP is not revised?
- Covered entities may be exposed to patient complaints, governmental investigations, and civil and criminal penalties.
What new information needs to be added to the NPP?
- Authorized uses under HIPAA; examples. A description of how information may be used without patient authorization, and at least one example of what is meant by treatment, payment, and healthcare operations (e.g., “for example…”).
- Provider’s intentions. Disclosure if PHI will be used to give appointment reminders, provide alternative treatment information, disclose to plan sponsor, or for fundraising.
- How patients can obtain access to PHI. Right to inspect records and obtain paper copy of electronic PHI.
- Where patient authorization is needed. List must include psychotherapy notes, marketing, subsidized treatment communications, sale, and certain other uses.
- How patients may proactively restrict disclosure. Specific written request; may not be honored with regard to health insurer unless services completely paid out-of-pocket.
- Opting out of fundraising. Inform patients of right to opt out of each solicitation.
- Accounting to patients for disclosure.
- How patients may complain about privacy violation. How to file a complaint; non-retaliation.
- Breach notification. Statement covered entity is required to notify patient of each breach.
- List of provider duties. Include contact for privacy office.
- Health plans only. Provide notice genetic information may not be used for underwriting, with exceptions for some long-term care policies.
What must be done after the NPP is revised?
- Make available. Copy to new patients; available to existing patients; NPP or notice of material change in next mailing of health insurer.
- Post. On website, in office (or post summary with full NPP available).
- Keep records. Keep copies of prior versions of NPPs and written patient acknowledgements of receipt.
This is only a roadmap of the major highways, but the path is clear. With reasonable effort and attention to detail, enhanced patient communication concerning privacy can be implemented as required.