Does HIPAA require my practice to have a Notice of Privacy Practices?
Yes. The Notice of Privacy Practices is a HIPAA-required document. HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that protects patient health records. HIPAA compliance is not optional for practices handling patient protected health information (PHI). Noncompliance can lead to costly fines.
The Notice of Privacy Practices includes the privacy rights of your patients. It also informs patients how your practice may use or share their PHI.
What should my practice do with our Notice of Privacy Practices?
The law requires that you ask your patients to state in writing that they received this notice. Give your patients a physical copy of the Notice of Privacy Practices on their first visit, and have them sign the Acknowledgement of Receipt. You should also give returning patients a physical copy if your document has been updated. Mail a copy of the notice to your patients if necessary.
However, the patient’s signature does not give your practice consent to any special uses or disclosures of their PHI.
What if a patient won’t sign the Acknowledgement?
Your patients aren’t required by law to sign the Acknowledgement of Receipt. If your patient refuses to sign the Notice of Privacy Practices, just write “Refused to Sign” on the Acknowledgement, initial your note, and file it in the patient’s chart. Refusal to sign the document does not prevent your practice from using or disclosing health information as HIPAA permits.
Where should my practice post the HIPAA Notice of Privacy Practices?
The document must be posted on your practice website.
Previously, your document needed to be physically posted in your practice. However, the law hasn’t required this of practices since 2013.
In the rare event that a patient asks for a copy of the document, you must provide them with one.
What must my document include?
The Notice of Privacy Practices must include:
- How the Privacy Rule allows your practice to use and disclose PHI.
- An explanation that the patient’s authorization is required for the practice to share their PHI for any other reason.
- The patient’s privacy rights, and their right to complain to the U.S. Department of Health & Human Services (HHS) or your practice.
- How to contact your practice for more information, and how to make a complaint at your practice.
After my practice writes our Notice of Privacy Practices, it’s done, right?
No. Your practice’s document is not static. It should reflect changes in your practice’s privacy policies and procedures.
Special Offer for Platinum+ Clients
Smart Training’s Certified HIPAA Professional, Jim Moore, created a new version of the Notice of Privacy Practices. This new document limits the amount of paper your practice will need to use. If you are a Platinum+ client, Jim Moore will customize this new version of the Notice of Privacy Practices for your office at no cost. If you are interested, please contact your Compliance Adviser.