NOTICE OF PRIVACY PRACTICES
For Protected Health Information
Background
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information.
Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.
How the Rule Works
General Rule
The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information.
The Privacy Rule does not require the following covered entities to develop a notice:
- Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity.
- A correctional institution that is a covered entity.
- A group health plan that provides benefits only through one or more contracts of insurance and does not create or receive protected health information other than summary health information or enrollment/disenrollment information.
Content of the Notice
Covered entities are required to provide a notice in plain language that describes:
- How the covered entity may use and disclose protected health information.
- The individual’s rights and how to exercise them, including how to file a complaint.
- The covered entity’s legal duties, including the obligation to maintain the privacy of protected health information.
- Whom individuals can contact for further information.
The notice must include an effective date. Covered entities must revise and redistribute the notice when privacy practices materially change.
Providing the Notice
- Must be available to anyone upon request.
- Must be posted prominently on any website maintained by the entity that discusses services or benefits.
Health Plans Must:
- Provide the notice to current enrollees by April 14, 2003 (or April 14, 2004 for small plans).
- Provide the notice to new enrollees upon enrollment.
- Distribute revised notices within 60 days of material revisions.
- Notify individuals every three years of the notice’s availability and how to obtain it.
Covered Direct Treatment Providers Must:
- Provide the notice no later than the date of first service delivery.
- Make a good faith effort to obtain written acknowledgment of receipt (if acknowledgment is not obtained, document the effort and the reason).
- Send an electronic notice automatically when services are initiated online or by email.
- Provide notice as soon as practicable after emergency treatment situations.
- Post the latest notice in a prominent location and make it available at the facility.
A notice may be emailed to an individual if they agree to receive it electronically.
Organizational Options
- Covered entities may issue multiple notices for different covered functions.
- Entities in an organized health care arrangement may produce a joint notice if certain criteria are met.
Frequently Asked Questions
To see Privacy Rule FAQs, visit:
(You can also go to http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php, then select “Privacy of Health Information/HIPAA” from the Category drop-down list and click the Search button.)