HIPAA and the Importance of a Notice of Privacy Practice
Let me share what a Notice of Privacy Practice (NPP) is along with what my findings were at this recent visit to a specialist.
An NPP is a document that the Health Insurance Portability and Accountability Act (HIPAA) requires be provided to all new patients of a provider who is considered a “covered entity,” along with all returning patients when there has been a change to the NPP. The notice is intended to provide individuals information about their patient rights, any privacy issues or concerns, and how to exercise their rights.
When checking into the surgery center, I was offered a mountain of paperwork. As the person provided an oral explanation of each document and I signed each, I was then asked to sign the Acknowledgement that stated I had received the NPP. As I signed this acknowledgment, I asked for a copy of their NPP.
Of course, being the HIPAA Geek I am, I reviewed the Notice, only to discover many requirements missing. “The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information.”
With the passing of the Final Rule (Omnibus Rule) of 2013, NPPs are to reflect the regulatory changes, such as the new patient right to access their electronic information held in an electronic health record (EHR), if their provider has an EHR in their practice. Additionally, all NPPs are to have been updated.
Additional missing elements were:
30-day requirement to provide medical records
60-day requirement to provide written response for correction or amendment of medical record
No sale of Protected Health Information (PHI) or use in fundraising
Choose someone to act for you
HHS and the Office for Civil Rights (OCR) announced their comprehensive audit protocol covering both the Privacy Rule and Security Rule in March of 2016. Below are some of those audit protocols which will be reviewed and addressed:
Notice of Privacy Practices for Protected Health Information (PHI)
Rights to request privacy protection for PHI
Access of individuals to PHI
Uses and disclosures of PHI
Amendment of PHI
Accounting of disclosures
So, what better way to understand whether you have a compliant NPP than to review the U.S. Department of Health and Human Services (HHS) website, where NPP models have been provided? At least you can see what your current NPP may be missing, then update it before another HIPAA Geek visits your facility!
Judith is an accredited Certified HIPAA Professional (CHP) and member of HIMSS. As the owner of JAL, Judith is your subject matter expert providing guidance to organizations within HIPAA, GLBA, False Claim and other regulatory agencies. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com.