• HIPAA and the Importance of a Notice of Privacy Practice

  • Let me share what a Notice of Privacy Practice (NPP) is, along with what my findings were at this recent visit to a specialist.

    An NPP is a document that the Health Insurance Portability and Accountability Act (HIPAA) requires to be provided to all new patients of a provider who is considered a “covered entity,” along with all returning patients when there has been a change to the NPP. The notice is intended to provide individuals information about their patient rights, any privacy issues or concerns, and how to exercise their rights.

    When checking into the surgery center, I was offered a mountain of paperwork. As the person provided an oral explanation of each document and I signed each one, I was then asked to sign the Acknowledgement that stated I had received the NPP. As I signed this Acknowledgement, I asked for a copy of their NPP.

    Of course, being the HIPAA Geek I am, I reviewed the Notice, only to discover many requirements missing.  “The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information.” 

    With the passing of the Final Rule (Omnibus Rule) of 2013, NPPs are to reflect the regulatory changes, such as the new patient right to access their electronic information held in an electronic health record (EHR), if their provider has an EHR in their practice. Additionally, all NPPs are to have been updated.

    Additional missing elements were:

    • 30-day requirement to provide medical records

    • 60-day requirement to provide written response for correction or amendment of medical record

    • No sale of Protected Health Information (PHI) or use in fundraising

    • Choose someone to act for you

    HHS and the Office for Civil Rights (OCR) announced their comprehensive audit protocol covering both the Privacy Rule and Security Rule in March of 2016. Below are some of those audit protocols which will be reviewed and addressed:  

    1. Notice of Privacy Practices for Protected Health Information (PHI)

    2. Rights to request privacy protection for PHI

    3. Access of individuals to PHI

    4. Administrative requirements

    5. Uses and disclosures of PHI

    6. Amendment of PHI

    7. Accounting of disclosures

    So, what better way to understand whether you have a compliant NPP than to review the U.S. Department of Health and Human Services (HHS) website, where model NPPs have been provided? * At least you can see what your current NPP may be missing, then update it before another HIPAA Geek visits your facility!

    * http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/

    Judith is an accredited Certified HIPAA Professional (CHP) and member of HIMSS. As the owner of JAL, Judith is your subject matter expert providing guidance to organizations within HIPAA, GLBA, False Claim and other regulatory agencies. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com.

    “Copyright” © JAL Consulting 2017