Corporate Compliance

How often do you have to get patient signatures on the HIPAA Notice of Privacy? How often does a practice have to give a copy to the patient? Is it once per lifetime or every year or every visit?

Compliance Monitor, February 6, 2004

The basic answer is this: getting the patient acknowledgement (or documenting that you attempted to do so) must be done once only. This should be done at the first "encounter" with the individual, such as at the first visit, or at enrollment. If it is an emergency treatment situation, you should deliver the NPP and get the acknowledgement signed at the earliest time practicable following the emergency.

However, there are other conditions you must be aware of. There is an exception for indirect treatment providers, who provide health care services without direct contact with the patient. These providers do not need to get acknowledgements from all patients. They are only required to have their NPP available on request.

In addition to delivering the NPP at enrollment, health plans must remind all subscribers no less than every three years about the availability of the Notice, and how to obtain it. Health plans must also notify all subscribers of any material change in the NPP within 60 days of the change.

Health care providers with a direct treatment relationship and a "service delivery site" must not only have patients receive the NPP at the first service delivery, but also have the current NPP available on request, and a copy of it displayed.

Any provider with a web site that provides information about customer services or benefits, must have the NPP placed prominently on the site, and must deliver a copy electronically on request. If the first service delivery to a patient is provided electronically, the NPP must also be provided electronically at the same time.

This question was answered by Marion Neal, president of

Most Popular