What should a notice of privacy practices include?
HIPAA Weekly Advisor, September 17, 2001
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What should a notice of privacy practices include?
A: Under HIPAA's Privacy Rules, covered entities are required to provide adequate notice of their privacy practices to affected individuals in the following instances:
Providers: when first giving service to a new patient
Health plans: when the privacy rule goes in effect to all subscribers, and subsequently when new subscribers enroll
Clearinghouses: when creating or receiving protected health information in a capacity other than that of a business associate
An adequate privacy notice must include all of the following:
- The required heading
- A statement of uses and disclosures
- A statement of individual rights
- A statement of the covered entity's duties
- An explanation of how to complain
- Required contract information
- Optional information if desired
The notice rule is rather long and complex. Before drafting a privacy notice, it is essential to read this section of the rule and the preamble. Here are some key points to keep in mind when you write your HIPAA privacy notice:
1. The notice must be "adequate."
Your notice will only be adequate if it meets all of the requirements of the rule, not just some of them. The rule is a set of minimums, not best practices.
2. You may need to draft more than one notice.
Covered entities that do business in multiple states must write a notice for each state because most states have different laws, and if those laws are more stringent than HIPAA, they must be followed.
Also, providers may need separate notices for separate lines of business. For example, an OB/GYN group may provide on-call coverage as part of an arrangement with a hospital and also run a private group practice. Here, the group might distribute one notice developed by the hospital and another notice for the private group.
For more tips on drafting a notice of privacy practices, see the September 2001 issue of Briefings on HIPAA.
Answered by Edward F. Shay, a partner in the national health law practice at the Philadelphia-based law firm of Post & Schell, P.C. Mr. Shay may be reached at eshay@postschell.com.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- HIPAA Q&A: Flu shot requirement for hospital employees
- Running an effective peer review committee meeting
- HealthDataInsights posts new issues for medical necessity claims
- Sneak Peek: Effort underway to establish caseload benchmarks
- Q/A: Coding for telescopic intraocular lens
- New FAQ posted on storing laryngoscope blades
- Tip: Perform your own internal investigation prior to government audit
- HIPAA 5010 deadline extended, but threat remains, says AMA
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- E-mailed
-
- Running an effective peer review committee meeting
- HIPAA Q&A: Flu shot requirement for hospital employees
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- Q/A: Coding for telescopic intraocular lens
- Q/A: Correct use of modifier -PT
- Tip: Correctly code bilateral pain management procedures
- "Wall fountains" may be spreading Legionnaires to patients, visitors
- 2012 CPT code changes for ASCs: Shoulder and knee scopes and pain management
- COT basics to best
- Searched