Are we required to use a "layered" notice of privacy practices??
HIPAA Weekly Advisor, April 18, 2003
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: The final privacy changes mention a "layered" notice of privacy practices. Are we required to use one?
A: Covered entities, while encouraged to use a layered notice, are not required to do so.
According to Section 164.520 of the final privacy changes, a layered notice of privacy practices should contain the following:
- A short notice that briefly describes the entity's principal uses and disclosures of an individual's health information, as well as the individual's rights with respect to that information
- A longer notice, layered beneath the short notice, which contains all the elements required by the rule
Consider providing a short notice that touches on key points, along with the regular notice of privacy practices. Make the short notice the first page of the whole packet.
The short notice should use simple vocabulary and consist of no more than seven elements. It's not a summary. It gives key points. A short notice cannot be a legally compliant notice or a substitute for a long notice.
A short notice should include the following:
1. Preamble
Include an explanation of the short notice and reference to the complete notice.
2. Common uses and disclosures
List the following:
- Treatment, payment, or health care operations
- Research
- Public health uses
- Fundraising
- Marketing (or communications to inform about health-related products and services, and to recommend other treatments and health care providers, which are exempt from the definition of marketing)
- Required by law
3. Rights and choices
Facilities must allow patients to do the following:
- Have access to PHI
- Request amendments
- Receive an accounting of disclosures
- Have information delivered to an alternate address
- Ask that information not be shared with friends or family members
4. Other important information
This section is optional, but facilities may choose to provide more information on fundraising, marketing, or other aspects of the privacy rule.
5. Contact information
List three ways patients can contact the facility.
Editor's note: Adapted from the May 2003 issue of Briefings on HIPAA and answered by Lisa J. Sotto, Esq., partner at Hunton & Williams, in New York. Sotto is also director of the Center for Information and Policy Leadership's HIPAA Highlights Notice Project.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- HIPAA Q&A: Level of encryption needed for email
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- Hospitals are not bound by InterQual criteria for determining patient status
- ED-to-inpatient transfers are flawed with safety gaps
- Searched