HIPAA Violations, Notice of Privacy Practices

How to Think About Your HIPAA Notice of Privacy Practices

MARLENE MAHEU

December 4, 2019 | Reading Time: 2 Minutes

 426

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

Behavioral health practices are considered covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule requires CEs to distribute a Notice of Privacy Practices (NPP) to new patients upon intake. A Notice of Privacy Practices dictates how protected health information (PHI) can be used and disclosed. In addition an NPP describes patients’ rights in regards to their PHI.

What is Included in a Notice of Privacy Practices?

HIPAA requires specific information to be included in a Notice of Privacy Practices. It must be written in a clear manner, that can be easily understood by patients, and must include the following:

The statement must begin with: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
How PHI will be used for treatment, payment, and healthcare operations.
The circumstances in which patient authorization will be required to use or disclose PHI.
The circumstances in which patient authorization will not be required to use or disclose PHI.
The contact information of the office or person that patients can contact with questions or further information.
The date in which the notice is effective.
A statement that notifies the patient that they have the right to revoke authorization.

Patient Rights to their Information

Within the Notice of Privacy Practices, there must be a section that clearly states what rights a patient has in regards to their PHI.

The right to request restrictions on certain uses and disclosures of PHI.
The right to inspect and copy PHI.
The right to amend PHI, as permitted by law.
The right to receive an accounting of disclosures of PHI.
The right of an individual to obtain a paper copy of the notice, upon request.
The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated.

Covered Entities Obligations in Regards to PHI

Lastly, the statement must include the covered entity’s responsibilities in regards to maintaining the privacy of PHI.

A statement that the covered entity is required by law to maintain the privacy of PHI.
A statement that the covered entity must provide individuals with notice of its legal duties and privacy practices with respect to PHI.
A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.
A statement that the covered entity must abide by the conditions of the notice currently in effect.

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.