Behavioral health practices are considered covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule requires CEs to distribute a Notice of Privacy Practices (NPP) to new patients upon intake. A Notice of Privacy Practices states how protected health information (PHI) may be used and disclosed. In addition, an NPP describes patients’ rights with regard to their PHI.
What is Included in a Notice of Privacy Practices?
HIPAA requires specific information to be included in a Notice of Privacy Practices. It must be written in plain language that patients can easily understand, and it must include the following:
- The statement must begin with: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
- How PHI will be used for treatment, payment, and healthcare operations.
- The circumstances in which patient authorization will be required to use or disclose PHI.
- The circumstances in which patient authorization will not be required to use or disclose PHI.
- The contact information of the office or person that patients can contact with questions or further information.
- The date on which the notice takes effect.
- A statement that notifies the patient that they have the right to revoke authorization.
Patients’ Rights to Their Information
Within the Notice of Privacy Practices, there must be a section that clearly states what rights a patient has with regard to their PHI.
- The right to request restrictions on certain uses and disclosures of PHI.
- The right to receive confidential communications of PHI, as permitted by law.
- The right to inspect and copy PHI.
- The right to amend PHI, as permitted by law.
- The right to receive an accounting of disclosures of PHI.
- The right of an individual to obtain a paper copy of the notice, upon request.
- The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated.
Covered Entities’ Obligations Regarding PHI
Lastly, the notice must state the covered entity’s responsibilities for maintaining the privacy of PHI.
- A statement that the covered entity is required by law to maintain the privacy of PHI.
- A statement that the covered entity must provide individuals with notice of its legal duties and privacy practices with respect to PHI.
- A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.
- A statement that the covered entity must abide by the conditions of the notice currently in effect.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.