Behavioral health practices are considered covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule requires CEs to distribute a Notice of Privacy Practices (NPP) to new patients upon intake. A Notice of Privacy Practices describes how protected health information (PHI) may be used and disclosed. In addition, an NPP describes patients’ rights regarding their PHI.
What is Included in a Notice of Privacy Practices?
HIPAA requires specific information to be included in a Notice of Privacy Practices. It must be written in plain language that patients can easily understand, and it must include the following:
- The statement must begin with: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
- How PHI will be used for treatment, payment, and healthcare operations.
- The circumstances in which patient authorization will be required to use or disclose PHI.
- The circumstances in which patient authorization will not be required to use or disclose PHI.
- Contact information for the office or person patients can reach with questions or requests for further information.
- The date on which the notice takes effect.
- A statement that notifies the patient that they have the right to revoke authorization.
Patient Rights to their Information
Within the Notice of Privacy Practices, there must be a section that clearly states what rights a patient has regarding their PHI.
- The right to request restrictions on certain uses and disclosures of PHI.
- The right to receive confidential communications of PHI, as permitted by law.
- The right to inspect and copy PHI.
- The right to amend PHI, as permitted by law.
- The right to receive an accounting of disclosures of PHI.
- The right of an individual to obtain a paper copy of the notice, upon request.
- The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated.
Covered Entities’ Obligations Regarding PHI
Lastly, the statement must include the covered entity’s responsibilities regarding maintaining the privacy of PHI.
- A statement that the covered entity is required by law to maintain the privacy of PHI.
- A statement that the covered entity must provide individuals with notice of its legal duties and privacy practices with respect to PHI.
- A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.
- A statement that the covered entity must abide by the conditions of the notice currently in effect.