Deadline looms on updating HIPAA privacy materials

Physician practices are required to revise notices to patients that cover protection and use of their health information.

Posted Aug. 26, 2013.


As part of recent changes to the Health Insurance Portability and Accountability Act of 1996, physician groups are among those required to update a document called “Notices of Privacy Practices” by Sept. 23. Failure to have a notice reflecting new requirements is a violation of HIPAA and could result in fines and penalties.

The Office for Civil Rights of the Dept. of Health and Human Services issued a final rule in January implementing various provisions of the Health Information Technology for Economic and Clinical Health Act. The rule revised HIPAA, and included in that rule were requirements affecting notices.

A “Notice of Privacy Practice” is a written notice that physician groups, hospitals and others are required under HIPAA and the HITECH Act to provide to patients. It explains their rights about their health information and the privacy practices of the health care organization. Notices are intended to encourage patients to have discussions with their doctors and hospitals about these rights.

Health care organizations must provide patients with a notice that is written in plain language and includes several elements.

First, the notice should describe how the health care organization can use and disclose a patient’s protected health information. A change imposed by the final rule requires that notices include a description of certain types of uses and disclosures of protected health information that require an authorization.

That means notices must state explicitly that if a health care organization will use or disclose a patient’s information for marketing purposes or in a sales transaction, or if such health information includes psychotherapy notes, then the organization must first obtain an authorization from the patient. Further, the authorization must acknowledge explicitly that payment for the information is involved.

Second, the notice must contain a statement of the patient’s rights with respect to his or her health information and how the patient can exercise these rights. Such rights include requesting restrictions on certain uses and disclosures of a patient’s health information, receiving confidential communications of a patient’s health information, inspecting and copying records containing a patient’s health information, amending such records, receiving an accounting of disclosures of a patient’s health information, and getting a paper copy of the notice.

Third, the notice must identify the health care organization’s legal duties with respect to patients’ protected health information by including a statement that it is required by law to maintain the privacy of protected health information. A change imposed by the final rule mandates that notices include a statement that the health care organization notify the patient in the event of a breach of the patient’s unsecured protected health information.

Notices must include a statement explaining how patients can submit complaints about their privacy rights, and whom patients can contact for more information about the health care organization’s privacy policies.

How to distribute the notice

Absent an emergency situation, health care organizations with direct patient contact must make the notice available to patients no later than the date of the first service delivery. A physician group should post the notice in a clear and prominent location in the office and on the practice’s website, if it has one. Whenever the notice is revised, the revisions should be made available in the same ways.

Health care organizations are required to make a good-faith effort to obtain a written acknowledgement from the patient that he or she received the notice. If the notice has been revised since the patient’s last written acknowledgment, a new written acknowledgment from the patient should be obtained. If a written acknowledgement is not obtained, the health care organization should document the good-faith efforts to obtain the acknowledgment and the reason why it was not obtained.

Now is the time to get compliant. If you either do not have a Notice of Privacy Practices or have not updated your notice to include the changes mandated by the final rule, you must do so before the Sept. 23 deadline. A health attorney experienced in HIPAA and the HITECH Act can help create a notice or revise one, if a practice is unsure how it should look.

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession.

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn