Deadline looms on updating HIPAA privacy materials
■ Physician practices are required to revise notices to patients that cover protection and use of their health information.
As part of recent changes to the Health Insurance Portability and Accountability Act of 1996, physician groups are among those required to update a document called “Notices of Privacy Practices” by Sept. 23. Failure to have a notice reflecting new requirements is a violation of HIPAA and could result in fines and penalties.
The Office for Civil Rights of the Dept. of Health and Human Services issued a final rule in January implementing various provisions of the Health Information Technology for Economic and Clinical Health Act. The rule revised HIPAA, and included in that rule were requirements affecting notices.
A “Notice of Privacy Practice” is a written notice that physician groups, hospitals and others are required under HIPAA and the HITECH Act to provide to patients. It explains their rights about their health information and the privacy practices of the health care organization. Notices are intended to encourage patients to have discussions with their doctors and hospitals about these rights.
Health care organizations must provide patients with a notice that is written in plain language and includes several elements.
First, the notice should describe how the health care organization can use and disclose a patient’s protected health information. A change imposed by the final rule requires that notices include a description of certain types of uses and disclosures of protected health information that require an authorization.
That means notices must state explicitly that if a health care organization will use or disclose a patient’s information for marketing purposes or in a sales transaction, or if such health information includes psychotherapy notes, then the organization must first obtain an authorization from the patient. Further, the authorization must acknowledge explicitly that payment for the information is involved.
Second, the notice must contain a statement of the patient’s rights with respect to his or her health information and how the patient can exercise these rights. Such rights include requesting restrictions on certain uses and disclosures of a patient’s health information, receiving confidential communications of a patient’s health information, inspecting and copying records containing a patient’s health information, amending such records, receiving an accounting of disclosures of a patient’s health information, and getting a paper copy of the notice.
Third, the notice must identify the health care organization’s legal duties with respect to patients’ protected health information by including a statement that it is required by law to maintain the privacy of protected health information. A change imposed by the final rule mandates that notices include a statement that the health care organization notify the patient in the event of a breach of the patient’s unsecured protected health information.
Notices must include a statement explaining how patients can submit complaints about their privacy rights, and whom patients can contact for more information about the health care organization’s privacy policies.
How to distribute the notice
Absent an emergency situation, health care organizations with direct patient contact must make the notice available to patients no later than the date of the first service delivery. A physician group should post the notice in a clear and prominent location in the office and on the practice’s website, if it has one. Whenever the noticed is revised, the revisions should be made available in the same ways.
Health care organizations are required to make a good-faith effort to obtain a written acknowledgement from the patient that he or she received the notice. If the notice has been revised since the patient’s last written acknowledgment, a new written acknowledgment from the patient should be obtained. If a written acknowledgement is not obtained, the health care organization should document the good-faith efforts to obtain the acknowledgment and the reason why it was not obtained.
Now is the time to get compliant. If you either do not have a Notice of Privacy Practices or have not updated your notice to include the changes mandated by the final rule, you must do so before the Sept. 23 deadline. A health attorney experienced in HIPAA and the HITECH Act can help create a notice or revise one, if a practice is unsure how it should look.