Section 1. Required Components of the Privacy Notice
- The covered entity must state in the patient notification that it is obligated by law to protect the privacy of the patient and limit disclosures of protected health information.
- It must state that the covered entity is required to provide notice of their privacy practices, as well as state their legal obligation to adhere to protecting the patient's privacy as outlined therein.
- The notification should detail the manner in which the patient's protected health information will be used or transmitted by the covered entity.
- The notice must list the name and contact information of the individual responsible for fielding and resolving privacy complaints received by the covered entity.
Section 2. Notice of Privacy Practices Distribution
It is the responsibility of the covered entity to ensure that the privacy practices notice has been disseminated to all patients. Also, it is required that the covered entity provide a copy of its privacy practices to any party upon request.
Health care professionals with a "direct treatment relationship" to the patient, such as a doctor or psychologist, were required to have disseminated their privacy practice notification to patients by April 14, 2003.
To ensure that reasonable efforts are taken to broadcast the notice, the following guidelines should be met:
- Patients who are seen in person should be given a copy of the notice at the first service encounter.
- An automatic Web- or email-based copy of the notice should be furnished to those receiving electronic services from a covered entity.
- For services delivered by phone, a copy of the notice should be mailed to the patient immediately after the phone encounter.
- A copy of the privacy notice must be housed on any informational websites, or online treatment portals operated by the covered entity.
- In the case of an emergency, it is not practical to have the patient read the privacy notice before treatment. In this case, the patient should be provided with a copy of the privacy notice as soon as is realistic after treatment.
Joint Notice of Privacy Practices
Many health care providers operate within a medical group, or other organized health care facility, in which there are multiple practitioners. In this instance, the group can develop and distribute a joint privacy practice notice and be in compliance with the notification rules.
When issuing a joint notice, each practitioner is obligated to adhere to the policies outlined within, and to take responsibility for the protection of protected health information, as outlined in the joint privacy practices notification.
Health plans are also responsible for disseminating a privacy practices notice to members, detailing how they intend to use and safeguard their protected health information. Each plan has a specific compliance date and all members must be notified of the policy by that time.
When providing notice of its privacy practices, a health plan must ensure that:
- All new plan participants receive a copy of the privacy practices notice upon enrolling in the health plan
- The notice is addressed to the insured individual by name, which constitutes notice to any dependents listed with the health plan, such as a spouse or children.
Written Acknowledgment of Receipt From the Patient
In order to ensure receipt and review of the privacy practices notification, the covered entity should undertake efforts to secure written acknowledgment from the patient that they have read and understood the notice. This also serves as documentation of notification in the case of a patient complaint or audit by the U.S. Department of Health and Human Services.
The notice acknowledgment form is developed by the covered entity and contains language that affirms the patient's review and understanding of the information listed in the notice. If, for some reason, the covered entity is unable to secure acknowledgment from the patient, they are to thoroughly document the steps they took to notify the patient and the reason for the failure to retain written acknowledgment of receipt of the privacy notice. It is not required to attain a written acknowledgment from patients who are being treated on an emergency basis, as the circumstances usually do not allow it.
Food for Thought