Notice of Privacy Practices
Download
Report
Transcript Notice of Privacy Practices
Notice of Privacy Practices
Nebraska SNIP Privacy Subgroup July 18, 2002
Michael J. Brown, MHA, CPA
Vice-President, Administrative & Regulatory Affairs,
Children’s Healthcare Services
Standard - 45 CFR 164.520
“Except as provided by paragraph (a)(2) or (3)
(certain variations & exceptions for health plans
and correctional facilities), an individual has a
right to adequate notice of the uses and disclosures
of protected health information that may be made
by the covered entity, and of the individual’s rights
and the covered entity’s legal duties with respect
to protected health information”
Note: This presentation nor any of the information contained therein
constitutes legal advice; consult legal counsel for such advice.
Required Elements
Written in plain language.
Header with prescribed language - “This notice
describes how medical information about you may
be used and disclosed and how you can get access
to this information. Please review it carefully.”
Description with at least one example of the types
of uses and disclosures that the covered entity
(“CE”) is permitted to make for treatment,
payment & healthcare operations.
Required Elements(Cont.)
Description of each of the other purposes for
which the CE is permitted or required to use or
disclose PHI without the individual’s explicit
authorization.
A statement that other uses and disclosures will be
made only with the individual’s written
authorization and that the individual may revoke
such authorization.
Required Elements(Cont.)
Statement of the individual’s rights with respect to
their PHI and a brief description of how the
individual may exercise these rights, as follows:
–
–
–
–
Right to request restrictions on certain uses and
disclosures of PHI including a statement that the CE is
not required to agree to a requested restriction.
Right to receive confidential communications in a
certain way at a certain time.
The right to inspect and copy PHI.
The right to amend PHI.
Required Elements(Cont.)
Patient Rights(Cont.)
–
–
Right to receive an accounting of disclosures of PHI.
Right to receive a paper copy of the Privacy Notice
even if the individual has agreed to receive the notice
electronically.
Statement that the CE is required by law to
maintain the privacy of PHI and to provide
individuals with a notice of its legal duties and
privacy practice with respect to PHI.
Required Element(Cont.)
Statement that the covered entity is required to
abide by the terms of the notice currently in effect.
Statement that the CE reserves the right to change
the terms of the notice and to make the new notice
provisions effective for all PHI maintained.
Statement describing how the CE will provide
individuals with a revised notice.
Statement that individuals may file complaints
with the CE or the secretary of HHS if they
believe their privacy rights have been violated.
Required Elements(Cont.)
Description of how to file a complaint with the CE
and a statement that there will be no retaliation for
filing a complaint.
Name, or title and telephone number of a person
or office to contact for further information.
The date on which the notice is first in effect,
which may not be earlier than the date on which
the notice is printed or otherwise published.
Separate Statements for Certain
Uses & Disclosure
When applicable, separate statements are required
if:
–
–
–
The CE will be contacting individuals to provide
appointment reminders or information about treatment
alternatives or other health-related benefits and services
that may be of interest to the individual.
The CE will be contacting individuals to raise funds for
the CE.
If a group health plan, health insurer or HMO may
disclose PHI to the sponsor of the plan.
Notice Changes
CE must promptly revise and redistribute the
notice when there is a material change to:
–
–
–
–
Uses or disclosures of PHI.
Individual’s rights.
CE’s legal duties.
Other privacy practices stated in the notice.
Except when required by law, a material change to
any term of the notice may not be implemented
prior to the effective date of the notice in which
the change is reflected.
Implementation Specifications for CE’s
with a Direct Treatment Relationship
Provide the notice no later than the date of the first service
delivery including services delivered electronically.
Have the notice available at all physical service delivery sites
for individuals to request and keep.
Posting of the notice in a clear and prominent location where
it is reasonable to expect individuals seeking service to be
able to read.
Make a revised notice available upon request on or after the
effective date of the revision.
Document compliance by retaining copies of notices issued.
Electronic Notices
CE that maintains a website with information about
services or benefits must prominently post and make the
notice available through the website.
May be provided by e-mail if the individual agrees to
electronic notice and the agreement has not been
withdrawn.
If CE knows that e-mail failed, a paper copy of the notice
must be provided.
If first service delivery is electronic then notice must be
provided electronically.
Recipient of electronic notice retains the right to receive
written copy upon request.
Distribution &
Acknowledgement
Notice must be posted in clear and prominent
place and made available in all service delivery
locations. Make available as soon as practicable
in emergency situations.
March 2002 NPRM requires CE’s to make a good
faith effort to obtain an acknowledgement no later
than the first service delivery date.
Must document in writing the patient’s receipt of
the Notice or their efforts to obtain if patient
refuses to acknowledge.
Entity Structural Issues
Single Affiliated Covered Entity (ACE) - Legally
separate CE’s affiliated through common control
may designate themselves as an ACE.
–
–
–
–
Must meet common ownership or common control
tests.
Requires formal documented designation.
May have single privacy officer and may respond to
individual requests as a single entity.
Must use single combined Notice of Privacy Practices.
Entity Structural Issues
Organized Health Care Arrangement (OHCA) Clinically integrated health care setting where
individuals receive care from more than one
provider or organized system of health care in
which more than one CE participates and in which
the CE’s hold themselves out to the public as
participating in a joint arrangement and participate
in joint activities.
–
–
May use joint Notice of Privacy Practices
Each CE must designate its own Privacy Officer but
may share the same one.
OHCA Notice Requirements
CE’s participating in OHCA agree to abide by the
terms of the joint notice with respect to PHI
created or received as part of participation in the
OHCA. Medical Staff rule.
Notice describes with reasonable specificity the
CE’s or classes of CE’s to which the joint notice
applies.
Notice describes with reasonable specificity the
service delivery sites or classes of delivery sites to
which the joint notice applies.
OHCA Notice Requirements
Notice states that the CE’s participating in the
OHCA will share PHI with each other as
necessary to carry out treatment, payment or
health care operations relating to the OHCA.
Provision of a joint notice by any one of the CE’s
included in the OHCA will satisfy the distribution
requirement with respect to all others covered by
the joint notice.
References
HIPAA Privacy Final Rule Table - 45 CFR Sections 160 &
164.
AHIMA Practice Brief , Notice of Information Practices,
May 2001 - www.ahima.org/journal/pb
American Medical Association, HIPAA Notice of Privacy
Practices - www.ama-assn.org/ama/pub
Sample Notices of Privacy Practices - Children’s
Healthcare Services, BryanLGH Medical Center,
Methodist Health System, Tri-County Area Hospital