§ 164.520 Notice of privacy practices for protected health information
Introductory Comment: For reasons that are near and dear to providers, this section on notice is critically important. It has, as far as we can tell, been universally adopted in some way, shape, or form by all providers. For some this section may encompass, to a large degree, what it means to be HIPAA compliant (an HHS auditor will certainly beg to differ). This section covers about 5 pages. Because of its importance, we make a more concerted effort at rigorous dissection. That said, we do not do it justice, and cannot within the objectives of this guide. At most, our analysis may prompt a provider to review their current notice to determine if it meets the notice requirements contained herein.
(a) Standard: notice of privacy practices.
(1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the Covered Entity, and of the individual's rights and the Covered Entity's legal duties with respect to protected health information.
(2) Exception for group health plans.
(3) Exception for inmates.
HIPAA Survival Guide Note
The general rule is contained in (1) with a couple of exceptions. Notice regarding uses and disclosures, as well as the CE's duties regarding PHI must be provided.
(b) Implementation specifications: Content of notice.
(1) Required elements. The Covered Entity must provide a notice that is written in plain language and that contains the elements required by this paragraph.
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed:
"THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
(ii) Uses and disclosures.
(iii) Separate statements for certain uses or disclosures.
(iv) Individual rights.
(v) Covered Entity's duties.
(vi) Complaints.
(vii) Contact.
(viii) Effective date.
HIPAA Survival Guide Note
There are a number of "technical" required elements that must be included in the notice. In addition, the mandate that the notice be written in plain language must likewise be honored, despite the fact that these objectives appear somewhat contradictory. In short, plain language does not mean that the required elements can be ignored. The result is that a compliant notice must be somewhat "legalistic" in nature (if not completely so). This is true despite the fact it will almost certainly make the notice more difficult for the "average" patient to digest.
(2) Optional elements.
HIPAA Survival Guide Note
A Covered Entity can decide to limit it uses and disclosure that it is entitled to make as long as it does so consistent with the rules. It would appear that a Covered Entity would want to have a strategic reason for imposing such limits, especially in light of the fact that it will have to live with whatever is contained in its notice. The obvious question is "why add additional complexity unless it is absolutely necessary?"
(3) Revisions to the notice.
HIPAA Survival Guide Note
The Covered Entity must promptly revise and distribute the notice whenever there is a material change to it. A material change might include changes to uses or disclosures, individual rights, the CE's legal duties, etc. Such revised notice may not be implemented prior to its effective date.
(c) Implementation specifications: Provision of notice. A Covered Entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.
HIPAA Survival Guide Note
For the sake of brevity the following sections are succinctly paraphrased. A provider is strongly encouraged to read the full text and/or seek advice of counsel. This is especially true since how notice is provided is integral to a successful compliance strategy.
(1) Specific requirements for health plans.
(2) Specific requirements for certain health care providers.
(i) Provide the notice: no later than the date of first service delivery and in emergency situations as soon as reasonably practicable.
(ii) Except in emergency situations, make a good faith effort to obtain a written acknowledgement of receipt of notice, and if not obtained document the good faith effort.
(iii) If the provider has a physical delivery site then the notice must be available for individuals to take with them and it should also be posted in a clear and prominent location.
(iv) Whenever the notice is revised, it must be made available upon request on or after its effective date.
HIPAA Survival Guide Note
Clearly the above necessitates having suitable processes in place and providing staff with appropriate training. In order to develop a "good story" the processes and training materials should be documented and "visible" to staff (e.g. in a practice Intranet). The required administrative processes are contained in §164.530. Needless to say the latter section should be used as a roadmap for what needs to be implemented.
(3) Specific requirements for electronic notice. A Covered Entity that maintains a website must make the notice prominently available on its website. A Covered Entity may provide notice via email if the individual has agreed to such notice and other requirements of this section are met.
(d) Implementation specifications: Joint notice by separate covered entities.
(e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section.
HIPAA Survival Guide Note
The notice requirement, as written, is considerably more complex than what many providers may conceive it to be. Providers, in light of recent legislation or simply by way of additional due diligence, should revisit their notice provision process. How notice is provided will likely be a prominent HHS audit point. We encourage providers to develop a plan for how to achieve HIPAA compliance and then methodically work the plan one section at a time; otherwise the sheer scope of the rules will overwhelm (we understand that you are likely already overwhelmed). The notice requirement is a good place to start a review.
Download our Free HIPAA Project Plan.