The HIPAA Privacy Rule gives patients the right to be informed of 1) a provider’s privacy practices; and 2) their privacy rights regarding their personal health information (PHI). Providers, including therapy practices that are covered entities (CE), are subject to HIPAA and are required to develop and distribute a notice of privacy practices (NPP) that gives patients clear “notice” of those practices in an understandable fashion. The HHS website contains resources for providers detailing the required elements for the NPP, and also offers Model Notices of Privacy Practices. The model NPP contains the required information in several formats and allows the provider to enter practice-specific information.
HIPAA Privacy Rule – Make Sure Your Notice of Privacy Practices is Up-To-Date
The HIPAA Privacy and Security Rules were updated in 2013, requiring providers to update their NPP to be in compliance. Many patients, accustomed to being advised of their HIPAA privacy rights since 2002, may not attend to the detail of your NPP during the therapy registration process at your practice. Now is a good time to ensure that your practice has an updated NPP, that it is prominently posted in your clinic, and that it is on your website. Make sure that you have carefully reviewed all required sections in your NPP as well as your policies and procedures. You must inform patients of:
- Their rights concerning their health information
- Their choices, for certain health information, about what you can share
- Your uses and disclosures and how you typically use and share information
- Your responsibilities including changes to your NPP
We’ll have a blog post for each of the four required sections in the NPP. In the meantime, have you updated your NPP? Does it contain the 2013 required updates? Have you updated your HIPAA policies and procedures?