Advanced Search

Health Information Compliance Alert

HIPAA Privacy:

NOTICES REAM PROVIDERS, DEMAND REAMS OF PAPER

Published on Sun Sep 01, 2002

Providers, the final privacy rule is in the books, and now is the best time to evaluate what's required of you with regard to the notice of privacy practices and tuning up for the tome of HHS' list of requirements isn't going to be a walk in the park.

Under the Health Insurance Portability and Accountability Act's privacy rule, the Department of Health and Human Services requires covered entities to provide every patient with a notice of privacy practices and obtain written acknowledgement from each patient that she has received the document.

And HHS isn't giving providers much leeway on what they have to include in the privacy practices notice, which likely will run at least 12 pages in length,according to attorney John Gillil and with Gilliland & Caudill in Indianapolis.

HHS has issued the following list of what physicians and other covered entities must include in the document:

  • A boldfaced heading that reads, "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."

  • A description, including at least one example for each category, of how information is used and disclosed for treatment, payment and health care operations purposes.

  • A description of other situations in which the practice might use or disclose patient information without authorization. This requirement, and the one above it, must also reflect any state laws that are more stringent than HIPAA, notes attorney Larri Short with Washington-based Arent Fox Kintner Plotkin & Kahn.

  • A statement that certain protected health information (PHI) will be used for fundraising purposes, if applicable (This requirement will not apply to most physician practices).

  • If applicable, a statement that the provider may contact the patient for appointment reminders or information about treatment alternatives or other health-related benefits or services.

  • A statement that other uses and disclosures of PHI will be made only with the individual's written authorization.

  • An explanation of the patient's right to revoke an authorization at any time, access and copy records, request restrictions on uses and disclosures of PHI, request confidential communications, request amendments to records, obtain an accounting of certain disclosures, and obtain a paper copy of the notice of privacy practices upon request.

  • A statement that the practice is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices.

  • A statement that the practice is required to abide by the terms of the notice currently in effect.

  • A statement that the practice reserves the right to change its privacy practices and the terms of its privacy notice at any time and to make the new practices and notice provisions effective for all PHI that it maintains (i.e., even that collected under prior policies). "This statement is particularly important," Short emphasizes. "Without it, the law requires PHI to be segregated and treated in accordance with the privacy policies in effect when it was collected."

  • An explanation of the patient's right to enter privacy complaints, along with contact information at both the practice and at HHS.

  • A statement that the practice will not retaliate against individuals who enter privacy complaints.

  • A contact person at the practice for questions and additional information about privacy practices.

    "Given the length of the laundry list, it's obvious that the notice cannot be a short document," notes Short. Nor can practices take a cookie-cutter approach to developing this document, she says. The notice has to reflect what actually goes on in your particular practice, and should not be filled with generic language.

    That means practices should develop their notice of privacy practices toward the end of their HIPAA compliance efforts, says Gilliland. Even though HHS has told providers what to include in the notice, you can't "fine-tune it until you know what your policies and practices are," he points out. "You need to get all your own policies in place and then finalize the notice."

    And you must give a copy to each patient individually, post a copy in an area where patients will see it (such as the waiting room) and post it on your Web site if you have one, Gilliland continues. He recommends printing the notice front-and-back to cut down on paper costs.

    And it's best not to bother with professional printing, Gilliland offers. The document will change as your policies and procedures change, so there's no sense in shelling out extra money for professionally printed documents that might be rendered useless before you get rid of them all, Gilliland explains. "This is something that lends itself to being put together in your word processor and printing out copies as you need them."

    While HHS has been very specific about what providers must include in the notice, don't feel limited to just the required elements. The privacy practices notice can double as a public relations or teaching tool, offers attorney Robyn Meinhardt with Foley & Lardner in Denver.

    For example, disclosure of PHI to law enforcement officials might be a particular concern in a community with a high population of migrant workers, Meinhardt notes. If that's the case, the notice of privacy practices could "take special pains to spell out the facility's approach to disclosing PHI to law enforcement and the protections in place that work to limit those disclosures," she says.

    And keep in mind that the HHS Office of Civil Rights requires health care providers to accommodate non-English speaking patients.

    For practices looking to keep the page count as low as possible, "putting the bare minimum information required by the rules is a viable approach, albeit not one that the regulators encourage," Meinhardt says.

    Finally, make sure the people responsible for distributing the notice in your practice are familiar enough with its contents to answer any questions a patient might have, Short concludes.

    Go The Extra Mile When Tracking Notices

    According to Tom Grove, a principal at Phoenix Health Systems, most providers that have a direct treatment relationship are planning to distribute their notice of privacy practices like many other required documents they distribute at the point of registration. "Along with signing in and signing a consent for treatment for the hospital to submit information for payment, [patients] receive a handful of other documents [hospitals] are required to give them," he said in a Sept. 25 audio conference.

    Most hospitals that Grove has spoken to are planning to implement exactly this type of arrangement with the notice of privacy practices. "The key decision, of course, is whether or not [providers] track whether the notice has been received, and only give it to patients who need to receive it, or whether they give it to every patient at every registration each time."

    Grove says the key discriminator on how organizations are making that decision depends on the presence of a convenient tracking mechanism. In a physician's office, for example, where a chart is handy, paper tracking works well, he notes, since health care staffers can look inside the chart and see if the signed acceptance of the notice is there. If it's there, you don't need to give one out, Grove explains.

    But Grove admits that sometimes there isn't a convenient way to do that tracking. In those cases, he says most hospitals choose to hand out the notice of privacy practices each time. "That seems to solve the problem," explains Grove. "The signed acknowledgement can take any form that the organization chooses."

    And if entities are thinking about that signed acknowledgment as a piece of paper, anything smaller than a half a page is probably too small and will get lost within the charts, he advises.

    Additionally, "if you're counting on that acknowledgement as a visual sign that a notice has been signed, then perhaps that page would be some color to make it clearly distinctive within the pile of paper that makes up the chart," he notes.

    • Other Articles in this issue of

    Health Information Compliance Alert

    View All