Second, Notices of Privacy Practices must contain a statement of the patient’s rights with respect to his or her health information and how the patient can exercise these rights. Such rights include the right to 1) request restrictions on certain uses and disclosures of a patient’s health information; 2) receive confidential communications of a patient’s health information; 3) inspect and copy records containing a patient’s health information; 4) amend such records; 5) receive an accounting of disclosures of a patient’s health information; and 6) receive a paper copy of the Notice of Privacy Practices.
Third, Notices of Privacy Practices must identify the healthcare provider’s legal duties with respect to patients’ protected health information by including a statement that the healthcare provider is required by law to maintain the privacy of protected health information. A new change imposed by the Final Rules mandates that Notices of Privacy Practices include a statement that the healthcare provider notify the patient in the event of a breach of the patient’s unsecured protected health information.
Also, Notices of Privacy Practices must include a statement explaining how patients can submit complaints regarding their privacy rights, and whom patients can contact for more information about the healthcare provider’s privacy policies.
Implementing and Revising the Notice of Privacy Practices
Absent an emergency situation, healthcare providers with direct patient contact must make the Notice of Privacy Practices available to patients no later than when service is first delivered to the patient. Healthcare providers with a physical service delivery site must have the Notice of Privacy Practices available on-site and posted in a clear and prominent location. In addition, if the healthcare provider has a website that includes information about the services offered, the Notice of Privacy Practices must also be prominently posted on the website.
Whenever the Notice of Privacy Practices is revised, the healthcare provider must promptly distribute the updated version to patients. The Notice of Privacy Practices must be available to patients upon request on or after the effective date of the revision, and shall be available on-site at the facility and posted in a clear and prominent location. If a website is maintained, the updated Notice of Privacy Practices will also need to be posted on the website.
Healthcare providers are required to make a good faith effort to obtain a written acknowledgment from the patient that he or she received the Notice of Privacy Practices. If the Notice of Privacy Practices has been revised since the patient’s last written acknowledgment, a new written acknowledgment from the patient should be obtained. If a written acknowledgment is not obtained, the healthcare provider should document the good faith efforts to obtain the acknowledgment and the reason why it was not obtained.
