Policy Summary
This policy describes the Notice of Privacy Practices (NPP), the method of distribution, and documentation of distribution.
The HIPAA Privacy Rule and HITECH regulations require that covered health care providers that provide direct care distribute to all patients who they treat on or after April 14, 2003, a Notice of Privacy Practices that describes the provider’s uses and disclosures of protected health information, a patient’s rights with regard to their own protected health information, the provider’s duties with regard to the patient’s protected health information, the complaint process, a contact number, and the effective date of the Notice of Privacy Practices.
Policy Detail
- Each provider unit in the UW HCC will distribute a printed Notice of Privacy Practices to any patient who is treated on or after April 14, 2003. The Notice of Privacy Practices will include all of the information required by the HIPAA Privacy Rule:
- The Notice of Privacy Practices must contain the following statement as a header or otherwise predominantly displayed: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
- The Notice of Privacy Practices must contain:
- A description, including at least one example, of the types of uses and disclosures that the provider unit is permitted to make for each of the following: treatment, payment, or health care operations.
- A description of each of the other purposes for which the provider unit is permitted or required to use or disclose protected health information without the individual’s written authorization.
- If a use or disclosure for any purposes described above is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.
- For each purpose described above in A. or B., the description must include sufficient detail to place the individual on notice of the uses or disclosures that are permitted or required.
- A description of the uses and disclosures that require authorization, as follows:
- Psychotherapy Notes. Use or disclosure by the covered entity requires patient authorization except to carry out treatment, payment, or health care operations; to train mental health students or practitioners to improve their skills; to defend itself in a legal action; or for use by the originator for treatment.
- Marketing. Authorization is required for uses of protected health information for marketing except to communicate about treatment, care coordinator, or to describe a health-related product or service or payment for such included in the covered entity’s health plan. Authorization is required for disclosures of protected health information for remuneration made to another entity to market its services except to describe a drug or biologic already prescribed to the patient or for refill reminders.
- Sale of Protected Health Information. A covered entity must obtain authorization for any disclosure of protected health information in which the disclosure will result in remuneration to the covered entity.
- A statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with the individual’s written authorization and that the individual may revoke such authorization.
- If the provider unit intends to engage in any of the following activities, the description required above of the uses and disclosures the provider unit is permitted to make must include a separate statement, as applicable, that:
- The provider unit may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual;
- The provider unit may contact the individual to raise funds for the provider unit and the individual has the right to opt out of such communications.
- The Notice of Privacy Practices must include a statement about the individual’s rights with respect to protected health information, and a brief description of how to exercise such rights, to:
- Request restrictions on certain uses and disclosures including that the provider unit is not required to agree except when a disclosure is made for payment or health care operations and the protected health information at issue pertains to services paid in full by the patient.
- To receive confidential communications.
- To inspect and copy protected health information.
- To amend protected health information.
- To receive an accounting of disclosures.
- To receive a paper copy of the Notice of Privacy Practices.
- The Notice of Privacy Practices must contain:
- A statement that the provider unit is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information.
- A statement that the provider unit is required by law to notify affected individuals following a breach of unsecured protected health information.
- A statement that the provider unit is required to abide by the terms of the Notice of Privacy Practices currently in effect.
- A statement that the provider unit reserves the right to change the terms of its Notice of Privacy Practices and to make the new Notice of Privacy Practices provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
- The Notice of Privacy Practices must contain a statement that individuals may complain to the provider unit and to the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated, a brief description of how to file a complaint with the provider unit, and a statement that the individual will not be retaliated against for filing a complaint.
- The Notice of Privacy Practices must contain the name or title, and telephone number of a person or office to contact for further information.
- The Notice of Privacy Practices must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
- The Notice of Privacy Practices will ordinarily be handed to the patient or patient’s parent or guardian at the time of the first service on or after April 14, 2003, but it may be mailed or delivered by other means. In any event, the UW HCC must provide the notice within 24 hours of patient treatment.
Those UW HCC units in the UW ACE will distribute the joint ACE Notice of Privacy Practices.
- The UW HCC provider unit will provide the Notice of Privacy Practices document in either English or Spanish as the patient chooses. The notice may be translated to other languages as applicable.
- The UW HCC provider unit will document that the patient has received the Notice of Privacy Practices using the Acknowledgment for Receipt of Notice of Privacy Practices or the applicable Notice of Privacy Practices acknowledgment form for the joint ACE Notice of Privacy Practices. The UW HCC provider unit will maintain a record of this completed form in either paper or electronic image format. The UW HCC provider unit will document the completion of the acknowledgment form electronically wherever possible.
- Each UW HCC provider unit with a physical service delivery site will have the Notice of Privacy Practices available at the site for patients to request to take with them and will post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service will be able to read it.
- The UW HCC provider unit will revise its Notice of Privacy Practices whenever there is a material change to the uses or disclosures, the individual’s rights, the UW HCC provider unit’s legal duties, or other privacy practices stated in the notice. The Notice of Privacy Practices will be made available upon request on or after the effective date of the revision and posted as required in V. above.
- If the UW HCC provider unit has a website, the unit will post the Notice of Privacy Practices on its website and make the notice available electronically through the website.
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Supporting Tools
Additional information may be found at www.compliance.wisc.edu/hipaa.