Your HIPAA rules
Ben Burton, JD, MBA, RHIA, CHP, CHC
Notice of Privacy Practices


Objectives
Who needs Notice of Privacy Practices (NPP)
How to create your NPP
Be able to use it
  Internally
  Externally
Complements your existing compliance program
Tools

Who needs a NPP
§164.500 Applicability.
Covered entities
Clearinghouses?
When there is PHI, someone needs a NPP

Notice vs. Consent
Consent
  Requires agreement
Notice
  Agreement not necessary

45 CFR §164.520
§164.520 Notice of privacy practices for protected health information.
Patient’s right
CE’s duty
Exceptions (not covered here)
  Group health plans
  Inmates

45 CFR §164.520(b)
Written in “plain language”
Think about your patients
First visit or soon after
Required elements
  Header - “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  Required by law to provide notice
  Will notify of substantive changes – changes apply to all PHI
  Who they can contact regarding complaints
  Contact information
  Effective date

Uses and disclosures without a written authorization
Treatment, Payment, and Operations (TPO) exceptions
  Maine – except in an emergency, mental health notes disclosed outside “the office, practice or organizational affiliate” require patient authorization – not required to be in the NPP
  Exceptions (HIE, treatment, and payment)

Uses and disclosures without a written authorization (cont.)
Other permissible uses without consent (cont.)
Law
  Public health and welfare (protection and reporting) – examples: victims of crime, FDA, communicable diseases, etc.
  Crime (limited)
  Court order or subpoena
Other
  Care related
  Treatment options
  Benefits
  Non-CE involved in care (with certain restrictions)

Uses and disclosures without a written authorization (cont.)
Other
  Research
  Healthcare oversight (e.g. Joint Commission)
  To organization's attorney (to defend)
  Immunizations (specific organizations, federal law requires consent)
  General information (directory under HIPAA)
  HIE (other information sharing)
  Deceased patient (medical examiner or coroner)
  Organ and tissue donation
  Threats to health or safety
  Work Comp.
  Correctional institutions
  Required by military (legally allowed)
  National security (protect the President)
If engaged in the following
  Fundraising (need to know about opt out)
  Health Plan only
    Use of PHI for underwriting
    Exclude GINA for underwriting purposes

Patient Rights
List the rights and how to exercise the right
Rights
  Request restrictions (must agree in limited circumstances)
  Receive confidential communications (must comply with reasonable requests)
  Copies and inspect designated record set
  Accounting of disclosures (non routine disclosures)
  Paper copy of the notice
  To complain
  To complete an authorization
  Notification of a Breach

Recommendations
Lead with what the patient wants to hear
  This is to protect your privacy
  Allows us to provide the best care
Include contact information multiple places
Want patients to call you with questions
Make sure you are available to answer questions promptly

Use NPP
Internally
  ROI
  Clinical staff
Externally
Used across departments
NPP should be used with compliance programs, etc.
Reference NPP
One NPP
Don’t duplicate forms or P&Ps

Tools

http://www.ecfr.gov/cgi-bin/text-idx?SID=2fd6a3d8787d454df3fdabfb170bde47&node=se45.1.164_1520&rgn=div8 (45 CFR § 164.520)

http://www.mainelegislature.org/legis/statutes/22/title22sec1711-C.html (22 MRSA § 1711-C)

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html (hhs.gov notice of privacy practices)

http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html (FAQs)