Notice of Privacy Practices: Required Elements
Direct treatment providers, including EDs, soon will be required to provide each patient with detailed information about their privacy practices. The notification must be written in plain language, and must contain the following elements:1
1. The prominently displayed phrase, "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
2. A description and at least one example of how the health care provider can use and disclose protected health information for the purposes of treatment, payment, and health care operations, and a description of how the health care provider can use and disclose protected health information without the patient’s consent or authorization. These descriptions must reflect any applicable laws more stringent than the Privacy Rule.
3. A statement that the health care provider will make other uses and disclosures only with the patient’s written authorization, and that the patient has the right to revoke authorization previously granted.
4. A statement advising the patient of the following rights:
- The right to request a restriction on uses and disclosures, including a statement that the health care provider need not comply with such requests.
- The right to receive confidential communications of protected health information, as well as the right to request and receive these communications via a specified mode.
- The right to inspect and copy certain protected health information.
- The right to amend protected health information.
- The right to receive an accounting of certain disclosures.
- The right to obtain a paper copy of the health care provider’s privacy practices notice upon request.
5. A statement that the health care provider is required by law to maintain the privacy of protected health information; that the health care provider must abide by the terms of its privacy practices notice; and, if the health care provider intends to modify its privacy practices, a statement that this right has been reserved.
6. A statement advising patients of the method by which they may complain about privacy violations to the health care provider and to the Secretary of Health and Human Services, and that privacy complaints will not cause retaliation.
7. The identity and telephone number of an individual or office that can provide additional information about the health care provider’s privacy practices.
8. The effective date of the notice.
Health care providers who intend to contact patients with appointment reminders, information about available health-related services, or fundraising requests must include separate statements to this effect in their notices.2 Privacy practices notices may be delivered via e-mail, but the patient retains the right to receive a paper version of the notice upon request or when the health care provider knows that electronic delivery has failed.3 Health care providers who post information about their services on a web site must display a privacy practices notice along with that information.4
References
1. See Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. § 164.520(b)(1) (2002).
2. See 45 C.F.R. § 164.520(b)(1)(iii).
3. See 45 C.F.R. § 164.520(c)(3)(ii).
4. See 45 C.F.R. § 164.520(c)(3)(i).