The notice of privacy practices (NPP) is a requirement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The NPP is a document that you as a HIPAA-covered provider must distribute to your patients. This notice fulfills a three-fold purpose:
- Describe to the patient the uses and disclosures your organization can make of their protected health information (PHI)
- Explain your organization’s legal responsibilities and privacy practices designed to protect PHI
- Inform patients of their individual rights to their PHI and how they can exercise those rights
What Goes in a Notice of Privacy Practices?
The NPP must prominently display this header:
“THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
In the body of the notice, you must include many statements about your organization’s responsibilities and the patient’s rights, including the following:
The Covered Entity’s Responsibilities
- Your organization is required by law to maintain the privacy of PHI
- Your organization must get patient authorization for uses and disclosures of psychotherapy notes, PHI for marketing purposes, and the sale of PHI
- Your organization must get patient authorization to use or disclose PHI for purposes not described in the NPP or permitted under the Privacy Rule
- [If applicable] Your organization intends to contact patients for appointment reminders, information about treatment alternatives, or other health-related benefits or services
- [If applicable] Your organization intends to contact patients for fundraising purposes
The Individual’s Rights
- The right to request restrictions on certain uses and disclosures of PHI
- The right to receive confidential communications of PHI
- The right to inspect and copy PHI
- The right to amend PHI
- The right to receive an accounting of disclosures
- The right to revoke an authorization
- The right to opt out of communications and fundraising from your organization
- The right to file a complaint with your organization or with the secretary of the Department of Health and Human Services (HHS)
- The right to be notified of a breach of unsecured PHI
See 45 CFR §164.520(b)(1) for a complete list of statements that you must include in your NPP.
In the notice, you should include contact information for someone patients can reach to learn more about your organization’s policies. Also include the notice’s effective date on the document. Your NPP shouldn’t predate September 2013, which was the compliance date for the HIPAA Omnibus Rule.
How Should You Design a Notice of Privacy Practices?
HHS provides NPP templates you can customize for your organization. There are three standard formats:
- Booklet (folded and stapled). HHS found that patients preferred this format, as booklets are approachable and portable.
- Layered design (first page summary of key rights, uses, and disclosures, followed by detailed description). A layered design is easier for patients to skim for key information.
- Full page (printed on 8½ x 11 inch paper). This is easier to assemble than a booklet.
When choosing a format and design, remember the purpose of the NPP is to make patients aware of their rights to their health information and your organization’s privacy practices. So, the notice should be user-friendly, accessible, and easy to understand. Consider some accessibility best practices:
- Use plain language that anyone can understand
- Translate the notice into frequently encountered languages, such as Spanish
- Provide alternate formats for patients with disabilities, such as large print, audio, or Braille
- Use high-contrast color to highlight key information and make the document easier to read
How Should You Distribute a Notice of Privacy Practices?
As a healthcare organization, you are legally required to provide a copy of your NPP to patients with whom you have a direct treatment relationship, as well as to anyone who requests a copy.
When a patient first presents for care, you must give them a copy of the NPP. You must also make a good faith effort to get a signature from the patient acknowledging that they have received a copy of the NPP. In an emergency treatment situation, supply the NPP and get the signature reasonably soon after the emergency is over. If the patient refuses to sign the acknowledgment, you must initial and date the acknowledgment and note why the patient refused to sign.
Additionally, if your organization has a website that provides information to customers, you must keep a copy of your NPP prominently on the website.
Some other great ways to distribute your NPP include:
- Hang larger laminated copies of the NPP in examination rooms and the waiting room, so patients can read it while waiting for their doctor
- Set a stack of printed copies of the NPP at point-of-service locations
- Email the NPP to patients who have agreed to electronic communications
When you change or revise your NPP, you must make the new copies available upon request and update your website to provide the revised NPP or information about how to obtain it. You do not need to redistribute the revised NPP to patients who have received a copy of the previous version.
The HIPAA Privacy Rule requires you to distribute a notice of privacy practices to every patient under your care. The NPP should make patients aware of their rights to their health information, how they can exercise those rights, and your organization’s responsibilities and practices designed to keep their information private.
Make sure you include all required statements, design the NPP for patients’ ease of use, and distribute it appropriately. Supply your staff members with copies of the NPP and make sure they understand their responsibilities.