
Notice of Privacy Practices (2011 update)

This practice brief has been updated. See the latest version here. This version is made available for historical purposes only.

Editor's note: This update supplants the November 2002 practice brief "Notice of Privacy Practices."

Background

Timely, accurate, and complete health information must be collected, maintained, and made available to members of an individual's healthcare team so that members of the team can accurately diagnose and care for that individual.

Most consumers understand and have no objections to this use of their information. On the other hand, consumers may not be aware of the fact that their health information also may be used as a:

• Legal document describing the care rendered
• Verification of services for which the individual or a third-party payer is billed
• Tool in evaluating the adequacy and appropriateness of care
• Tool in educating health professionals
• Source of data for research
• Source of information for tracking disease so that public health officials can manage and improve the health of the nation
• Source of data for facility planning and marketing
• Business record of the organization's operations

Although consumers trust their caregivers to maintain the privacy of their health information, they are often skeptical about the security of their information when it is maintained electronically or disclosed to others. Increasingly, consumers want to be informed about which information is collected and to have some control over how their information is used. Federal rules require providers to notify patients of the full uses and protections of the information they collect. This practice brief outlines the federal requirements for notice of privacy practices (NPP).

Federal Requirements

In general, the federal Standards for Privacy of Individually Identifiable Health Information, also known as the Health Insurance Portability and Accountability Act (HIPAA) privacy rule (45 CFR Parts 160-164), require that, except for certain variations or exceptions for health plans [1] and correctional facilities, an individual has a right to receive adequate notice of how a covered entity may use and disclose his or her protected health information (PHI). The notice also must describe the individual's rights and the covered entity's legal duties with respect to that information.

A covered entity that is required to have a notice may not use or disclose PHI in a manner inconsistent with such notice. In general, the NPP must contain:

1. A header such as "THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
2. A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and healthcare operations
3. A description of each of the other purposes for which the covered entity is permitted or required to use or disclose PHI without the individual's written consent or authorization
4. A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization
5. When applicable, separate statements that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives and other health-related benefits and services that may be of interest to the individual; that the covered entity may contact the individual to raise funds for the covered entity; or that the group health plan, health insurance issuer, or health maintenance organization may disclose PHI to the sponsor of the plan
6. A statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise these rights, including:
   » The right to request restrictions on certain uses and disclosures as provided by 45 CFR 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction and (b) those services for which the individual has paid him- or herself
   » The right to receive confidential communications of PHI as provided by 164.522(b), as applicable
   » The right to inspect and copy PHI as provided by 164.524
   » The right to amend PHI as provided in 164.526
   » The right to receive an accounting of disclosures as provided in 164.528
   » The right to obtain a paper copy of the notice upon request as provided in 164.520
7. A statement that the covered entity is required by law to maintain the privacy of PHI and to provide individuals with a notice of its legal duties and privacy practices with respect to PHI
8. A statement that the covered entity is required to abide by the terms of the notice currently in effect
9. A statement that the covered entity reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains
10. A statement describing how the covered entity will provide individuals with a revised notice
11. A statement that individuals may complain to the covered entity and to the Secretary of Health and Human Services if they believe their privacy rights have been violated; a brief description of how one files a complaint with the covered entity; and a statement that the individual will not be retaliated against for filing a complaint
12. The name or title and the telephone number of a person or office to contact for further information
13. An effective date, which may not be earlier than the date on which the notice is printed or otherwise published

A covered healthcare provider with a direct treatment relationship with an individual must:

• provide the notice no later than the date of the first service delivery, including service delivered electronically, or in an emergency treatment situation, as soon as reasonably practicable after the emergency situation;
• have the notice available at the service delivery site for individuals to request and take with them;
• post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read the notice;
• when e-mailing the notice, provide a paper copy if the transmission fails;
• except in emergency situations, make a good faith effort to obtain written acknowledgment of receipt and, as appropriate, document good faith efforts and reasons why the acknowledgment could not be obtained;
• if providing notices electronically, capture the individual's acknowledgment of receipt electronically in response to that transmission;
• promptly revise and distribute the notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice;
• post the notice prominently on the Web site, if one is maintained;
• if providing care to its workforce related to medical surveillance, work-related illness, or injury, provide a written notice to individuals seeking such care at the time care is provided; and
• document compliance with the notice requirements by retaining copies of the notices issued and acknowledgments received.

See appendix A for sample NPP.

Copyright © 2011 by The American Health Information Management Association. All Rights Reserved.
Privacy Act of 1974 and Related Laws

The Privacy Act of 1974 (as amended) requires that federal agencies or organizations that collect and maintain information on behalf of the federal government provide individuals with an NPP. This notice must identify:

• The statute or order that authorizes the government to solicit the information and whether provision of the information is mandatory or voluntary
• The principal purposes for which the information is intended to be used
• The routine uses of the information

The notice may be written on the form on which the information is solicited or on a separate form that can be kept by the individual.

Confidentiality of Drug and Alcohol Patient Records

The Confidentiality of Alcohol and Drug Abuse Patient Records rules establish the following notice provisions for patients of federally assisted drug or alcohol abuse programs. At the time of admission or as soon thereafter as the patient is capable of rational communication, each substance abuse program must communicate to the patient that federal law and regulations (42 CFR, Chapter 1, Part 2) protect the confidentiality of alcohol and drug abuse patient records.

The program must also provide the patient with a written summary of the federal law and regulations that includes:

• A general description of the limited circumstances under which a program may acknowledge that an individual is present at a facility or disclose outside the program information identifying a patient as an alcohol or drug abuser
• A statement that violation of the federal law and regulations by a program is a crime and that suspected violations may be reported to appropriate authorities in accordance with these regulations
• A statement that information related to a patient's commission of a crime on the premises of the program or against personnel of the program is not protected
• A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected
• A citation to the federal law and regulations

The program may devise its own notice or use the sample provided by the federal government. In addition, the program may include in the written summary information concerning state law and any program policy not inconsistent with state and federal law on the subject of confidentiality of alcohol and drug abuse patient records.

HITECH Act of 2009

The HITECH Act of 2009 has the potential to affect the content of the NPP. At the time this brief was revised, final rules enacting the provisions had not been published. However, HITECH modifies HIPAA in the following ways:

• Allows patients to request restrictions of disclosure of their PHI to a health plan if they pay in full for the items or services out of pocket
• Requires organizations that use electronic health records to provide individuals with an accounting of disclosure for treatment, payment, or healthcare operations. The accounting must cover the preceding three years
• Requires organizations that use electronic health records to provide patients with PHI in electronic format upon request
• Increases requirements and restrictions related to marketing and fund raising and prohibits the sale of an individual's PHI unless covered by a valid authorization or limited exception

Further, HITECH requires the Department of Health and Human Services to issue guidance on what constitutes "minimum necessary" under HIPAA.

Recommendations

The following steps are recommended to develop and maintain an NPP.

• Identify applicable notice requirements in both federal and state law.
• Collect sample notices from associations and other organizations.
• Annually identify the way information is used and disclosed in your organization and ensure that these types of uses are reflected in the NPP.
• Determine participation in shared electronic health record arrangements or health information exchanges and include this information in the notice. If so, the organized healthcare arrangement may have a joint NPP.
• Ensure an individual or department serves as an initial point of contact for individuals requesting additional information or who would like to file a complaint relative to information privacy practices.
• Communicate material changes in the notice to the organizational staff.
• Identify which acknowledgment option is best for the organization, that is, leave space for the acknowledgment on the notice or on a separate form.
• Place a copy of the current notice in the individual's health record with the individual's acknowledgment.
• Refer to legal counsel when appropriate.
• Ensure organization-wide policies and procedures relative to the notice are reviewed annually.
• Post the notice and make copies available for distribution where notice acknowledgments are obtained.
• Implement and monitor compliance.
Prepared by

Patricia Cunningham, MS, RHIA

Acknowledgments

Nancy Davis, RHIA
Angela Dinh, MHA, RHIA, CHPS
Julie Dooling, RHIT
Lisa Fink, MBA, RHIA, CPHQ
Margaret Foley, PhD, RHIA, CCS
Gwen Jimenez, RHIA
Peg Schmidt, RHIA
Heidi VanLaecken
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR

Prepared by (original)

Gwen Hughes, RHIA

Acknowledgments (original)

Mary Brandt, MBA, RHIA, CHE, CHP
Jill Burrington-Brown, MS, RHIA
Jill Callahan Dennis, JD, RHIA

References

AHIMA. "Redisclosure of Patient Health Information (Updated)." Journal of AHIMA 80, no. 2 (Feb. 2009): 51-54.

American Health Information Management Association, American Medical Informatics Association. "Handling Complaints and Mitigation (Updated)." Journal of AHIMA (Updated June 2010).

Heubusch, Kevin. "Too Much Privacy? OCR Proposes Easing Protections on Decedent Records." Journal of AHIMA 81, no. 9 (Sept. 2010): 50-51.

HITECH Act Regulations, 41 CFR: Parts 412, 413, 422 and 105 and 45 CFR: Subtitle A Subchapter D.

http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f%3Ah1enr.txt.pdf

Federal Trade Commission. Privacy Act of 1974; 5 USC, Section 552A; 16 CFR Part 313; Privacy of Consumer Financial Information; Final Rule; Federal Register 65, no. 101 (May 24, 2000).

Public Health Service, Department of Health and Human Services. "Confidentiality of Alcohol and Drug Abuse Patient Records." Code of Federal Regulations, 2000. 42 CFR, Chapter I, Part 2. http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=/ecfrbrowse/Title42/42cfr2_main_02.tpl

Rode, Dan. "Keeping HITECH in Context: Flurry of Regulation Fits within a Larger, More Familiar Picture." Journal of AHIMA 81, no. 10 (Oct. 2010): 18-20.

45 CFR Parts 160 and 164; Standards for Privacy of Individually Identifiable Health Information: Final Rule; Federal Register 67, no. 157 (Aug. 14, 2002). http://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf

45 CFR Parts 160 and 164; HIPAA Administrative Simplification: Standards for Privacy of Individually Identifiable Health Information: Final Rule; Federal Register 74, no. 193 (Oct. 7, 2009). http://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf

Notes

1. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires health plans that use or disclose PHI for underwriting to include a statement in their NPP making clear that they are prohibited from using or disclosing PHI that is genetic information about an individual for such purposes.

Article citation: AHIMA. "Notice of Privacy Practices (2011 update)." (Updated February 2011).