Notice of Privacy Practices

1. Notice of Privacy Practices Your HIPAA rules Ben Burton, JD, MBA, RHIA, CHP, CHC

2. Objectives • Who needs Notice of Privacy Practices (NPP) • How to create your NPP • Be able to use it • Internally • Externally • Compliments your existing compliance program • Tools

3. Who needs a NPP • §164.500   Applicability. • Covered entities • Clearinghouses? • When there is PHI some one needs a NPP

4. Notice vs. Consent • Consent • Requires agreement • Notice • Agreement not necessary

5. 45 CFR §164.520  • §164.520   Notice of privacy practices for protected health information. • Patient’s right • CE’s duty • Exceptions (not covered here) • Group health plans • Inmates

6. 45 CFR §164.520 (b) • Written in “plain language” • Think about your patients • First visit or soon after • Required elements • Header - “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.” • Required by law to provide notice • Will notify of substantive changes – changes apply to all PHI • Who they can contact regarding complaints • Contact information • Effective date

7. Uses and disclosures without a written authorization • Treatment, Payment, and Operations (TPO) exceptions • Maine – except in an emergency mental health notes disclosed outside “the office, practice or organizational affiliate” require patient authorization – not required to be in the NPP • Exceptions (HIE, treatment, and payment)

8. Uses and disclosures without a written authorization (cont.) • Other permissible uses without consent (cont.) • Law • Public health and welfare (protection and reporting) – examples: victims of crime, FDA, communicable diseases, etc. • Crime (limited) • Court order or subpoena • Other Care related • Treatment options • Benefits • Non- CE involved in care (with certain restrictions)

9. Uses and disclosures without a written authorization (cont.) • Other • Research • Healthcare oversight (e.g. Joint Commission) • To organizations attorney (to defend) • Immunizations (specific organizations, federal law requires consent) • General information (directory under HIPAA) • HIE (other information sharing) • Decease patient (medical examiner or corner) • Organ and tissue donation • Threats to health or safety • Work Comp. • Correctional institutions • Required by military (legally allowed) • National security (protect the President) • If engaged in the following • Fundraising (need to know about opt. out) • Health Plan only • Use of PHI for underwriting Exclude GINA for underwriting purposes

10. Patient Rights • List the rights and how to exercise the right • Rights • Request restrictions (Must agree in limited circumstances) • Receive confidential communications must comply with reasonable requests • Copies and inspect designated record set • Accounting of disclosures (non routine disclosures) • Paper copy of the notice • To complain • To complete an authorization • Notification of a Breach

11. Recommendations • Lead with what the patient wants to hear • This is to protect your privacy • Allows us to provide the best care • Include contact information multiple places • Want patients to call you with questions • Make sure you are available to answer questions promptly

12. Use NPP • Internally • ROI • Clinical staff • Externally

13. Used across departments • NPP should be used with compliance programs, etc. • Reference NPP • One NPP • Don’t duplication forms or P&Ps

14. Tools • http://www.ecfr.gov/cgi-bin/text-idx?SID=2fd6a3d8787d454df3fdabfb170bde47&node=se45.1.164_1520&rgn=div8 (45 CFR § 164.520) • http://www.mainelegislature.org/legis/statutes/22/title22sec1711-C.html (22 MRSA § 1711-C) • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html (hhs.gov notice of privacy practices) • http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html (FAQs)