180 likes | 311 Views
Notice of Privacy Practices. Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs, Children’s Healthcare Services. Standard - 45 CFR 164.520.
E N D
Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs, Children’s Healthcare Services
Standard - 45 CFR 164.520 • “Except as provided by paragraph (a)(2) or (3) (certain variations & exceptions for health plans and correctional facilities), an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information” • Note: This presentation nor any of the information contained therein constitutes legal advice; consult legal counsel for such advice.
Required Elements • Written in plain language. • Header with prescribed language - “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.” • Description with at least one example of the types of uses and disclosures that the covered entity (“CE”) is permitted to make for treatment, payment & healthcare operations.
Required Elements(Cont.) • Description ofeach of the other purposes for which the CE is permitted or required to use or disclose PHI without the individual’s explicit authorization. • A statement that other uses and disclosures will be made only with the individual’s written authorization and that the individual may revoke such authorization.
Required Elements(Cont.) • Statement of the individual’s rights with respect to their PHI and a brief description of how the individual may exercise these rights, as follows: • Right to request restrictions on certain uses and disclosures of PHI including a statement that the CE is not required to agree to a requested restriction. • Right to receive confidential communications in a certain way at a certain time. • The right to inspect and copy PHI. • The right to amend PHI.
Required Elements(Cont.) • Patient Rights(Cont.) • Right to receive an accounting of disclosures of PHI. • Right to receive a paper copy of the Privacy Notice even if the individual has agreed to receive the notice electronically. • Statement that the CE is required by law to maintain the privacy of PHI and to provide individuals with a notice of its legal duties and privacy practice with respect to PHI.
Required Element(Cont.) • Statement that the covered entity is required to abide by the terms of the notice currently in effect. • Statement that the CE reserves the right to change the terms of the notice and to make the new notice provisions effective for all PHI maintained. • Statement describing how the CE will provide individuals with a revised notice. • Statement that individuals may file complaints with the CE or the secretary of HHS if they believe their privacy rights have been violated.
Required Elements(Cont.) • Description of how to file a complaint with the CE and a statement that there will be no retaliation for filing a complaint. • Name, or title and telephone number of a person or office to contact for further information. • The date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
Separate Statements for Certain Uses & Disclosure • When applicable, separate statements are required if: • The CE will be contacting individuals to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual. • The CE will be contacting individuals to raise funds for the CE. • If a group health plan, health insurer or HMO may disclose PHI to the sponsor of the plan.
Notice Changes • CE must promptly revise and redistribute the notice when there is a material change to: • Uses or disclosures of PHI. • Individual’s rights. • CE’s legal duties. • Other privacy practices stated in the notice. • Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which the change is reflected.
Implementation Specifications for CE’swith a Direct Treatment Relationship • Provide the notice no later than the date of the first service delivery including services delivered electronically. • Have the notice available at all physical service delivery sites for individuals to request and keep. • Posting of the notice in a clear and prominent location where it is reasonable to expect individuals seeking service to be able to read. • Make a revised notice available upon request on or after the effective date of the revision. • Document compliance by retaining copies of notices issued.
Electronic Notices • CE that maintains a website with information about services or benefits must prominently post and make the notice available through the website. • May be provided by e-mail if the individual agrees to electronic notice and the agreement has not been withdrawn. • If CE knows that e-mail failed, a paper copy of the notice must be provided. • If first service delivery is electronic then notice must be provided electronically. • Recipient of electronic notice retains the right to receive written copy upon request.
Distribution & Acknowledgement • Notice must be posted in clear and prominent place and made available in all service delivery locations. Make available as soon as practicable in emergency situations. • March 2002 NPRM requires CE’s to make a good faith effort to obtain an acknowledgement no later than the first service delivery date. • Must document in writing the patient’s receipt of the Notice or their efforts to obtain if patient refuses to acknowledge.
Entity Structural Issues • Single Affiliated Covered Entity (ACE) - Legally separate CE’s affiliated through common control may designate themselves as an ACE. • Must meet common ownership or common control tests. • Requires formal documented designation. • May have single privacy officer and may respond to individual requests as a single entity. • Must use single combined Notice of Privacy Practices.
Entity Structural Issues • Organized Health Care Arrangement (OHCA) - Clinically integrated health care setting where individuals receive care from more than one provider or organized system of health care in which more than one CE participates and in which the CE’s hold themselves out to the public as participating in a joint arrangement and participate in joint activities. • May use joint Notice of Privacy Practices • Each CE must designate its own Privacy Officer but may share the same one.
OHCA Notice Requirements • CE’s participating in OHCA agree to abide by the terms of the joint notice with respect to PHI created or received as part of participation in the OHCA. Medical Staff rule. • Notice describes with reasonable specificity the CE’s or classes of CE’s to which the joint notice applies. • Notice describes with reasonable specificity the service delivery sites or classes of delivery sites to which the joint notice applies.
OHCA Notice Requirements • Notice states that the CE’s participating in the OHCA will share PHI with each other as necessary to carry out treatment, payment or health care operations relating to the OHCA. • Provision of a joint notice by any one of the CE’s included in the OHCA will satisfy the distribution requirement with respect to all others covered by the joint notice.
References • HIPAA Privacy Final Rule Table - 45 CFR Sections 160 & 164. • AHIMA Practice Brief , Notice of Information Practices, May 2001 - www.ahima.org/journal/pb • American Medical Association, HIPAA Notice of Privacy Practices - www.ama-assn.org/ama/pub • Sample Notices of Privacy Practices - Children’s Healthcare Services, BryanLGH Medical Center, Methodist Health System, Tri-County Area Hospital