
Notice of Privacy Practices under HIPAA

HIPAA's required Notice of Privacy Practices is one of the elements of the regulation that often flies under the radar, even though it is a simple thing to complete. Let's look more into what this requirement is, and how you can comply with it.

Notice of Privacy Practices for Protected Health Information For HIPAA

Quick Background 

As quoted from HHS.gov: “The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.”

How the Rule Works

General Rule

Under the Privacy Rule, an individual has the right to adequate notice of how a covered entity may use and disclose protected health information (PHI) about that individual, of the individual's rights with respect to that information, and of the covered entity's legal duties regarding it. Most covered entities must therefore develop a notice of their privacy practices and provide it to individuals. The Privacy Rule does not require the following covered entities to develop a notice:

Health care clearinghouses: a public or private entity (including a billing service, repricing company, community health management information system or community health information system, or value-added network or switch) that performs either of the following functions:

  • Processes or facilitates the processing of health information received from another entity in a nonstandard format, or containing nonstandard data content, into standard data elements or a standard transaction.
  • Receives a standard transaction from another entity and processes or facilitates the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

A correctional institution that is a covered entity (e.g., that has a covered health care provider component). These are your state prisons, county and local jails, and other facilities operated by the department of corrections or local governmental units primarily for the purposes of punishment, correction, or rehabilitation following conviction of a criminal offense. 

A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs (Health Maintenance Organization), and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information.

Content of the Notice

Covered entities are required to provide a notice in plain language that describes:

  • How the covered entity may use and disclose protected health information about an individual.
  • The individual's rights with respect to the information and how the individual may exercise those rights, including how the individual may complain to the covered entity (some notices also provide the contact information for doing so).
  • The covered entity's legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
  • Whom individuals can contact for further information about the covered entity's privacy policies, including how to request to see their PHI or to have something changed, such as their contact information.

The notice must also include an effective date. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices; the distribution rules differ for health plans and for covered health care providers with direct treatment relationships with individuals. (Note: Many of you reading this have probably experienced something similar with software updates that present revised terms and conditions on your phone or computer and ask you to accept them before the update proceeds or before you can use the program. It's basically the same thing.)


Basic Understanding of Providing The Notice

Covered entities must promptly make their notice available to any person who asks for it. They must also prominently post the notice, and make it available, on any website they maintain that provides information about their customer services or benefits.

Health Plans must also:

  • Provide the notice to new enrollees at the time of enrollment. 
  • Provide a revised notice to individuals then covered by the plan within 60 days of a material revision. 
  • Notify individuals then covered by the plan of the availability of the notice, and how to obtain it, at least once every three years (e.g., by mail or electronically).

Covered Direct Treatment Providers must:

  • Provide the notice to the individual no later than the date of first service delivery and, except in an emergency treatment situation, make a good faith effort to obtain the individual's written acknowledgment (handwritten or digital signature) of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain it and the reason why it was not obtained.
  • When first service delivery to an individual is provided over the Internet, through email, or otherwise electronically, the provider must send an electronic notice automatically in response to the individual's first request for service. The provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice.
  • In an emergency treatment situation, provide the notice as soon as it is reasonably practicable to do so after the emergency has concluded. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals.
  • Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider's office or facility for individuals to request and take with them, and post it in a clear and prominent location at the facility (for example, a bulletin board, the wall of the lounge or breakroom, or the countertop by the main desk).

(Note: A covered entity may email the notice to an individual if the individual has agreed to receive an electronic notice.)

Organizational Options on Creating the Notice

Any covered entity, including a hybrid entity or an affiliated covered entity, may choose to develop more than one notice if the entity performs different types of covered functions, such as the functions that make it a health care provider, a health plan, or a health care clearinghouse. Covered entities are encouraged to provide individuals with the most specific notice possible, so that individuals are not left confused about what PHI the covered entity holds and how it plans to use it.

Covered entities that participate in an organized health care arrangement may choose to produce a single, joint notice if certain requirements are met; for example, the joint notice must describe the covered entities and the service delivery sites to which it applies. If any one of the participating covered entities provides the joint notice to an individual, the notice distribution requirement with respect to that individual is met for all of the covered entities. (Note: Think of it as receiving and reading one joint notice instead of a separate notice from each entity.)
