HIPAA Notice of Privacy Practices

By | May 1, 2020

HIPAA Notice of Privacy Practices: Timing

The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals’ rights with respect to their protected health information (PHI), and of the privacy practices of health plans and health care providers. This page provides options for meeting the requirement to create a notice of privacy practices (NPP).

What do Covered Entities Need to Know About the HIPAA Notice of Privacy Practices?

Health care providers must provide patients with a notice of privacy practices explaining how the provider may use or disclose patient protected health information (PHI).


Per the HIPAA Privacy Rule, a covered health care provider that has a direct treatment relationship with an individual must provide the notice of privacy practices:

  • No later than the date of the first service delivery (including service delivered electronically); or
  • In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.

What Must Covered Entities Who Maintain A Website Do?

Covered entities that maintain a website providing information about their customer services or benefits must prominently post the notice on that website and make the notice available electronically through the website.

Can Covered Entities Provide the Notice of Privacy Practices by Email?

A covered entity may provide the Notice of Privacy Practices by email, if the individual agrees to electronic notice and the agreement has not been withdrawn.

If a covered entity knows that the email transmission has failed, the covered entity must furnish a paper copy of the notice to the individual.

Covered entities that provide the notice electronically must:

  • Provide the electronic notice no later than the date of the first service delivery (including medical services delivered electronically).
  • In an emergency treatment situation, provide the notice as soon as reasonably practicable after the emergency treatment situation.

What Must the Notice Contain?

The notice must contain:

  • A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations.
  • A description of each of the other purposes for which the covered entity is permitted or required under the Privacy Rule to use or disclose protected health information without the individual’s written authorization.
  • A description of the organization’s duties to protect health information privacy.
  • A statement of the individual’s privacy rights, including the right to complain to HHS and to the covered entity if a patient believes his or her privacy rights have been violated.
  • A description of how to contact the covered entity for more information and to make a complaint.