Notice of Privacy Practices

The HIPAA Privacy Rule provides that an individual has a right to adequate notice regarding how a Hybrid Entity may use and disclose Protected Health Information about the individual, as well as his or her rights and the covered entity's obligations with respect to that information. Most covered entities must provide individuals with a "Notice of Privacy Practices".

Content of the Notice

Entities are required to provide, in plain language, a notice that describes:

  • How the covered entity may use and disclose PHI
  • The individual's rights regarding PHI and how the individual may exercise these rights, including how the individual may file a complaint against the covered entity
  • The covered entity's legal duties with respect to the information, including a statement that the entity is required by law to maintain the privacy of PHI
  • Whom individuals can contact for further information

 Sample Notice of Privacy Practices

Providing the Notice

  • A covered entity must provide its notice to any person who asks for it
  • A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer service or benefits
  • Direct Treatment Providers must also:
    • Provide a notice no later than the first date of service and make a good faith effort to obtain the individual's written acknowledgment that they received the notice. (If a signature cannot be obtained, the provider must document his or her efforts to obtain the signature and the reason why it was not obtained.)
    • If the first request for service is provided over the internet, through e-mail or otherwise electronically, the provider must send an electronic notice and make a good faith effort to obtain a return receipt
    • In an emergency, provide the notice as soon as it is reasonably practicable (in an emergency the provider is not required to make a good faith effort to obtain written acknowledgment)