of Privacy Practices PDF
POLICY SUMMARY AND INTENT:
The Health Insurance Portability and Accountability Act (HIPAA)
includes provisions that address the security and privacy of
a patient’s health information. Each facility will comply
with the following procedures to ensure adherence to the HIPAA
The “Privacy Rule” is part of a set of standards
under HIPAA’s “Administrative Simplification”
provisions. The final rule requires health care providers
(and other covered entities) to provide patients with a
notice of patient’s privacy rights and the privacy
practices of the provider. Each patient will be provided
with a Notice of Privacy Practices.
The Notice of Privacy Practices must clearly describe:
• All uses and disclosures of protected health information
that the facility is permitted or required to make under
the HIPAA privacy rule
• The patient’s rights regarding their protected
• The facility’s legal obligations with respect
to protected health information
AREAS OF RESPONSIBILITY
Health care providers must provide Notice of Privacy Practices
to their patients on the first date of service delivery.
For hospitals, this would include providing the Notice as
part of the Admission and Registration process. For physician
clinics, this would include providing the Notice to each
patient upon their first visit to the clinic.
Each facility must also post its Notice
in a clear and prominent location where individuals seeking
service are able to read it. In addition, if the facility
maintains a web site, the Notice must also be available
through that web site.
Patients must acknowledge in writing that
they have received the Notice of Privacy Practices. Health
care providers are required to make “good faith”
efforts to obtain this acknowledgement. During emergency
treatment situations, however, this requirement may be delayed
until reasonably practical after the emergency situation
has ended or been established.
Since state laws regarding the release
of patient health information may vary from federal regulation,
the facility HIM Director should work with the facility
and/or legal counsel to ensure that if the requirements
are inconsistent, then the more stringent of either state
or federal statutes or regulations will apply. When state
law is more stringent than a Federal standard requirement
or implementation specification of HIPAA, state law will
prevail and the facility’s Notice and all applicable
policies and procedures should be revised to reflect such.
Any requested changes to the Notice of Privacy Practices
form must be related to individual state law requirements
and must be reviewed and approved by the forms committee.
Patient records containing AIDS/HIV status,
mental health diagnosis or treatment, or alcohol or drug
diagnoses or treatment may require specific authorizations
in some states. The HIM department should work with the
facility and/or legal counsel to ensure state regulations
are included in the policy for consistent interpretation,
if necessary or appropriate.
1. The Notice of Privacy Practices must
be provided as part of the Admission process for inpatient
admissions to the hospital, or on the first date of service
delivery for outpatient visits.
2. Frequency of Providing Notice: the Notice must be provided
as part of every Inpatient admission. For recurring outpatient
services such as outpatient physical therapy, the Notice
must be provided at each registration.
3. For hospital inpatient admissions, the patient is given
the Consent to Treatment form.
4. A paragraph regarding the Notice has been added to the
Conditions to Treatment form. By signing the consent form,
the patient acknowledges that they received a copy of the
Notice of Privacy document.
5. If a patient refuses to sign, indicating that he/she
has received a copy of the Notice, the facility must document
its efforts to obtain the acknowledgement and the reason(s)
why the acknowledgement was not obtained. This documentation
should be made directly on the Consent to treat form besides
the Notice of Privacy Practices.
6. The facility must adhere to the terms of the Notice.
Should any changes be made, the Notice must promptly be
revised and made available to patients upon request.
7. Questions regarding the Notice of Privacy Practices should
be directed to the facility’s Health Information Management
8. Information on filing privacy complaints should be directed
to the Facility Privacy Officer.
9. More stringent state and/or federal regulations will
supersede any and all instructions in this policy. More
stringent state regulations must be inserted behind this
policy and document and will apply as appropriate to this
Protected health information (PHI) refers to individually
identifiable health information that is transmitted or maintained
in any form which is protected under the federal regulations.
Examples include the patient’s name and other demographic
information, medical records, x-ray films, etc.
DIRECT TREATMENT RELATIONSHIP
Refers to a relationship between an individual and a health
care provider in which:
1. the health care provider delivers health
care directly to the individual; and
2. the health care provider provides services or products,
or reports the diagnosis or results associated with the
healthcare, directly to the individual.