Episode 50: How to Avoid a HIPAA Danger Zone: The Notice of Privacy Practices form
The Notice of Privacy Practices is a form that many patients toss in the garbage but that actually gets you into a lot of trouble and costs an enormous amount of money. HIPAA guarantees a variety of patient rights, including a patient’s right to know how you’re going to use their Protected Health Information (PHI). As part of that, you are required to describe your office’s privacy practices in writing in an easy-to-read document called a Notice of Privacy Practices.
The HIPAA guidelines state that you must “do your best” to get your patients to sign an acknowledgment that indicates that they have
- received a copy of your Notice of Privacy Practices
- been made aware of a notice copy posted in your waiting area, or
- been informed that a copy is available on your practice’s website
What should you include in your privacy notice?
- Rights: Your privacy notice must clearly spell out your patients’ rights
- Choice: Patient privacy choices must also be clearly listed
- Use: You are required to tell your patients how you will use their information
- Date and Sign: Although your patients are not required to sign and date your privacy notice, there must be a place for them to do so on the document
- Change: Your patients have the right to change the instructions on how you are authorized to utilize their information
Here's a HIPAA-compliant sample Notice of Privacy Practices form.
How to use the form correctly:
- Timing: Every new patient packet must contain a complete copy of your privacy notice. Have patients review your privacy notice again at least every three years.
- Availability: Post a copy of your Notice of Privacy Practices where your patients can easily see it.
- Signature: Make a “good faith” effort to document acknowledgment of your privacy notice by getting your patient to sign and date it.
- Refusal to Sign: If they refuse to sign, document the reasons.
- Language: Your Notice of Privacy Practices form needs to be available in the other languages represented in your practice.
Who can Sign a Privacy Notice?
- Adults: All patients who are competent adults.
- Minors: The legal parent(s) may sign for non-emancipated children.
- Emancipated minor: The definition of an “emancipated minor” differs from state to state. Know your state requirements to avoid getting into trouble.
- Next of Kin: The designated representative of a seriously ill or comatose patient.
- Legal guardian: The designated legal guardian of an incompetent patient.
- Executor or administrator: The legal executor or administrator of the estate of a deceased person.
Enrollment in The Private Medical Practice Academy membership will be opening in January. Sign up for the waitlist now. Among other things, inside the membership, you'll find the HIPAA Notice of Privacy Practices Checklist to document your practice's compliance!