Notice of Privacy Practices
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.
The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. The agency will provide individuals with this notice of its privacy practices.
1. A notice of privacy practices (NPP) must:
a.) describe how the HIPAA Privacy Rule allows the covered entity to use and share protected health information (PHI), and state that it will obtain the client's permission before using or sharing PHI for any other reason;
b.) tell clients about their rights under the HIPAA Privacy Rule;
c.) tell clients how to file a complaint with the covered entity;
d.) tell clients how to file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights;
e.) provide information about a client’s rights to restrict fundraising solicitations; and
f.) explain the need to obtain a client’s written authorization for marketing or the sale of the client’s PHI.
2. The agency will make its notice available to any person who asks for it.
3. The agency will prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits.
4. Privacy practices are reviewed with all new employees during the agency orientation, and with all current employees annually.
5. All agency clients will be provided with the notice of privacy practices.
a.) The agency will provide the notice to the individual no later than the date of first service delivery and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.
b.) In an emergency treatment situation, the agency will provide the notice as soon as it is reasonably practicable to do so after the emergency situation has ended. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals.
6. The agency will make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider’s office or facility for individuals to request to take with them, and post it in a clear and prominent location at the facility.
7. When revisions to the privacy practices are necessary, all staff, clients, and business associates will be informed of the changes and given a revised copy of the notice.
8. The Notice of Privacy Practices is posted in a clear and prominent location within the Agency.
9. The Privacy Officer will retain copies of the original Notice of Privacy Practices and any revisions for a period of six (6) years from the date of its creation or the date when it was last in effect.
10. All employees and business associates of the agency are required to adhere to the privacy practices as detailed in the Notice.
11. Violations of the agency’s privacy practices will result in disciplinary action up to and including termination of employment or contracts.