Notice of Privacy Practices

Episode 56: Know The Knows! Notice of Privacy Practices

What does the HIPAA Notice of Privacy Practices mean to you?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets rules about who can look at and receive your protected health information (PHI).

When you see a provider (known as a Covered Entity), check in to a hospital, have a new prescription filled by a pharmacy, or change health insurance coverage, you will likely be asked to read and sign several different forms.

One of those forms, called the Notice of Privacy Practices (NPP), explains your rights regarding your PHI and tells you how your PHI can be used or shared. Most providers must give you the NPP at your first appointment, and most health plans must give you the NPP when you enroll.

A copy of the NPP may also be posted in a clear, easy-to-find location in a doctor’s office, pharmacy or hospital, be mailed to you by your health insurance company, or be posted on a provider’s or health insurance company’s website.

If you can’t find it, ask for it. Your provider or health insurance company must give it to anyone who asks for it.

What is in an NPP?

The NPP must describe:

  • How the HIPAA Privacy Rule allows providers to use and disclose PHI. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason.
  • The organization’s duties to protect health information privacy.
  • Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated.
  • How to contact the organization for more information and/or to make a complaint.


When and how can I receive the Notice of Privacy Practices?

You’ll usually receive the NPP at your first appointment. In an emergency, you should receive the NPP as soon as possible after the emergency.

  • The NPP must also be posted in a clear and easy-to-find location where patients are able to see it, and a copy must be provided to anyone who asks for one.
  • If an organization has a website, it must also post the notice on its website.
  • A health plan must give its notice to you at enrollment. It must also send a reminder at least once every three years that you can ask for the notice at any time.
  • A health plan can give the notice to the “named insured” (subscriber for coverage). It does not also have to give separate notices to spouses and/or dependents.

Do I have to sign a form?

The law requires your provider, hospital, or other care providers to ask for written proof that you received the Notice of Privacy Practices, or what they might call an “acknowledgement of receipt.” The law DOES NOT require you to sign the acknowledgement form.

If you choose NOT to sign, your provider must keep a record that they did not get your signature, but they still have to treat you.

But if you sign it, you have NOT given up ANY of your rights or agreed to ANY special uses of your health records. It simply means you are acknowledging that you received the provider’s Notice of Privacy Practices.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect that information to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why would you leave yourself wide open to such risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” newsletter today.