Does Your Doctor Keep Your Protected Health Information Secure?


Notice of Privacy Practices

Today, I visited my local dentist's office for a new patient consultation and to interview them before selecting them as my Covered Entity (CE). After examining the waiting room and completing the necessary paperwork, I was called into the treatment room.

During my appointment I met several different staff members, including their office manager responsible for HIPAA, followed by the provider. After asking the office manager different questions about their Notice of Privacy Practices (NPP), I decided the practice DID NOT understand their HIPAA Privacy and Security responsibilities.

I’d like to tell you I only had to do this once before I found a CE I trusted my care and my HIPAA Privacy and Security information to, but I say NO. I interviewed four (4) different practices and only one (1) of them would I trust and recommend with my information and care. I share this with you to help you learn what to look for when you visit your next provider of care.

CEs are required to provide their patients with a Notice of Privacy Practices in plain language that describes the following:

▶️ Did your CE provide you with their Notice of Privacy Practices?

▶️ Does the Notice of Privacy Practices include a description of how the practice uses or discloses (shares) your PHI?

▶️ The CE’s legal duties with respect to the information, including a statement that the CE is required by law to maintain the privacy and security of PHI.

▶️ A CE must let you know promptly if a breach occurs that may have compromised the privacy or security of your information.

▶️ A CE must follow the duties and privacy practices described in the Notice of Privacy Practices and give you a copy of it.

▶️ A CE must not use or share your information other than as described in the Notice of Privacy Practices unless you tell them in writing that they can. If you allow it, you may change your mind at any time, in writing.

▶️ The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the CE.

▶️ Whom individuals can contact for further information about the CE’s privacy policies.

▶️ A CE must make its notice available to anyone who asks for it. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically.

▶️ A CE must prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits.

▶️ The Notice of Privacy Practices must include an effective date.

For more information, see 45 CFR 164.520(b) for all the Notice of Privacy Practices requirements: https://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-520.pdf

Also see: Frequently Asked Questions about the Privacy Rule