Get to Know the HIPAA Notice of Privacy Practices
The first time you see a healthcare provider or dentist (known as a Covered Entity), check in to a hospital, or change health insurance coverage, you will likely be asked to read and sign several different forms. One of those forms is called the Notice of Privacy Practices (NPP). The NPP explains your rights regarding the privacy of your protected health information (PHI) and how it can be used or shared. Most providers must give you the NPP at your first appointment, and most health plans must give you the NPP when you enroll.
A copy of the NPP must be posted in a clear, easy-to-find location in a doctor’s office, pharmacy or hospital, be mailed to you by your health insurance company, or be posted on a provider’s or health insurance company’s website.
If you can’t find it, ask for it. Your provider or health insurance company must give it to anyone who asks for it.
4 Things the Notice of Privacy Practices Must Include
The NPP must describe:
- How the HIPAA Privacy Rule allows providers to use and disclose PHI. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason.
- The organization’s duties to protect health information privacy.
- Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated.
- How to contact the organization for more information and/or to make a complaint.
When Should I Receive the Notice of Privacy Practices?
You will usually receive a copy of the organization’s NPP at your first appointment. In an emergency, you should receive the NPP as soon as possible after the emergency.
- The NPP must also be posted in a clear and easy-to-find location where patients are able to see it, and a copy must be provided to anyone who asks for one.
- If an organization has a website, it must also post the notice on its website.
- A health plan must give its notice to you at enrollment. It must also send a reminder at least once every three years, and you can ask for the notice at any time.*
*Note: A health plan can give the notice to the “named insured” (subscriber for coverage). It does not also have to give separate notices to spouses and/or dependents.
Do I Have to Sign it?
The law requires your provider, hospital, or other care providers to ask for written proof that you received the Notice of Privacy Practices, or what they might call an “acknowledgement of receipt.” The law DOES NOT require you to sign the acknowledgement form.
If you choose NOT to sign, your provider must keep a record that they did not get your signature, but they still have to treat you.
But if you sign it, you have NOT given up ANY of your rights or agreed to ANY special uses of your health records. It simply means you are acknowledging that you received the provider’s Notice of Privacy Practices.
Covered Entities and third-party vendors should understand that patients are entrusting them with their most private and intimate details, and that patients expect that information to remain secure.