Adobe Acrobat Sign
Does your business need to issue a notice of privacy practices?
Whether you’re a healthcare provider or an employer offering health coverage to your staff, learn what you need to do to keep people informed about how their health information is protected.
What goes into a notice of privacy practices?
- A notice of privacy practices (NPP) is a statement that outlines how you’ll safeguard your patients’ medical data.
- Federal law requires that an NPP be sent to every patient before their first appointment.
- An NPP must explain who will have access to a patient’s data and how a patient can file a complaint if they feel their privacy has been violated.
What is a notice of privacy practices?
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), a federal law that set strict standards for how healthcare operations handle and store electronic medical records. Under HIPAA’s Privacy Rule, healthcare providers and other organizations affected by the law (known as covered entities) must prepare and issue patients a notice of privacy practices (NPP), which informs them how their protected health information (PHI) will be used and shared.
An NPP safeguards a patient’s right to privacy by making them aware of how their health information will be protected before they share it. This gives the patient the option to request restrictions on the disclosure of their PHI or choose to take their business elsewhere. And it ensures that the healthcare service provider is accountable for maintaining a set of privacy standards that have been stated in advance.
If your business is a covered entity, you need to send patients an NPP by mail or electronically in advance of their first appointment. Once a patient acknowledges that they’ve received their NPP, you’re required to keep records of what you’ve sent them and make those records available upon request.
Who needs a notice of privacy practices?
All medical and dental providers are required to issue NPPs to each patient, as well as keep an NPP posted publicly either in their office or on their website. Other healthcare-adjacent businesses that handle patients’ medical information must issue NPPs as well, such as:
- Health insurance companies
- Health maintenance organizations (HMOs)
- Small practices like therapists and life coaches
- Employer-sponsored health plans
- Business associates of any of the above (such as medical billing companies, IT support, or document disposal services)
What information should be included in a notice of privacy practices?
To be in compliance with HIPAA’s rules, your notice of privacy practices needs to include several key pieces of information.
1. Header
All NPPs must have the same statement written across the top of the page: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
2. Uses and disclosures
This is where you explain with whom you’ll share the patient’s information and whether you’ll ask for their authorization before you do it. Organizations and individuals to whom you can disclose information without asking permission include:
- Family members involved with the patient’s care or payment
- A designated personal representative
- Coroners, medical examiners, and funeral directors
- Other healthcare organizations
- Law enforcement officials who have requested or subpoenaed information as part of a criminal investigation
Especially sensitive information, such as psychotherapy notes, requires authorization from the patient before you can release it. And while it is rare that you would do so, you also need a patient’s explicit permission before you sell their protected health information or release it for marketing purposes.
3. Patient rights information
Your NPP needs to include a statement of the patient’s rights, including:
- The right to request restrictions on certain uses and disclosures of their PHI
- The right to receive their PHI confidentially
- The right to inspect and copy their PHI
- The right to amend their PHI, as the law allows
- The right to receive an accounting of disclosures of their PHI
- The right to receive a paper copy of the NPP on request
- The right to file a complaint with the covered entity and the Department of Health and Human Services (HHS) if the patient feels their rights have been violated
4. Covered entity responsibilities
In this section, you must outline what your organization is required to do to protect individuals’ health records, including:
- Explaining your organization’s legal obligations and privacy practices
- Stating that you will notify affected individuals in the event of a data breach
- Clarifying that your organization is legally obligated to abide by the conditions of this notice
5. Contact information
Provide the name, title, and phone number of your organization’s privacy officer or any other employee qualified to answer questions about your privacy practices.
6. Effective date
The date that your NPP goes into effect.
How e-signatures can streamline your NPP process
An e-signature program makes it easier to send, store, and manage every notice of privacy practices that you send to a client.
If your business is a covered entity, you’ll need to send out a lot of NPPs. With Acrobat Pro, you can create a reusable NPP template that includes all the legally required information, then personalize each individual copy before sending it out to patients for their signature.
Smart documents in Acrobat automatically track and manage workflows, so you can receive notifications when each NPP you send has been opened, viewed, and signed. This makes it easy to keep track of who has acknowledged your organization’s privacy practices and who still needs a nudge to complete their paperwork. And clients can sign securely for free at any time on virtually any device.
It’s crucial to be sure that individuals’ confidential health information is kept secure. A well-written notice of privacy practices puts your patients at ease that their data is being handled with care.