HIPAA requires health care providers and health plan administrators to provide patients with a written notice explaining how the individual’s health information may be shared. This document, known as a “notice of privacy practices” (NPP) must also include information about an individual’s right to privacy under HIPAA. Typically providers will present the NPP to a patient at their first visit, and health insurance or companies HMOs send it in the mail.

It is standard practice at most medical offices or healthcare facilities to ask patients to sign an acknowledgment that they have received the NPP. HIPAA does not require covered entities to obtain a signature, though, and patients are not legally obligated to sign an acknowledgement statement. In the event the patient refuses, it’s a good practice to document that event in writing, with one or more witnesses present if possible.

What is in a Notice of Privacy Practices?

An NPP should explain in simple terms that HIPAA’s Privacy permits the covered entity to use the patient’s protected health information (PHI), and to disclose it to certain third parties such as billing services, medical transcriptionists, insurance companies, and other healthcare providers. Typical examples include records required for treatment by another provider, payment information, health care operations, appointment reminders, treatment alternatives, health-related benefits, directories of patients admitted to hospitals, research, and any other purpose required by law.

The NPP should also explicitly state that the patient’s permission is required if PHI is to be shared for any reason that is not already allowed under HIPAA.

Since the NPP requirement was first rolled out, HIPAA regulations have been updated to mandate that the NPP include statements that the sale of PHI is prohibited without written consent; that a covered entity has a duty to notify individuals if a data breach involving their PHI has occurred; that patients may opt out of receiving fundraising appeals from the covered entity; and that patients who pay out-of-pocket may restrict disclosure of associated PHI to their health plan. Health insurers and HMO’s should also inform patients about the prohibition against using or disclosing their genetic information for the purpose of underwriting.

Some providers choose to also include a statement informing patients of their rights to obtain a copy of their medical records. This is optional, however; HIPAA does not require this notice to be part of the NPP.

The NPP should explain that the covered entity is required to safeguard the patient’s medical information, and that if an individual believes that their privacy rights have been violated, they have a right to file a complaint with the US Department of Health and Human Services (HHS) and with the covered entity directly. This notice should also include contact information for making such complaints.

When and Where Should the NPP Be Made Available?

As noted, most healthcare providers make an NPP available to their patients upon their first visit, and health plans usually send it in the mail when a patient first enrolls for coverage. Insurers and HMO’s are only required to offer the NPP to the “named insured” (that is the primary policyholder or subscriber for coverage). They are not required to send separate notices to spouses and dependents.

Providers must also post a copy of the NPP in a location where it is visible to patients, and should post it on their organization’s website if they have one. Anyone has a right to ask for and receive a copy of an organization’s NPP at any time.

It is recommended that covered entities update their NPP at least every two or three years, and that patients be provided with a copy of the new version when it becomes available, or at their next office visit. Health plans should send a copy of their most recent NPP to covered patients at least once a year, for as long as the relationship lasts.