The HIPAA Privacy Rule (45 CFR Parts 160-164) requires that HIPAA covered entities provide clients with information detailing how their protected health information* will be used or disclosed. This is done through the familiar HIPAA Notice of Privacy Practices (NPP), which outlines client rights and the legal duties of the HIPAA covered entity. The practitioner may not use or disclose protected health information in a manner that is inconsistent with the NPP. HIPAA privacy rules have evolved as a result of the Health Information Technology for Economic and Clinical Health Act, with the changes solidified in the Omnibus Final Rule issued in January 2013. The material changes brought about by the final rule require changes to the NPP. While this occurred some time ago, therapists in the midst of busy practices can have difficulty staying abreast of all regulatory changes, so the changes that must be reflected in the NPP are reviewed here.
The changes include the following additions to the NPP:
- A statement that clients have a right to receive notification if their PHI is breached (viewed, used or disclosed inappropriately).
- A statement that any uses or disclosures of PHI not described in the NPP require written authorization by the individual.
- A statement that individuals have the right to restrict certain disclosures of their PHI to their health plan if they pay out of pocket for a service or services, where that disclosure is only for carrying out payment or healthcare operations.
- A statement that the following uses and disclosures require a separate written authorization:
  - uses and disclosures for marketing purposes,
  - disclosures that constitute sale of PHI,
  - most uses and disclosures of psychotherapy notes, and
  - any uses or disclosures not listed in the NPP.
- If your practice engages in fundraising activities, a statement that the client has the right to opt out of such communications.
The good news is that you do not need to redistribute the notice to each client; instead, you can post it conspicuously in your waiting room, and it should also be posted on your website. If clients ask, you must have the updated notice available upon request. New clients should receive the updated notice and be asked to sign the accompanying acknowledgement of receipt of the NPP. While you must make a “good faith effort” to obtain acknowledgement of receipt of the NPP, clients are not required to sign the acknowledgement of receipt in order to receive services. Therapists should document their attempts to obtain the acknowledgement signature. Because therapists can treat clients without a signed acknowledgement, the NPP is best kept as a separate document from your informed consent for treatment. NPPs may be emailed to clients should they request it.
As therapists concerned with client confidentiality, we have a couple of things to remember regarding the NPP. First, any stricter state law must be integrated into the NPP (45 CFR §164.520(b)(1)(ii)(C)). This can be confusing for both the client and the therapist. The Department of Health and Human Services notes that the NPP may refer readers to a separate section of the NPP that details more stringent state privacy laws (U.S. Department of Health and Human Services, 2003). This allows for an easier update to your NPP in the event state law changes. Whenever there are material changes in state law affecting client privacy, the NPP must be updated to reflect those changes. It is an ethical imperative to accurately inform your clients of their privacy rights, in light of our professional ethical code as well as state and federal laws. Be sure to note the effective date on your NPP, and keep old NPPs for a period of six years. HIPAA requires that you retain documentation for “6 years from the date of its creation or the date when it last was in effect, whichever is later” (45 CFR §164.316(b)(2)(i)).
You must also have a named privacy officer with whom clients can file a complaint should they believe their privacy rights have been violated. This person’s name and contact information must be provided in the NPP. For solo practices, this can be the solo practitioner. For larger practices, one person must be named as the privacy officer and is tasked with making sure the practice complies with the HIPAA privacy regulations. A security officer must also be named; this may be the same person as the privacy officer, though it need not be. You may opt to give clients the contact information they need to complain to the Office for Civil Rights, but you are not required to do so.
In summary, check your NPP to be certain you have the updated version, and be sure it can be made available to new clients, and to established clients should they ask for it.
The Department of Health and Human Services provides model notices of privacy practices in several user-friendly formats written in plain language (which is a requirement). You can access updated model NPPs at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html. Don’t forget that you must integrate stricter state law into your NPP.
*Protected health information is “Individually identifiable health information, including demographic data, that relates to: 1) the individual’s past, present or future physical or mental health or condition, 2) the provision of health care to the individual, or 3) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual” (45 CFR §160.103).
HIPAA, Public Law 104-191, 45 CFR §160.103
HIPAA, Public Law 104-191, 45 CFR §164.316
HIPAA, Public Law 104-191, 45 CFR §164.520
U.S. Department of Health and Human Services. Frequently asked questions. Retrieved from http://www.hhs.gov/hipaa/for-professionals/faq/464/must-a-covered-entity-with-a-notice-revise-the-notice-every-time-it-changes/index.html
Lorna Hecker, PhD, LMFT, CHPS has authored the book HIPAA Demystified: HIPAA Compliance for Mental Health Professionals (2016). She is a professor in the MFT program at Purdue University Northwest, and director of educational services at Carosh Compliance Solutions in Crown Point, Indiana. She is an AAMFT Clinical Fellow and Approved Supervisor, and is certified in healthcare privacy and security through the American Health Information Management Association.