[ Monday, July 08, 2002 ]
A note from Phoenix
The Privacy Rule requires every covered entity to create, and make available to individuals, a notice of its privacy practices. Under HIPAA, individuals have a right to know how their health information may be used or disclosed, AND that they have certain privacy rights that the covered entity is legally bound to honor.
Examples of Privacy Notices can be found on the Internet - but are of varying quality and applicability when it comes to individual covered entities' needs. If you are lucky enough to have a reasonably good model form at your disposal, it is still essential that you return to the regulations themselves to ensure your Notice meets all requirements, and tailor it carefully so that it is suitable for your particular environment and circumstances.
Through your Privacy Notice, your organization will be communicating, applying - and having to live with - this important document permanently. There is no point in putting yourself in a situation where you may have to upgrade or otherwise "fix" a poorly conceived Privacy Notice again and again.
Because the Privacy Notice is intended to inform your customers, it must be written in easy-to-understand language. Other how-to specifics include:
1. HIPAA requires that the following specific statement be part of the notice as a header or otherwise prominently displayed:
"THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE READ CAREFULLY". The regulations actually capitalized this statement, so it would be wise to do the same.
2. You must provide descriptive examples of the uses and disclosures that the covered entity is permitted to make for each of the following purposes: treatment, payment, and health care operations. An example could be "Information obtained by a member of our healthcare team will be recorded in a printed copy maintained in the designated record set in the Health Information Management Department. This information will be used when determining the best treatment options for you." Another example: "Information gathered during the course of your treatment may be shared with your insurance company."
3. You are also required to provide examples of how PHI may be used or disclosed without patient consent or authorization. The notice must include statements with regard to disclosures, authorization and individuals' rights, regarding requesting restrictions of uses, authorization unless specified in the Privacy Notice, the right to inspect and copy, the right to request amendment of health information, the right to obtain a paper copy of the Privacy Notice, notice that the entity is required by law to maintain privacy, instructions on how to file complaints, and more. The notice must also name a contact for further information, and indicate the effective date of the notice.
Unfortunately, we cannot offer an exhaustive tutorial on Privacy Notice how-to's in this limited space. So, to start creating your notice, head FIRST to the applicable text of the Privacy Rule (164.520), and then look for some sample notices to see how others have approached this effort. You may not have to completely "recreate the wheel" - but you must base your Notice on the realities and practical considerations inherent to YOUR organization. In any event, ensure that the legal department of your organization is involved in the development and/or final approval of this legally binding document.
The notice must be provided to patients by April 14, 2003. It seems like only yesterday that we had two years available to get this and other privacy obligations completed. Clearly, the time to act is now.
William M. Miaoulis, Principal
Phoenix Health Systems
Jeff [9:44 AM]