NOTICE OF PRIVACY PRACTICES
FOR PROTECTED HEALTH INFORMATION
[45 CFR 164.520]
Background
The HIPAA Privacy Rule gives individuals a fundamental new right to
be informed of the privacy practices of their health plans and of
most of their health care providers, as well as to be informed of
their privacy rights with respect to their personal health
information. Health plans and covered health care providers are
required to develop and distribute a notice that provides a clear
explanation of these rights and practices. The notice is intended to
focus individuals on privacy issues and concerns, and to prompt them
to have discussions with their health plans and health care
providers and exercise their rights.
How the Rule Works
General Rule. The Privacy Rule provides that an individual has a
right to adequate notice of how a covered entity may use and
disclose protected health information about the individual, as well
as his or her rights and the covered entity’s obligations with
respect to that information. Most covered entities must develop and
provide individuals with this notice of their privacy practices.
The Privacy Rule does not require the following covered entities to
develop a notice:
- Health care clearinghouses, if the only protected health
  information they create or receive is as a business associate of
  another covered entity. See 45 CFR 164.500(b)(1).
- A correctional institution that is a covered entity (e.g., that
  has a covered health care provider component).
- A group health plan that provides benefits only through one or
  more contracts of insurance with health insurance issuers or HMOs,
  and that does not create or receive protected health information
  other than summary health information or enrollment or
  dis-enrollment information.
See 45 CFR 164.520(a).
Content of the Notice. Covered entities are required to
provide a notice in plain language that describes:
- How the covered entity may use and disclose protected health
  information about an individual.
- The individual’s rights with respect to the information and how
  the individual may exercise these rights, including how the
  individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the
  information, including a statement that the covered entity is
  required by law to maintain the privacy of protected health
  information.
- Whom individuals can contact for further information about the
  covered entity’s privacy policies.
The notice must include an effective date.
See 45 CFR 164.520(b) for the specific requirements for developing
the content of the notice.
A covered entity is required to promptly revise and distribute its
notice whenever it makes material changes to any of its privacy
practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health
plans, and 164.520(c)(2)(iv) for covered health care providers with
direct treatment relationships with individuals.
Providing the Notice
- A covered entity must make its notice available to any person who
  asks for it.
- A covered entity must prominently post and make available its
  notice on any web site it maintains that provides information
  about its customer services or benefits.
- Health Plans must also:
  - Provide the notice to individuals then covered by the plan no
    later than April 14, 2003 (April 14, 2004, for small health
    plans) and to new enrollees at the time of enrollment.
  - Provide a revised notice to individuals then covered by the
    plan within 60 days of a material revision.
  - Notify individuals then covered by the plan of the availability
    of and how to obtain the notice at least once every three
    years.
- Covered Direct Treatment Providers must also:
  - Provide the notice to the individual no later than the date of
    first service delivery (after the April 14, 2003 compliance
    date of the Privacy Rule) and, except in an emergency treatment
    situation, make a good faith effort to obtain the individual’s
    written acknowledgment of receipt of the notice. If an
    acknowledgment cannot be obtained, the provider must document
    his or her efforts to obtain the acknowledgment and the reason
    why it was not obtained.
  - When first service delivery to an individual is provided over
    the Internet, through e-mail, or otherwise electronically, the
    provider must send an electronic notice automatically and
    contemporaneously in response to the individual’s first request
    for service. The provider must make a good faith effort to
    obtain a return receipt or other transmission from the
    individual in response to receiving the notice.
  - In an emergency treatment situation, provide the notice as soon
    as it is reasonably practicable to do so after the emergency
    situation has ended. In these situations, providers are not
    required to make a good faith effort to obtain a written
    acknowledgment from individuals.
  - Make the latest notice (i.e., the one that reflects any changes
    in privacy policies) available at the provider’s office or
    facility for individuals to request to take with them, and post
    it in a clear and prominent location at the facility.
- A covered entity may e-mail the notice to an individual if the
  individual agrees to receive an electronic notice.
See 45 CFR 164.520(c) for the specific requirements for providing
the notice.
Organizational Options.
- Any covered entity, including a hybrid entity or an affiliated
  covered entity, may choose to develop more than one notice, such
  as when an entity performs different types of covered functions
  (i.e., the functions that make it a health plan, a health care
  provider, or a health care clearinghouse) and there are
  variations in its privacy practices among these covered
  functions. Covered entities are encouraged to provide individuals
  with the most specific notice possible.
- Covered entities that participate in an organized health care
  arrangement may choose to produce a single, joint notice if
  certain requirements are met. For example, the joint notice must
  describe the covered entities and the service delivery sites to
  which it applies. If any one of the participating covered
  entities provides the joint notice to an individual, the notice
  distribution requirement with respect to that individual is met
  for all of the covered entities. See 45 CFR 164.520(d).