Dec 15 / CARE

Sample Notice of Privacy Practices (NPP)

Under HIPAA and HITECH, covered entities are required to provide a Notice of Privacy Practices (NPP) to individuals at the first service encounter. The NPP must detail how the entity may use and disclose protected health information (PHI), the individual's rights regarding their PHI, and the entity's legal duties with respect to the information. The HITECH Act further enhanced these requirements by mandating updates to NPPs to reflect changes in privacy protections and practices, particularly in relation to electronic health records and breach notifications. This notice must be made available to anyone upon request and prominently posted in physical locations and on the entity's website.

Below is a sample Notice of Privacy Practices for you to reference, edit and make use of! This sample is based on models provided by HHS.gov.

Insert the Covered Entity's Name Here.

Notice of Privacy Practices

This document outlines the ways in which your medical information might be utilized or shared, and it explains how you can obtain access to this information. It's important for you to examine this document thoroughly.

Your Rights

This section informs you about your rights regarding health information and outlines how you can exercise them:
  1. Request Medical Record Copies: You have the right to view or receive copies of your medical record, either electronically or on paper. We'll guide you on requesting this and typically respond within 30 days, possibly charging a reasonable fee for the service.
  2. Amend Your Medical Records: If any information in your records appears incorrect or incomplete, you may request a correction. We'll review your request and respond in writing within 60 days, even if we cannot fulfill it.
  3. Confidential Communications: You can request that we contact you in a specific manner or at an alternate address. We will accommodate all reasonable requests.
  4. Restrict Information Use or Sharing: You may ask us to limit how we use or share your health information, particularly for treatment, payment, or operational purposes. While we're not obligated to agree to all requests, we will comply unless it compromises your care. If you've fully paid for a service out-of-pocket, you may ask us not to share that information with your health insurer, and we will comply unless legally required to share it.
  5. List of Information Shared: You have the right to request a list of instances where we've shared your health information for six years prior to your request, including with whom and why. We'll provide one accounting per year for free and may charge a reasonable fee for any additional requests within the same year.
  6. Obtain a Privacy Notice Copy: You're entitled to receive a copy of our Notice of Privacy Practices. This document details how we handle your health information and outlines your rights.
  7. File a Complaint: If you feel your rights have been violated, you have the right to file a complaint with us or with the relevant government agency.
  8. Nominate a Personal Representative: You can designate an individual to act on your behalf concerning your health information.

Your Choices

For specific health information, you have the autonomy to instruct us on your sharing preferences. Please communicate your decisions for the following scenarios:
  1. Family and Care Circle: You can direct us to share your health information with family, close friends, or others involved in your care.
  2. Disaster Relief Situations: You can allow us to share your information in disaster relief scenarios.
  3. Hospital Directory Inclusion: You can choose to have your information included in a hospital directory.
If you're unable to express your preference, such as in cases where you are unconscious, we may share information if it's deemed in your best interest or to reduce a serious and imminent health or safety threat.
However, there are certain scenarios where we require your explicit written permission to share your information:
  • Marketing purposes.
  • Selling your information.
  • Most cases involving the sharing of psychotherapy notes.

Regarding fundraising communications, you have the option to opt out of such contacts.

Other Uses and Disclosures

We generally use or share your health information in these ways:
  1. Treatment: Your health information is used and shared with other medical professionals involved in your care. For instance, a doctor treating you might consult with another doctor about your overall health.
  2. Practice Management: Your health information is used to manage our practice, enhance your care, and for necessary contact.
  3. Billing: We use and share your health information to bill and receive payments from health plans or other entities.
For uses or sharing beyond these typical scenarios, we adhere to legal requirements which often contribute to public health and research. These include:
  1. Public Health and Safety: Sharing information for disease prevention, product recalls, reporting adverse reactions to medications, reporting abuse or neglect, and reducing serious threats to health or safety.
  2. Research: Your information may be used or shared for health research purposes.
  3. Legal Compliance: Sharing information as required by state or federal laws, including with health departments for compliance checks.
  4. Organ and Tissue Donation: In relevant situations, we share information with organ procurement organizations.
  5. Legal and Governmental Requests: Sharing information for workers’ compensation claims, law enforcement purposes, health oversight agency activities, and special government functions like military and national security.
  6. Legal Proceedings: Responding to court or administrative orders, or subpoenas, with your health information.
  7. Working with Medical Examiners: We may share your health information with coroners, medical examiners, or funeral directors when necessary, particularly in the event of an individual's death.
At this point in the document, insert special notes that:
  • Reflect the unique practices of your entity.
  • Detail any state or other laws that impose stricter limits on information disclosures than those outlined here.
  • Mention the Blue Button protocol, if it is relevant to your practices.

Our Responsibilities

We are legally obliged to protect the privacy and security of your health information. Key points include:
  1. Prompt notification of any breach impacting your information's privacy or security.
  2. Adherence to the practices and responsibilities outlined in this notice, which we will provide to you.
  3. We will only use or share your information as specified in this notice, unless you authorize otherwise in writing. You have the right to revoke this permission at any time, also in writing.

For additional details, visit: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.

Changes to Notice Terms: We reserve the right to modify this notice's terms, effective for all your information we hold. Updated notices will be accessible upon request, in our office, and on our website.

Notice Applicability: This Notice of Privacy Practices applies to the listed organizations.

Insert the following here:
  • If your entity is part of an OHCA, describe how you share information with the OHCA. Also, list additional entities covered by this notice and service locations.
  • Add the covered entity's name, address, URL, and privacy officer's email and phone number.
  • Add the Effective Date of Notice

You'll find the latest information about Notices of Privacy Practices on the HHS.gov website.