

Avoid Notice of Privacy Practices HIPAA Danger Zones


HIPAA guarantees a variety of patient rights — one of these includes a patient’s right to know how you’re going to use their PHI (Protected Health Information). In addition, HIPAA requires you to describe your office’s privacy practices in writing in an easy-to-read format, called a Notice of Privacy Practices.

Don’t take this HIPAA notification lightly. This is a required document that you must ask your patients to sign to acknowledge their receipt and understanding. The guidelines state that you must “do your best” to get your patients to sign an acknowledgment that indicates that they have:

  • received a copy of your Notice of Privacy Practices,
  • been made aware of a notice copy posted in your waiting area, or
  • been informed that a copy is available on your practice’s website.

If you get audited for HIPAA compliance, the Office for Civil Rights (OCR) will request a copy of your Notice of Privacy Practices to review. The Agency will want to make sure your notice contains the required content. They will also ask to review your process of making your privacy notice available to your patients.

Your patients are NOT required to sign your Notice of Privacy Practices, but getting their signature can be helpful to prove your compliance with HIPAA rules. Ultimately, you are required to have some way for your patients to acknowledge that a copy of your privacy policy was made available for them to review, and what authorizations they agreed to.

Create and Use Your Privacy Notice Correctly

To ensure HIPAA compliance, you must know what you should and shouldn’t include in your privacy notice. Typically, you should provide patients with your privacy policy document during their first visit and after three years.

All staff involved in the process (including your front desk employees) must have the necessary knowledge to answer patient questions and adequately document your patients’ acknowledgment of your privacy practices policy.

Here are several items that are essential to include in your Notice of Privacy Practices to make it HIPAA compliant and to help you avoid getting hit with a violation penalty:

  • Rights: Your privacy notice must clearly spell out your patients’ rights. For example, patients have a right to their medical records. Patients have a right to correct errors in their records and file a complaint if they feel their privacy rights are violated.
  • Choice: Patient privacy choices must also be clearly listed. For example, patients can choose whether they want to share information with family and friends about their condition or not, etc.
  • Use: You are required to tell your patients how you will use their information. For example, you may need to use your patients’ private information to treat them, bill them, and comply with healthcare laws. Although these are all legitimate ways to use a patient’s confidential information, you must include them within your Notice of Privacy Practices policy.
  • Date and Sign: Although your patients are not required to sign and date your privacy notice, there must be a place for them to do so on the document. Their signature indicates their acknowledgment of your Notice of Privacy Practices. It is not an agreement. A signed and dated statement gives you unambiguous proof of each patient’s instructions regarding their private information.
  • Change: Your patients have the right to change the instructions on how you are authorized to utilize their information. You should have them complete another Notice of Privacy Practices with their new preferences to indicate such a change. Also, be sure to void the previous notice, or confusion may lead to misuse of their information, patient complaints, and hefty penalties.

SAMPLE FORM: You can find a HIPAA-compliant sample Notice of Privacy Practices on the Health and Human Services (HHS) website.

Even if you have a perfect Notice of Privacy Practices that passes a HIPAA investigator’s scrutiny, you can still violate HIPAA rules if you don’t use the document correctly. Here are several specific points to consider that will help you utilize your Notice of Privacy Practices properly:

  • Timing: Be sure that all new patient packets contain a complete copy of your privacy notice. You should also allow patients to review your privacy notice again when they’ve been with you for three years.
  • Availability: Be sure to post a copy of your Notice of Privacy Practices where your patients can easily see it. A frame on the wall by your front desk or at your check-in counter is a good option. Also, keep several copies behind your front desk in case a patient requests one.
  • Signature: Make a “good faith” effort to document acknowledgment of your privacy notice by getting your patient to sign and date it. Their signature indicates they have received, understood, and acknowledged your policy.
  • Refusal to Sign: “Good faith” means you have explained the form to your patients and asked them to sign the document to acknowledge it. They may refuse to sign for any number of reasons. However, their refusal shouldn’t result in denied services. There are several essential items you should document in a patient’s record if they refuse to sign your practice’s Notice of Privacy Practices:
    • Your exact efforts to get them to sign and date the document.
    • All reasons the patient gave for not wanting to sign.
    • Any questions the patient asked related to the notice.
    • Finally, have your staff sign and date the document as a formal record of a patient’s refusal to sign the acknowledgment.
  • Language: If your practice treats patients that primarily speak languages other than English, you are required to make your Notice of Privacy Practices available in as many language options as appropriate. You can have your notice translated by a reputable service. Even patients with a good command of English may feel more comfortable having their medical rights and choices available in the language spoken in their homes. Realistically, you can’t have every possible language available, but preparing privacy notices for the predominant languages of your patient population is a small price to pay to avoid a HIPAA violation penalty.
  • Sensory disabilities: You need to make similar accommodations for patients who are hearing- or vision-impaired. If a portion of your patients read Braille, you may need to have your privacy notice available in Braille. If your practice regularly treats visually impaired patients, you should consider having your privacy notice available via a recording. You should document the date and time your patient listened to the audio privacy policy and whether they signed an acknowledgment form. Regardless of whether your patients listen, read, or use Braille, your Notice of Privacy Practices must be understandable and accessible.

WARNING: HIPAA guidelines put the burden on YOU to ensure your patients understand their privacy rights. So, even if you have to spend money to translate your privacy notice into Spanish, Braille, or have an audio recording made, it is sure to be less expensive than paying a $50,000 fine for a HIPAA violation.

Who can Sign a Privacy Notice?

If you have the wrong person sign your Notice of Privacy Practices acknowledgment form, you are documenting a violation for an investigator to find. Here’s the list of who can actually give authorization and acknowledge receipt of your privacy notice:

  • Adults: All patients who are competent adults.
  • Minors: The legal parent(s) may sign for non-emancipated children.
  • Emancipated minor: The definition of an “emancipated minor” differs from state to state. Some still require parental involvement in healthcare decisions, while others give full privacy rights to the child. You need to know your state requirements to avoid getting into trouble. Go to the National Association of Insurance Commissioners website and click on your state for more information.
  • Next of Kin: The designated representative or next of kin of a seriously ill or comatose patient can sign for that patient, as long as you have the appropriate documentation of their status.
  • Legal guardian: The designated legal guardian of an incompetent patient may sign — be sure to keep documentation of their status on file.
  • Executor or administrator: The legal executor or administrator of the estate of a deceased person may sign, but again, you must get written proof of their authority and keep it on file.

Don’t make the mistake of thinking that your Notice of Privacy Practices is simply more paperwork. Utilize this free downloadable checklist to ensure your privacy practices notice is HIPAA compliant. Protect your practice from costly violation penalties by downloading this free checklist today.

It’s impossible for you to head off every possible breach of your patients’ PHI. However, focusing on tightening your management controls at your front desk can significantly reduce your exposure and improve your HIPAA compliance. To help you ensure your front desk is HIPAA compliant, check out these two effective training options:

  • Online Training: Expert, Tracy Bird, FACMPE, CPC, CPMA, CEMC, CPC-I, prepared an online training session that will walk you through exactly how to ensure your front desk HIPAA compliance. Her online training, Head Off Front Desk HIPAA Nightmares, will provide you with actionable steps to identify and resolve front desk HIPAA violations before they get you into trouble.
  • Companion Expert Report and Sample Library: You get 12 chapters that break down front desk HIPAA risk areas and walk you through how to fix them from HIPAA expert, Jay Hodes, President of Colington Consulting HIPAA Compliance Services. In the 13th chapter of this expert report you get a resource library with compliant HIPAA forms and checklists you can put to use immediately.
