Your HIPAA Policy and Notice of Privacy Practices: How Do They Relate?
Odds are, your healthcare practice has a Notice of Privacy Practices. But do you fully understand the document? Do you know its relation to your individualized HIPAA policy handbook? It’s critical to understand the distinction and interplay between these two required documents.
When you think about your “HIPAA documents,” two separate documents should come to mind. First, there are your HIPAA-compliant policies and procedures: that long handbook that’s filed somewhere in the office. Second, there is your Notice of Privacy Practices. You probably see this document regularly, or at least you should. The notice is the document about privacy that you give each new patient before administering treatment. Here, we clarify each document’s purpose and the important relationship between the two.
Notice of Privacy Practices vs. Your HIPAA Policy Handbook
The two documents have different but interrelated purposes. Your policies and procedures describe how you meet the standards and requirements set by HIPAA. The Notice of Privacy Practices communicates those standards to your patients. Thus, the two documents go hand-in-hand.
HIPAA requires that if you want to change your policies and procedures, you must revise the Notice of Privacy Practices to reflect that change properly. In fact, HIPAA does not even allow you to implement a material change to the policies and procedures before putting that change within a new, revised Notice of Privacy Practices.
Let’s say, for example, that you decided to use a new electronic health record program and update other processes regarding how you store health records. In this situation, you would need to update your policy handbook and Notice of Privacy Practices before implementing that change. However, if you only alerted your patients of this change on your notice without changing your policies and procedures, that would be insufficient under HIPAA.
The First Document: HIPAA Policies and Procedures
Your policies and procedures handbook should specify how you meet HIPAA’s requirements. It should cover the daily steps and long-term practices you take to keep patient data secure. The handbook could address questions such as:
- How are records, referrals, and prescriptions transferred or received?
- How does your practice back up medical records with protected health information (PHI)?
- Do any employees have access to patient records when they are not physically present at the practice?
- What is your plan if an unauthorized person unlawfully accesses an individual’s PHI without the patient’s consent?
- Do you perform a yearly risk assessment? If so, what does that entail?
- What privacy training do you provide to your workforce?
As you can tell from the specificity of these questions, your policies and procedures provide the substance behind your privacy practices. It is the meat on the bones of a compliant practice.
What if you do not have HIPAA-compliant policies and procedures? In this scenario, the Notice of Privacy Practices would be notifying patients of a set of policies and procedures that do not exist. Covered entities must create and adhere to written policies and procedures that specify how they protect PHI. Failure to comply with this aspect of HIPAA can lead to steep criminal and civil penalties.
The Second Document: Notice of Privacy Practices
The Notice of Privacy Practices explains several items to your patients. It discusses patients’ privacy rights, how your practice uses their protected health information, and your duty to protect their privacy. The notice should be given to each new patient at the first appointment and made available to patients upon request. In addition, if you have a website, you should make the notice available electronically.
So, what are the limitations of a Notice of Privacy Practices? A notice alone is not sufficient under HIPAA. For instance, a patient may ask for detailed explanations on how you keep their information stored electronically. Or a patient may ask what your process entails if an unauthorized source accesses their personal information. If you were to hand them your Notice of Privacy Practices, this document would not provide sufficient answers. Instead, you need to reference your policy and procedure manual for direction and provide it as a resource for your patient.
What If Your Healthcare Practice Is Not Subject to HIPAA?
The documents discussed above are required for covered entities as defined under HIPAA. Whether or not you are a covered entity goes beyond the scope of this article, but CMS offers a helpful tool for guidance.
A question we hear from clients is, “If I am not a covered entity under HIPAA, would making privacy policies and providing a Notice of Privacy Practices turn me into a covered entity?”
Even if you are not a covered entity under HIPAA, we strongly encourage you to create and implement privacy policies and a Notice of Privacy Practices for your patients. Doing so comes with legitimate benefits! It allows you to think through your practices related to security, privacy, password protection, and more. It also creates a sense of legitimacy that your patients will find reassuring.
It’s essential to understand the relationship between your notice and your policies. If you haven’t read these documents in a while, confirm that you have both and keep them updated. If you’re unsure whether your HIPAA policies and Notice of Privacy Practices are up to par and you’re in one of the states where we practice, we are happy to help! Schedule a free consultation with one of Jackson LLP’s healthcare attorneys to discuss your practice’s compliance.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.