Why Your Notice of Privacy Practices Alone Doesn’t Satisfy Your HIPAA Obligations
It’s a common question: “I already have a Notice of Privacy Practices. Does that mean I don’t need the HIPAA policy you mentioned?” Here’s why the answer is a resounding no.
We understand why busy healthcare professionals look for shortcuts to HIPAA compliance. So we’re not surprised if you’re crossing your fingers and hoping that your Notice of Privacy Practices has you covered.
Unfortunately, a notice of Privacy Practices document is not a substitute for written privacy policies and procedures. Nor is it sufficient to satisfy your legal and ethical requirements to safeguard patients’ medical privacy. It’s just the tip of the HIPAA iceberg.
Let’s unpack the roles of the Notice of Privacy Practices vs. the HIPAA policy document and explore why they’re both key to your compliance.
The Role of the Notice of Privacy Practices
As a required element of the HIPAA Privacy Rule, the Notice of Privacy Practices explains your duty to protect your patients’ privacy, lets them know their privacy rights, and discloses how you use their protected health information. It also provides a point of contact for further information and for making complaints. By law, your practice must provide the notice to every patient no later than the first service encounter, except in emergency treatment situations.
We recommend that you offer paper copies at your clinic and obtain written acknowledgment that the patient has received or declined notice. If you have a website, you must make the notice available electronically.
While the process of developing your Notice of Privacy Practices can help you think through some of your requirements, the notice is ultimately for the benefit of and use by your patients.
The Role of a HIPAA Policy
In contrast to the Notice of Privacy Practices, your HIPAA policy and procedures documentation drills down to how your practice meets both the privacy and security requirements of HIPAA. It details the affirmative steps that you take to:
- Protect the privacy of patient records
- Ensure the security of all recordkeeping systems, computers, and clinic locations
- Maintain a breach notification plan
- Perform risk assessments at least yearly
- Provide all required privacy training to your workforce
So whereas the Notice of Privacy Practices communicates expectations, a HIPAA policy specifies how you meet those expectations and others. It requires that you assess the risks for your own unique circumstances. A robust policy addresses not only routine workflows but also anticipates special situations (such as lost mobile devices or a patient who attracts extra curiosity among your team).
It’s clear how written policies and procedures can help you achieve compliance and minimize your risk of a breach. Unfortunately, it’s all too easy to procrastinate doing things that are good for you. So here’s an extra incentive: HIPAA requires you to maintain written policies and procedures.
In fact, the Office for Civil Rights (OCR) – the arm of the Department of Health and Human Services that investigates HIPAA violations — reports that inadequate or non-existent policies and procedures are among the most frequent violations. The cost of noncompliance can be steep, including criminal penalties and civil penalties up to $50,000 per violation.
To Be Prepared, Create a HIPAA Policy
In summary, your Notice of Privacy Practices won’t protect you from an audit. If it’s not backed by comprehensive written policies and procedures, you can face extensive fines and penalties from regulators.
If you haven’t done so already, resolve to create your HIPAA policies and procedures. We’re happy to help! Schedule a free consultation with one of Jackson LLP’s healthcare attorneys to discuss your practice’s compliance.