HIPAA NPP: What is a Notice of Privacy Practices?

notice of privacy practices

HIPAA NPP: What is a Notice of Privacy Practices?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires its covered entities to distribute a plain-language Notice of Privacy Practices (NPPs) to all patients describing their policies for using and distributing protected health information (PHI).

What is Included in the Notice of Privacy Practices (NPP)?

By law, a HIPAA Notice of Privacy Practices acknowledgment form must include the following:

  • A prominently displayed header statement that reads, “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • The patient’s rights concerning their protected health information
  • The covered entity’s duties to protect PHI
  • How PHI can be used for treatment, payment, and healthcare operations
  • The types of uses and disclosures that require the patient’s authorization (and that they have the right to revoke authorization)
  • The circumstances in which the covered entity may use or disclose PHI without written authorization
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice
  • The date on which the notice is first in effect

What Is Not Included in The Notice of Privacy Practices?

HIPAA Notice of Privacy Practices are a general summary of the patient’s rights and the covered entity’s policies. It won’t include specific information like to whom they’ve already released your records.

As the HIPAA NPP will explain, patients have the right to receive an accounting of their PHI disclosures, but the NPP itself doesn’t include this information. You have to submit a specific request to the entity’s Privacy Officer for that.

Does a Patient Have to Sign the Notice of Privacy Practices Acknowledgement Form?

While HIPAA requires covered entities to provide patients with a Notice of Privacy Practices acknowledgment form, patients aren’t legally required to sign the acknowledgment of receipt.

If the patient refuses to sign the acknowledgment, the covered entity must keep a record of their refusal.

If patients sign, it’s simply a confirmation that they received the notice. They do not agree to any special uses or disclosures of their health records.

Who Must Develop a HIPAA NPP?

All covered entities must develop and distribute their own HIPAA NPP.

For the Notice of Privacy Practices, the definition of a covered entity includes the following:

  • All health plans
  • All healthcare clearinghouses, and
  • Any health care provider who electronically transmits individually identifiable personal health information in connection with a HIPAA-related transaction.

However, there are a few exceptions. Covered entities do not have to develop an NPP if they’re:

  • Correctional institutions with a healthcare provider component
  • Healthcare clearinghouses that only create or receive PHI as a business associate to another covered entity
  • Group health plans that only create or receive summary health information or enrollment/unenrollment (i.e., benefits are provided through insurance contracts with other covered entities)

When Should the NPP Be Provided to a Patient?

HIPAA Notice of Privacy Practices must be provided no later than the date of the first delivery of services.

Healthcare providers typically provide patients as part of the first-visit paperwork. It’s usually delivered as a Notice of Privacy Practices acknowledgment form. If the first service delivered is in the context of an emergency, the law allows the provider to give notice after the emergency has passed but as soon as possible.

Health plans have to give notice at the time of enrollment. At least once every three years, they must also send a reminder that enrollees can ask for a copy of the Notice of Privacy Practices at any time.

A covered entity must also provide HIPAA NPPs whenever there are material changes to its privacy practices.

Who Gets a HIPAA Notice of Privacy Practices?

HIPAA NPPs must be proactively given to patients who receive services from a covered entity.

In the case of health plans, only the “named insured” (coverage subscriber) must be given a HIPAA NPP. Other people the policy covers, like spouses and dependents, don’t necessarily need to receive their own NPP.

Additionally, any entity covered under HIPAA must make its notice available to anyone who asks for it (not just patients).

Where to Post Notice of Privacy Practices

In addition to distributing copies to individuals, HIPAA requires the NPP to be prominently posted on the covered entity’s website.

If the covered entity has a physical address for patients to visit, the HIPAA NPP must be posted in a clear and easy-to-find location. For providers, the best place to post Notice of Privacy Practices is often in the lobby or waiting room.

How Do You Learn More About HIPAA Requirements?

HIPAA is a complex and important piece of legislation for people in the healthcare field. It can be challenging to understand and remember what it requires.

Luckily, one HIPAA requirement is for workers associated with the healthcare industry to get training on HIPAA and its updates if they have access to protected health information.

We make it easy to satisfy these requirements with HIPAA training crafted for various industry roles. Whether you work directly with patients, in a dental office, as a sales rep, or providing related legal services, we have a HIPAA introduction or refresher course customized to your role and your needs.

Our courses are 100% online, so that you can complete them at your own pace from anywhere with an internet connection. We’re IACET accredited so that you can earn IACET continuing education units (CEUs) for your efforts. Enroll today to get started!