
DHHS POLICY AND PROCEDURE MANUAL

_____________________________________________________________________________________________________________________

Section VIII: Privacy and Security
Title: Privacy Manual
Chapter: Client Rights Policies, Notice of Privacy Practices
Current Effective Date: 5/1/05
Revision History: 7/10/03
Original Effective Date: 4/14/03

_____________________________________________________________________________________________________________________

Purpose

The purpose of this policy is to specify the requirements for the Notice of Privacy Practices and its distribution, and to provide a standard notice template for use by North Carolina Department of Health and Human Services (NC DHHS) agencies in the development of their agency's Notice.

This policy shall apply to all DHHS Health Insurance Portability and Accountability Act (HIPAA) covered health care components.

Background

Individuals served by a DHHS HIPAA covered agency must be informed of their privacy rights and the agency's responsibilities with respect to protected health information. Each DHHS HIPAA covered agency is required to provide the Notice of Privacy Practices in accordance with the HIPAA Privacy Regulations, 45 CFR Subtitle A, Subchapter C, Part 164.

Policy

DHHS HIPAA covered agencies shall provide a Notice of Privacy Practices to individuals applying for or receiving agency services, with the exception of inmates. Additionally, an agency shall make its Notice of Privacy Practices available to any individual(s) upon request, whether or not the individual is an agency client. The agency shall provide such notice in a manner consistent with all requirements specified within this policy.

The Notice of Privacy Practices shall outline the uses and disclosures of protected health information that may be made, and notify individuals of their rights and the agency's legal duties with respect to protected health information. DHHS agencies that must comply with this policy shall use or disclose health information in a manner consistent with their Notice of Privacy Practices.

DHHS HIPAA covered agencies that operate an Employee Health Service that provides treatment services to employees above and beyond testing services required as a condition for employment (e.g., TB Tine Test) are required to provide employees with an Employee Health Service Notice of Privacy Practices.

Implementation

Privacy Notice Requirements Applicable to all DHHS HIPAA Covered Agencies

Additional Privacy Notice Requirements Applicable Only to Health Care Plans

    • Provision of Notice: The Division of Medical Assistance (DMA) shall ensure that health plans under the authority of DHHS provide the Notice of Privacy Practices on a timely basis to the health plan's named insured, hereafter referred to as the "casehead". Health plans shall initially provide the notice to all caseheads no later than April 14, 2003. After Notices have been distributed initially, new health plan enrollees shall receive a notice no later than the time of enrollment. New enrollee notices may be distributed at the time an application is filed, prior to determination of eligibility.


    • Notice Revisions: Whenever a DHHS health plan notice is materially revised from the previous notice, the revised notice must be provided to the caseheads then covered by the health plan within 60 days of the revision. When a notice contains translated language other than English, changes in the Notice to correct or improve the translation are not considered a material change.


    • Other Notification: At least once every three (3) years, the health plan shall notify the caseheads then covered by the plan of the availability of the notice and how to obtain a copy. At a minimum, this notification shall be presented in both English and Spanish. This notification may be combined with other communications sent routinely to caseheads (e.g., Medicaid cards).

Additional Privacy Notice Requirements Applicable Only to Health Care Providers That Have a Direct Treatment Relationship with Clients

    • Posting of Notice: DHHS agencies that are health care providers who have a direct treatment relationship (e.g., face to face) with their clients, and who have a physical site where health care is provided directly to individuals, shall post the Notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the agency will be able to read the Notice. DHHS agencies that operate an Employee Health Service shall post their Notice in the area where employees come for treatment.


    • Provision of Notice: Except in an emergency situation, these agencies shall provide the notice to clients or their personal representative no later than the date of the first treatment service delivery, including service delivered electronically or via telephone. In an emergency treatment situation, the Notice shall be provided as soon as reasonably practicable.

      If a health care provider's first treatment delivery to an individual is delivered electronically, the agency shall automatically forward an electronic notice to the individual. The individual who receives the electronic notice retains the right to receive a paper copy upon request. If the first treatment encounter with the individual is by telephone, the notice must be mailed within one working day of the telephone encounter. Scheduling an appointment is not considered a treatment encounter.

      DHHS agencies that provide residential services and must comply with the HIPAA Privacy regulations shall ensure that all clients in residence at the agency as of April 14, 2003, are provided a notice no later than April 14, 2003. Provision of the Notice can be met by having the client or personal representative read and return the notice; however, the agency must provide the client or personal representative with a copy of the notice upon request.

      DHHS facilities that are required to comply with federal regulation 42 CFR Part 2, relative to substance abuse, must provide their Notice of Privacy Practices to their substance abuse clients at the time of each admission. Otherwise, DHHS health care provider agencies that have a direct treatment relationship with clients need to provide the notice initially and when revisions are made as noted below in the Revision of Notice section.


    • Acknowledgement of Receipt of Notice: DHHS provider agencies with a direct treatment relationship shall make a good faith effort to obtain a written acknowledgment of receipt of the notice from the client or personal representative, except in an emergency situation. If the first treatment encounter with the client is by telephone, mailing the Notice to the client and asking the client to return the signed acknowledgment in person or by mail shall be considered a good faith effort. When a notice is delivered electronically, an electronic return receipt is considered valid written acknowledgment of the notice.

      Should a client or personal representative be unable to sign his/her name on the acknowledgment, an "x" or other mark/symbol is acceptable in place of a signature, as long as it is witnessed and documented, attesting to the validity of the signature.

      The top sheet of the notice template provides a section for an acknowledgment. The agency shall keep the signed page as documentation of Notice receipt.

      The agency shall not refuse to treat a patient because he/she would not sign a written acknowledgment; instead, the agency should document the good faith effort to obtain the signature. Documentation of a good faith effort shall include the date the Notice and acknowledgment were given/mailed to the individual, how they were delivered (in person, mailed, etc.), and the reason the acknowledgment was not signed (such as patient refused or did not mail acknowledgment back to agency).

      Each provider agency shall establish a tracking process to ensure that each client was asked to sign the acknowledgment and that the signed acknowledgment was retained or a good faith effort documented.

      The acknowledgment or good faith effort shall be filed in the client's medical record and retained in accordance with the agency's retention and disposition schedule for medical records, which shall be no less than six (6) years.


    • Revision of Notice: Whenever a DHHS health care provider's notice is materially revised from the previous notice, the revised notice shall be available to clients or personal representatives upon request on or after the effective date of the revision. If a written acknowledgment was previously obtained or a good faith effort documented, another written acknowledgment is not required when the notice is revised. In addition, the revised notice must be promptly posted in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider will be able to read the notice. If the provider agency has a public web site, the revised notice shall be available on the web site.

Notice of Privacy Practices Elements

    • This statement shall be in the header of the notice, or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
    • The notice shall contain a description of the types of uses and disclosures that the agency is permitted to make for treatment, payment, and health care operations. At least one (1) pertinent agency example shall also be included.
    • A description of all other purposes for which the agency is permitted or required to use or disclose protected health information without the individual's written authorization.
    • If a use or disclosure for any purpose is prohibited or significantly limited by another applicable law, the description of such use or disclosure shall reflect the more stringent law.
    • For each purpose described, the description shall include sufficient detail to inform the individual of the uses and disclosures that are permitted or required by federal regulations as well as state and federal law.
    • A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such an authorization.
    • If the agency intends to engage in any of the following activities, the activity description shall include a separate statement accordingly:
        1. The agency may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual; or
        2. The agency may contact the individual to raise funds for the agency.
    • The notice shall contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
        1. The right to request restrictions on certain uses and disclosures of protected health information, including a statement that the agency is not required to agree to a requested restriction;
        2. The right to receive communications of protected health information confidentially, as applicable;
        3. The right to inspect and copy protected health information;
        4. The right to request amendment to protected health information;
        5. The right to receive an accounting of applicable disclosures of protected health information; and
        6. The right of an individual, including an individual who has agreed to receive the Notice electronically, to obtain a paper copy of the Notice from the agency upon request.
    • The notice shall contain the agency's duties, as follows:
        1. A statement that the agency is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information;
        2. A statement that the agency is required to abide by the terms of the Notice currently in effect; and
        3. A statement that the agency reserves the right to change the terms of its Notice and to make the new Notice provisions effective for all protected health information that it maintains prior to issuing a revised Notice. The statement shall also describe how it will provide individuals with a revised Notice.
    • The notice shall contain a statement that individuals may complain to the agency and to the Secretary of the United States Department of Health and Human Services if they believe their privacy rights have been violated. A brief description of how the individual may file a complaint with the agency and a statement that the individual will not be retaliated against for filing a complaint shall also be included in the notice. This statement shall conform to the DHHS Privacy Complaints policy.


    • The notice shall contain the name, or title, and telephone number of a person or office to contact for further information.


    • The notice shall contain the date on which the notice is first in effect, which shall not be earlier than the date on which the notice is printed or published.


    • The Notice may also contain the following optional elements:
      If an agency elects to limit the uses or disclosures that it is permitted to make, the agency may describe these limitations in its Notice, provided that the agency may not include in its Notice a limitation affecting its right to make a use or disclosure that is:
        1. Required by law, or
        2. Believed by the agency, in good faith, to be necessary to prevent or lessen a serious and imminent threat to the health or safety of a person(s).

Reference:

DHHS Directive Number III-11; 45 CFR 164.520

For relevant forms:

DHHS Notice of Privacy Practices (form DHHS-0025)
DMH/DD/SAS Notice of Privacy Practices (form DHHS-0032)
Medicaid Notices of Privacy Practices (English)
Medicaid Notices of Privacy Practices (Spanish)



For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.
