DHHS POLICY AND PROCEDURE MANUAL
Privacy and Security
HIPAA Privacy, Notice of Privacy Practices
Current Effective Date:
7/10/03, 8/1/12, 10/1/13
Original Effective Date:
The purpose of this policy is to specify the requirements for the Notice of Privacy Practices and its distribution, and to provide a standard Notice template for use by North Carolina Department of Health and Human Services (DHHS) HIPAA-covered entities in the development of their Notice.
This policy shall apply to DHHS HIPAA-covered entities.
Individuals served by a DHHS HIPAA-covered agency must be informed of their privacy rights and the agency’s responsibility to protect their protected health information. The NC DHHS, as a covered entity, is required to provide a Notice of Privacy Practices in accordance with the HIPAA Privacy Rule, 45 CFR Subtitle A, Subchapter C, Part 164 and the HIPAA Omnibus Final Rule.
DHHS shall develop a general departmental Notice of Privacy Practices. This general Notice shall inform individuals, in general terms, of the department's legal duties and privacy practices with respect to the protected health information (PHI) it collects from them. Given that the scope of DHHS HIPAA-covered entities' use and disclosure may vary significantly, agencies designated as covered health care providers, health plans, or health care clearinghouses shall be required to develop and provide their own individualized Notice of Privacy Practices. DHHS HIPAA-covered entities designated as internal business associates (IBA), however, will be allowed to use the general Notice of Privacy Practices, unless the DHHS Privacy Officer deems otherwise.
Both types of Notice of Privacy Practices shall outline the uses and disclosures of PHI the department/agency may make, and shall notify individuals of their rights and the department's/agency's legal duties with respect to protecting their PHI. DHHS HIPAA-covered entities shall only use and disclose PHI in a manner consistent with their Notice of Privacy Practices.
Upon request, an agency shall make its Notice of Privacy Practices available to any individual(s), whether or not the individual is an agency client. The agency shall provide such Notice in a manner consistent with all requirements specified within this policy.
NOTE: DHHS HIPAA-covered entities that operate an Employee Health Service (i.e., provide treatment services to employees beyond the testing services required as a condition of employment, e.g., the TB Tine Test) are required to provide employees with an Employee Health Service Notice of Privacy Practices.
- Development of Notices: All Notices of Privacy Practices must contain the requirements outlined in 45 CFR § 164.520. To help ensure that agencies' customized Notices contain all of the required elements, agencies should rely on the Notice of Privacy Practices Checklist and applicable templates for guidance.
Notices of Privacy Practices developed by DHHS HIPAA-covered entities shall be written in plain and simple language that a client, employee, or personal representative can easily read and understand.
Notices shall be made available in languages understood by a substantial number of clients served by each agency. At a minimum, each agency shall ensure its Notice is available in English and Spanish. DHHS agencies can request Braille Notices from the Division of Services for the Blind for clients who request such a format. Notices shall contain the elements described in the Notice of Privacy Practices Required Elements section of this policy.
- Notice Revisions: DHHS agencies shall promptly revise their privacy Notice whenever there is a material change to their client's rights or the agency's uses, disclosures, legal duties, or other privacy practices described in the Notice. A revised Notice shall be available upon request on or after the effective date of the revision.
Except when required by law, an agency shall not implement a material change to any term of the Notice prior to the effective date of the Notice in which such change is reflected.
Prior versions of an agency's Notice shall be retained for a period of at least six (6) years from the date of the last Notice delivery, or retained according to the agency's retention and disposition schedule, whichever is more stringent.
- Provision of the Notice: DHHS HIPAA-covered entities shall provide a written copy of their Notice of Privacy Practices to any individual requesting a copy, regardless of whether or not the individual is an agency client.
DHHS agencies that operate an Employee Health Service shall provide a written copy of their Notice of Privacy Practices to each employee at their first treatment encounter.
When providing individuals a Notice of Privacy Practices as required in this policy, an agency may provide their Notice to an individual by electronic mail (hereafter referred to as "e-mail") with a return receipt requested, if the individual agrees to an electronic Notice and such agreement has not been withdrawn. If the agency knows that the e-mail transmission failed, a paper copy of the Notice shall be provided to the individual. When a Notice is provided electronically, it shall meet the applicable delivery time requirements specified in this policy.
Any agency that maintains a Web site that provides information to the public about the agency's services or benefits shall prominently post its Notice on the Web site and make the Notice available electronically from the Web site. The Notice on the Web site shall reflect the most recent version.
DHHS HIPAA-covered entities do not have to provide their Notice to "inmates". "Inmates" include inmates of the NC Department of Correction and clients committed through the criminal justice system to a psychiatric hospital (i.e., clients sent for pre-trial evaluation; clients found not guilty by reason of insanity; clients found incapable of proceeding to trial [House Bill 95]).
- Approval Process: All Notices and revisions to Notices must be submitted to the DHHS Privacy Officer for final approval prior to public distribution. The DHHS Privacy Officer will obtain Attorney General Office approval for agency Notices and revisions to Notices when necessary. Also, the DHHS Privacy Officer is responsible for forwarding Employee Health Service Notices to the Division of Human Resources for approval.
Additional Privacy Notice Requirements (Health Care Plans):
- Provision of the Notice: A DHHS HIPAA-covered agency designated as a health plan (i.e., Division of Medical Assistance) shall provide its Notice of Privacy Practices on a timely basis to its named insured (hereafter referred to as the "recipient"). New health plan enrollees shall receive a Notice no later than the time of enrollment. New enrollee Notices may be distributed at the time an application is filed, prior to determination of eligibility.
- Notice Revisions: Whenever a DHHS health plan Notice is materially revised from the previous Notice, the revised Notice must be provided to the recipients then covered by the health plan within 60 days of the revision. When a Notice contains translated language other than English, changes to the Notice that correct or improve the translation are not considered a material change.
- Other Notification: At least once every three (3) years, the health plan shall notify the recipients then covered by the plan of the availability of the Notice and how to obtain a copy. At a minimum, this notification shall be presented in both English and Spanish. This notification may be combined with other communications sent routinely to recipients (e.g., Medicaid cards).
Additional Privacy Notice Requirements (Health Care Providers That Have a Direct Treatment Relationship with Clients):
- Posting of the Notice: DHHS agencies that are health care providers who have a direct treatment relationship (e.g., face to face) with their clients, and who have a physical site where health care is provided directly to individuals, shall post the Notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the agency will be able to read the Notice. DHHS agencies that operate an Employee Health Service shall post their Notice in the area where employees come for treatment.
- Provision of the Notice: Except in an emergency situation, these agencies shall provide the Notice to clients or their personal representatives no later than the date of the first treatment service delivery, including service delivered electronically or via telephone. In an emergency treatment situation, the Notice shall be provided as soon as reasonably practicable.
If a covered health care provider's first treatment of an individual is delivered electronically, the agency shall automatically forward an electronic Notice to the individual. The individual who receives the electronic Notice retains the right to receive a paper copy upon request. If the first treatment encounter with the individual is by telephone, the Notice must be mailed within one working day of the telephone encounter. Scheduling an appointment is not considered a treatment encounter.
DHHS covered health care providers that provide residential services shall ensure that all clients are provided a Notice. Provision of the Notice can be met by having the client or personal representative read and return the Notice; however, the agency must provide the client or personal representative with a copy of the Notice upon request.
DHHS covered health care providers that are required to comply with federal regulation 42 CFR Part 2, relative to substance abuse, must provide their Notice of Privacy Practices to their substance abuse clients at the time of each admission. Otherwise, DHHS covered health care providers that have a direct treatment relationship with their clients need to provide the Notice initially and when revisions are made as noted below in the Revision of Notice section.
- Acknowledgement of Receipt of the Notice: DHHS covered health care providers with a direct treatment relationship shall make a good faith effort to obtain a written acknowledgment of receipt of the Notice from the client or personal representative, except in an emergency situation. If the first treatment encounter with the client is by telephone, mailing the Notice to the client and asking the client to return the signed acknowledgment in person or by mail shall be considered a good faith effort. When a Notice is delivered electronically, an electronic return receipt is considered a valid written acknowledgment of the Notice.
Should a client or personal representative be unable to sign his/her name on the acknowledgment, an "x" or other mark/symbol is acceptable in place of a signature, as long as it is witnessed and documented, attesting to the validity of the signature.
The Notice should provide a section for an acknowledgment. The agency shall keep the signed page as documentation of the receipt of Notice.
The DHHS covered health care provider shall not refuse to treat a patient because he/she would not sign a written acknowledgment; instead, it should document the good faith effort to obtain the signature. Documentation of a good faith effort shall include the date the Notice and acknowledgment was given/mailed to the individual, how it was delivered (in person, mailed, etc.), and the reason the acknowledgment was not signed (such as, patient refused or did not mail acknowledgment back to the covered health care provider).
Each provider agency shall establish a tracking process to ensure that each client was asked to sign the acknowledgment and that the signed acknowledgment was retained or a good faith effort documented.
The acknowledgment or good faith effort shall be filed in the client's medical record and retained in accordance with the agency's retention and disposition schedule for medical records, which shall be no less than six (6) years.
- Revision of Notice: Whenever a DHHS health care provider's Notice is materially revised from the previous Notice, the revised Notice shall be available to clients or personal representatives upon request on or after the effective date of the revision. If a written acknowledgment was previously obtained or a good faith effort documented, another written acknowledgment is not required when the Notice is revised. In addition, the revised Notice must be promptly posted in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider will be able to read the Notice. If the provider agency has a public Web site, the revised Notice shall be available on the Web site.
Notice of Privacy Practices Required Elements:
- This statement shall be at the top of the Notice in a box: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
- The Notice shall contain a description of the types of uses and disclosures that the HIPAA-covered agency is permitted to make for treatment, payment, and health care operations. At least one (1) pertinent agency example shall also be included.
- A description of all other purposes for which the agency is permitted or required to use or disclose protected health information without the individual's written authorization.
- If a use or disclosure for any purpose is prohibited or significantly limited by another applicable law, the description of such use or disclosure shall reflect the more stringent law.
- For each purpose described, the description shall include sufficient detail to inform the individual of the uses and disclosures that are permitted or required by federal regulations as well as state and federal law.
- A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such an authorization.
- A statement that the covered entity is not permitted to use genetic information for underwriting purposes.
- A statement regarding the covered entity's obligations to maintain the privacy of an individual's PHI and of the individual's right to receive notification, in the event of a breach involving their PHI.
- A statement that, if the agency is a provider, the individual has the right to restrict disclosure of their PHI to a health plan if the individual paid the provider, in full, for the services rendered.
- If the agency intends to engage in any of the following activities, the activity description shall include a separate statement accordingly:
- The agency may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual; or
- The agency may contact the individual to raise funds for the agency. An individual has the right to opt out of receiving such communications.
The Notice shall contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
- The right to request restrictions on certain uses and disclosures of protected health information, including a statement that the agency is not required to agree to a requested restriction;
- The right to receive communications of protected health information confidentially, as applicable;
- The right to inspect and copy protected health information;
- The right to request amendment to protected health information;
- The right to receive an accounting of applicable disclosures of protected health information; and
- The right of an individual, including an individual who has agreed to receive the Notice electronically, to obtain a paper copy of the Notice from the agency upon request.
The Notice shall contain a statement that individuals may complain to the agency and to the Secretary of the United States Department of Health and Human Services if they believe their privacy rights have been violated. A brief description of how the individual may file a complaint with the agency and a statement that the individual will not be retaliated against for filing a complaint shall also be included in the Notice.
The Notice shall contain the agency's duties, as follows:
- A statement that the agency is required by law to maintain the privacy of protected health information and to provide individuals with Notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;
- A statement that the agency is required to abide by the terms of the Notice currently in effect; and
- A statement that the agency reserves the right to change the terms of its Notice and to make the new Notice provisions effective for all protected health information that it maintains prior to issuing a revised Notice. The statement shall also describe how it will provide individuals with a revised Notice.
The Notice shall contain the name or title, and telephone number of a person or office to contact for further information.
The Notice shall contain the date on which the Notice is first in effect, which shall not be earlier than the date on which the Notice is printed or published.
Certain uses and disclosures of PHI require an authorization, such as uses or disclosures of psychotherapy notes, disclosures of PHI for marketing, and disclosures that constitute a sale of PHI.
The Notice may also contain the following optional elements:
If an agency elects to limit the uses or disclosures that it is permitted to make, the agency may describe these limitations in its Notice, provided that the agency may not include in its Notice a limitation affecting its right to make a use or disclosure that is:
- Required by law, or
- Necessary, in the agency's good-faith belief, to prevent or lessen a serious and imminent threat to the health or safety of a person or persons.
For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.