DHHS Home Page NC DHHS On-Line Manuals  
     DHHS Manual Home Manual Admin Letters Change Notices Archive Search Index Help Feedback

Previous PageTable of ContentsNext Page



Section VIII:

Privacy and Security


Privacy Manual


HIPAA Privacy, Notice of Privacy Practices

Current Effective Date:


Revision History:

7/10/03, 8/1/12, 10/1/13

Original Effective Date:




The purpose of this policy is to specify the requirements for the Notice of Privacy Practices and its distribution, and to provide a standard Notice template for use by North Carolina Department of Health and Human Services (DHHS) HIPAA-covered entities in the development of their Notice.

This policy shall apply to DHHS HIPAA-covered entities.


Individuals served by a DHHS HIPAA-covered agency must be informed of their privacy rights and the agency’s responsibility to protect their protected health information. The NC DHHS, as a covered entity, is required to provide a Notice of Privacy Practices in accordance with the HIPAA Privacy Rule, 45 CFR Subtitle A, Subchapter C, Part 164 and the HIPAA Omnibus Final Rule.


DHHS shall develop a general departmental Notice of Privacy Practices. This general Notice shall be designed to inform individuals of the department's legal duties and privacy practices with respect to the protected health information (PHI) it collects from them in general. Given that the scope of DHHS HIPAA-covered entities' use and disclosure may vary significantly, agencies designated as covered health care providers, health plans, or health care clearinghouses shall be required to develop and provide their own individualized Notice of Privacy Practices. DHHS HIPAA-covered entities designated as internal business associates (IBA), however, will be allowed to use the general Notice of Privacy Practices, unless the DHHS Privacy Officer deems otherwise.

Both types of Notice of Privacy Practices shall outline the uses and disclosures of PHI the department/agency may make, and shall notify individuals of their rights and the department's/agency's legal duties with respect to protecting their PHI. DHHS HIPAA-covered entities shall only use and disclose PHI in a manner consistent with their Notice of Privacy Practices.

Upon request, an agency shall make its Notice of Privacy Practices available to any individual(s), whether or not the individual is an agency client. The agency shall provide such Notice in a manner consistent with all requirements specified within this policy.

NOTE: DHHS HIPAA-covered entities that operate an Employee Health Service (i.e., provides treatment services to employees above and beyond testing services required as a condition for employment (e.g., TB Tine Test)) are required to provide employees with an Employee Health Service Notice of Privacy Practices.


  1. Development of Notices: All Notice of Privacy Practices must contain the requirements outlined in 45 CFR 164.520. In order to assist in ensuring that agencies’ customized Notices contain all of the required elements, agencies should rely on the Notice of Privacy Practices Checklist and applicable templates for guidance.

    Notices of Privacy Practices developed by DHHS HIPAA-covered entities shall be written in plain and simple language that a client, employee, or personal representative can easily read and understand.

    Notices shall be made available in languages understood by a substantial number of clients served by each agency. At a minimum, each agency shall ensure its Notice is available in English and Spanish. DHHS agencies can request Braille Notices from the Division of Services for the Blind for clients who request such a format. Notices shall contain the elements described in the Notice of Privacy Practices Required Elements section of this policy.

  2. Notice Revisions: DHHS agencies shall promptly revise their privacy Notice whenever there is a material change to their client's rights or the agency's uses, disclosures, legal duties, or other privacy practices described in the Notice. A revised Notice shall be available upon request on or after the effective date of the revision.

    Except when required by law, an agency shall not implement a material change to any term of the Notice prior to the effective date of the Notice in which such change is reflected.

    Prior versions of an agency's Notice shall be retained for a period of at least six (6) years from the date of the last Notice delivery, or retained according to the agency's retention and disposition schedule, whichever is more stringent.

  3. Provision of the Notice: DHHS HIPAA-covered entities shall provide a written copy of their Notice of Privacy Practices to any individual requesting a copy, regardless of whether or not the individual is an agency client.

    DHHS agencies that operate an Employee Health Service shall provide a written copy of their Notice of Privacy Practices to each employee at their first treatment encounter.

    When providing individuals a Notice of Privacy Practices as required in this policy, an agency may provide their Notice to an individual by electronic mail (hereafter referred to as "e-mail") with a return receipt requested, if the individual agrees to an electronic Notice and such agreement has not been withdrawn. If the agency knows that the e-mail transmission failed, a paper copy of the Notice shall be provided to the individual. When a Notice is provided electronically, it shall meet the applicable delivery time requirements specified in this policy.

    Any agency that maintains a Web site that provides information to the public about the agency's services or benefits shall prominently post its Notice on the Web site and make the Notice available electronically from the Web site. The Notice on the Web site shall reflect the most recent version.

    DHHS HIPAA-covered entities do not have to provide their Notice to "inmates". "Inmates"; include inmates from the NC Department of Correction and clients committed through the criminal justice system to a psychiatric hospital (i.e., clients sent for pre-trial evaluation; clients found not guilty by reason of insanity; clients found incapable to proceed to trial [House Bill 95]).

  4. Approval Process: All Notices and revisions to Notices must be submitted to the DHHS Privacy Officer for final approval prior to public distribution. The DHHS Privacy Officer will obtain Attorney General Office approval for agency Notices and revisions to Notices when necessary. Also, the DHHS Privacy Officer is responsible for forwarding Employee Health Service Notices to the Division of Human Resources for approval.

  5. Additional Privacy Notice Requirements (Health Care Plans):

  6. Additional Privacy Notice Requirements (Health Care Providers That Have a Direct Treatment Relationship with Clients):

  7. Notice of Privacy Practices Required Elements:

For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.

Previous PageTop Of PageNext Page


     DHHS Manual Home Manual Admin Letters Change Notices Archive Search Index Help Feedback