§164.520(a)(1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.

§164.520(b)(1) Required elements. The covered entity must provide a notice that is written in plain language and that contains the elements required by this paragraph.
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
(ii) Uses and disclosures. The notice must contain: (A) A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations. (B) A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written authorization. (C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in §160.202 of this subchapter. (D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law. (E) A description of the types of uses and disclosures that require an authorization under §164.508(a)(2)–(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization as provided by §164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement informing the individual of such activities, as applicable: (A) In accordance with §164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; (B) In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; or (C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.
(iv) Individual rights. The notice must contain a statement of the individual’s rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows: (A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under § 164.522(a)(1)(vi); (B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable; (C) The right to inspect and copy protected health information as provided by § 164.524; (D) The right to amend protected health information as provided by § 164.526; (E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and (F) The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.
(v) Covered entity’s duties. The notice must contain: (A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information; (B) A statement that the covered entity is required to abide by the terms of the notice currently in effect; and (C) For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
(vi) Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).
(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

Audit Inquiry

Does the covered entity have a notice of privacy practices?
If yes, verify the current notice contains all the required elements.

• Header

164.502(a)(1) – Permitted uses and disclosures
Does the covered entity include in its notice a description of the following permitted uses and disclosures?

• To the individual
• For treatment, payment, or health care operations (with at least one example of a use and disclosure for each purpose)
• For public health and safety issues
• For research purposes
• To comply with the law
• To respond to organ and tissue donation requests
• To work with a medical examiner or funeral director
• To address workers’ compensation, law enforcement and other government requests
• To respond to lawsuits and legal actions.

Pursuant to an agreement under, or as otherwise permitted by § 164.510 – Uses and disclosures requiring an opportunity to agree or object:
(i) For facility directories
(ii) For involvement in the individual’s care and notification purposes.
164.512 – Uses and disclosures for which an authorization or opportunity to agree or object is not required
Does the covered entity include in its notice the following uses and disclosures for which an authorization or opportunity to agree or object is not required:
• As required by law
• For public health activities
• Disclosures about victims of abuse, neglect or domestic violence
• For health oversight activities
• Disclosures for judicial and administrative proceedings
• Disclosures for law enforcement purposes
• About decedents
• For cadaveric organ, eye or tissue donation purposes
• For research purposes
• To avert a serious threat to health or safety
• For specialized government functions.
164.514(f)(1) – Standard: Uses and disclosures for fundraising.
Required Statements:
• A statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization
• A statement that the individual may revoke an authorization
If the covered entity intends to engage in any of the following activities, separate statements for certain uses or disclosures:
o A statement that the covered entity may contact the individual to raise funds and that the individual has a right to opt out of such communications
o A statement that genetic information cannot be used to decide whether coverage can be given or at what price
o A statement that information can be disclosed to a plan sponsor for plan administration.
Individual rights: Does the notice of privacy practices contain a statement of the individual’s rights and a description of how the individual may exercise the following rights:

• Obtain a copy of the individual’s health and claims records
• Request that the covered entity correct health and claims records
• Request confidential communications
• Ask the covered entity to limit what it uses or shares
• Obtain a list of those with whom the covered entity has shared information
• Obtain a copy of the privacy notice
• File a complaint with the entity and the Secretary of HHS

CE Duties: Does the covered entity notify individuals of its legal duties with respect to their PHI, which are:

• To maintain the privacy and security of their PHI
• To notify affected individual(s) if a breach occurs that compromised the privacy or security of their information
• To follow the duties and privacy practices described in the notice
• The covered entity will not use or share information other than as described here unless authorized in writing. Authorization may be revoked at any time, in writing.
Does the notice state that disclosures will be made:
• to the Secretary of HHS for HIPAA rules compliance and enforcement purposes
Complaints: The notice must contain a statement that the individual has a right to complain to the CE and to the Secretary if they believe their privacy rights have been violated, a brief description of how to file a complaint with the covered entity, and a statement of no retaliation for filing a complaint.

Contact: The notice must contain the name or title and telephone number of a person or office to contact for further information.

Effective date: The notice must contain an effective date.