HIPAA FAQ – Notice of Privacy Practice


Must a covered entity with a Notice of Privacy Practices that reflects the more stringent state laws of multiple states revise the whole Notice every time one state law materially changes?

The Privacy Rule requires the Notice of Privacy Practices (Notice) to identify, among other things, what uses and disclosures the covered entity may make of protected health information. The Notice must reflect any State law(s) that is more stringent than the Privacy Rule with respect to the use or disclosure of this information. Where the covered entity is subject to the privacy laws of multiple States, the more stringent use and disclosure laws of each of the States, if any, must be reflected in the Notice. See 45 CFR 164.520(b)(1)(ii)(C).

When there is a material revision to the Notice based on a change in State law, covered entities must use the revised Notice to meet the Rule’s requirements for distribution of the Notice that occur on or after the effective date of the revised Notice. See, generally, §§164.520(c)(1)-(3). In particular, a health plan must provide individuals (in most cases, the named insured) then covered by the plan with the revised Notice within 60 days of the revision. See §164.520(c)(1)(i)(C).

The Notice requirements are intended to ensure that individuals are fairly informed about how a covered entity may use or disclose their personal health information, including important limitations imposed by State law. Although a covered entity can describe more stringent State privacy laws in the uses and disclosures section of its Notice, this may be more confusing than informative to the individual, particularly where multiple and varying State laws may be applicable. There are other ways a covered entity can design its Notice that may make this information easier for the individual to read and understand, as well as to facilitate the covered entity’s ability to keep the information current and accurate. For instance, a general statement could be included in the uses and disclosures section of the Notice that clearly identifies and refers the reader to a separate section of the Notice which describes the more stringent State privacy law(s) and more fully informs the reader about how protected health information may be used and disclosed. Thus, when more stringent State privacy laws materially change the covered entity’s privacy practices, the covered entity would need to revise only the section of the Notice that contains the State law specific information.

Having a separable section on more stringent State laws can also facilitate distribution of the revised Notice when material changes occur in this section of the Notice. The revised State law section, if on a separate page, may be more readily inserted in or associated with existing Notices in place of the outdated material.

Is a pharmacist permitted to have a customer acknowledge receipt of the notice by signing or initialing the log book that they already sign when they pick up prescriptions?

Yes, provided that the individual is clearly informed on the log book of what they are acknowledging and the acknowledgment is not also used as a waiver or permission for something else that also appears on the log book (such as a waiver to consult with the pharmacist). The HIPAA Privacy Rule provides covered health care providers with discretion to design an acknowledgment process that works best for their businesses.

It is common for hospitals and other health care providers to collect preoperative information over the phone from a new patient prior to the day of surgery in order to determine whether the patient has any special medical concerns or issues that need to be addressed. Does the HIPAA Privacy Rule prohibit this practice if the patient has not yet received or acknowledged the provider’s notice?

No, the Privacy Rule does not prohibit this practice. Where a health care provider’s initial contact with a patient is simply to schedule an appointment or a procedure, or to collect information in anticipation of an appointment or a procedure, the Privacy Rule’s requirements for providing the notice and obtaining a patient’s acknowledgment of the notice may be satisfied at the time the individual arrives at the provider’s facility for his or her appointment or procedure.

Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?

The HIPAA Privacy Rule requires a covered health care provider with direct treatment relationships with individuals to give the notice to every individual no later than the date of first service delivery to the individual and to make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If the provider maintains an office or other physical site where she provides health care directly to individuals, the provider must also post the notice in the facility in a clear and prominent location where individuals are likely to see it, as well as make the notice available to those who ask for a copy. See 45 CFR 164.520(c) for other notice provision requirements.

Is our medical practice required to notify patients through the mail of any changes to our notice?

No. The HIPAA Privacy Rule does not require a covered health care provider to mail out its revised notice or otherwise notify patients by mail of changes to the notice. Rather, when a covered health care provider with a direct treatment relationship with individuals makes a change to his notice, he must make the notice available upon request to patients or other persons on or after the effective date of the revision, and, if he maintains a physical service delivery site, post the revised notice in a clear and prominent location in his facility. See 45 CFR 164.520(c)(2)(iv). In addition, the provider must ensure that the current notice, in effect at that time, is provided to patients at first service delivery, and made available on his customer service web site, if he has one. See 45 CFR 164.520(c).

Can a covered entity bypass obtaining an individual’s authorization for a use or disclosure not permitted by the HIPAA Privacy Rule simply by informing individuals of the use or disclosure through its notice of privacy practices?

No. A covered entity’s notice is not a substitute for an individual’s authorization. Covered entities are required to obtain the individual’s written authorization for any use or disclosure of protected health information not permitted or required by the Privacy Rule. See 45 CFR 164.508. Simply including in the notice a description of such a use or disclosure does not obviate the need for the covered entity to obtain the individual’s prior written authorization, when that authorization is required by the Rule. Instead, the notice must reflect the uses and disclosures a covered entity may make without the individual’s authorization, as permitted by the Privacy Rule, and must state that any other uses or disclosures will be made only with the individual’s written authorization. See 45 CFR 164.520(b).

Are health care providers required by the HIPAA Privacy Rule to post their entire notice at their facility or may they post just a brief description of the notice?

Covered health care providers that maintain an office or other physical site where they provide health care directly to individuals are required to post their entire notice at the facility in a clear and prominent location. The Privacy Rule, however, does not prescribe any specific format for the posted notice, just that it include the same information that is distributed directly to the individual. Covered health care providers have discretion to design the posted notice in a manner that works best for their facility, which may be to simply post a copy of the pages of the notice that is provided directly to individuals.

As a pediatrician, am I required to give my notice of privacy practices to the children I treat?

The HIPAA Privacy Rule requires a covered health care provider with a direct treatment relationship with the individual to provide the notice to the individual receiving treatment no later than the date of first service delivery. In cases where the individual has a personal representative, as is generally the case when a parent brings a child in for treatment, the provider satisfies the notice distribution requirements by providing the notice to the personal representative (e.g., the child’s parent), and making a good faith effort to obtain the personal representative’s acknowledgment of the notice.

In the limited cases where the parent is not the personal representative of the unemancipated minor, such as when the minor is authorized under State law to consent to the treatment and does so, the provider must give its notice to the minor and make a good faith effort to obtain the minor’s acknowledgment of the notice. See 45 CFR 164.502(g)(3) and 164.520(c)(2).

For group health plan products, can the health plan send its notice to the administrator of the group product or the plan sponsor for them to distribute to each employee enrolled in the plan?

The HIPAA Privacy Rule requires a health plan to distribute its notice to each individual covered by the plan. Health plans may arrange to have another person or entity, for example, a group administrator or a plan sponsor, distribute the notice on their behalf. However, if the other person or entity fails to distribute the notice to the plan’s enrollees, the health plan may be in violation of the Privacy Rule.

Does a health plan have to provide a copy of its notice to each dependent receiving coverage under a policy?

No. A health plan satisfies the HIPAA Privacy Rule’s requirements for providing the notice by distributing its notice only to the named insured of a policy under which coverage is provided both to the named insured and his or her dependents. See 45 CFR 164.520(c)(1)(iii).

We participate in an organized health care arrangement (OHCA). How are we to comply with the HIPAA Privacy Rule’s requirements for providing notices and obtaining individuals’ acknowledgements of the notice?

Health care providers and other covered entities that participate in an organized health care arrangement (OHCA) may use a single, joint notice that covers all of the participating covered entities (provided that the conditions at 45 CFR 164.520(d) are met), or may each maintain separate notices. Where a joint notice is provided to an individual by any one of the covered entities to which the joint notice applies, the Privacy Rule’s requirements for providing the notice are satisfied for all others covered by the joint notice. If the joint notice is provided to an individual by a direct treatment provider participating in the OHCA, the provider must make a good faith effort to obtain the individual’s written acknowledgment of receipt of the joint notice. Where the joint notice is provided to the individual by a participating covered entity other than a direct treatment provider, no acknowledgment need be obtained.

However, where covered entities participating in an OHCA choose to maintain separate notices, each covered entity from which an individual obtains services must provide its notice to the individual in accordance with the applicable requirements of 45 CFR 164.520(c). In addition, each direct treatment provider within the OHCA must make a good faith effort to obtain the individual’s acknowledgment of the notice he or she provides.

How are health care providers supposed to provide the notice to individuals and obtain their written acknowledgement of the notice when the first treatment encounter is over the phone or in some other manner that is not face-to-face?

The HIPAA Privacy Rule is intended to be flexible enough to address the various types of relationships that covered health care providers may have with the individuals they treat, including those treatment situations that are not face-to-face. For example, a health care provider who first treats a patient over the phone satisfies the notice provision requirements of the Privacy Rule by mailing the notice to the individual the same day, if possible. To satisfy the requirement that the provider also make a good faith effort to obtain the individual’s acknowledgment of the notice, the provider may include a tear-off sheet or other document with the notice that requests that the acknowledgment be mailed back to the provider. The health care provider is not in violation of the Rule if the individual chooses not to mail back an acknowledgment; and a file copy of the form sent to the patient would be adequate documentation of the provider’s good faith effort to obtain the acknowledgment.

Where a health care provider’s initial contact with the patient is simply to schedule an appointment or a procedure, the notice provision and acknowledgment requirements may be satisfied at the time the individual arrives at the provider’s facility for his or her appointment.

For services provided electronically, the notice must be sent electronically, automatically and contemporaneously, in response to the individual’s first request for service. In this situation, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice.

Are health plans required to make a good faith effort to obtain from their enrollees a written acknowledgement of receipt of the notice?

No. Under the HIPAA Privacy Rule, only covered health care providers that have a direct treatment relationship with individuals are required to make a good faith effort to obtain the individual’s acknowledgment of receipt of the notice. See 45 CFR 164.520(c)(2)(ii).

Are covered entities permitted to give individuals a “layered” notice?

Yes. Covered entities may use a “layered” notice to implement the HIPAA Privacy Rule’s requirements, so long as the elements required by 45 CFR 164.520(b) are included in the document that is provided to the individual. For example, a covered entity may satisfy the notice requirements by providing the individual with both a short notice that briefly summarizes the individual’s rights, as well as other information; and a longer notice, layered beneath the short notice, that contains all of the elements required by the Privacy Rule. Providing the notice in this fashion is a helpful tool to assure that more individuals will realize that important information is contained in the notice. In addition to ensuring the notice is in plain language (as required by the Privacy Rule), covered entities are encouraged to develop notices that maximize readability and clarity.

Does the HIPAA Privacy Rule permit health care providers to obtain an electronic acknowledgement of the notice from individuals?

Yes. For notice delivered electronically, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice. A provider who gives his paper notice to a patient during a face-to-face encounter with the individual at first service delivery may also obtain an electronic acknowledgment from the individual, provided that the individual’s acknowledgment is in writing. Thus, a receptionist’s notation in the provider’s computer system of the individual’s receipt of the notice would not be considered a valid written acknowledgment from the individual.

Does the HIPAA Privacy Rule require a health care provider to obtain a new acknowledgement of receipt of the notice from patients if the facility changes its privacy policy?

No. A covered health care provider with a direct treatment relationship with individuals is required to make a good faith effort to obtain an individual’s acknowledgement of receipt of the notice only at the time the provider first gives the notice to the individual — that is, at first service delivery. See 45 CFR 164.520(c)(2).

If a health care provider chooses to obtain an individual’s consent to use or disclose protected health information about them, does the provider also have to make a good faith effort to obtain the individual’s acknowledgement of the notice?

Yes. The HIPAA Privacy Rule requires that a covered health care provider with a direct treatment relationship with individuals make a good faith effort to obtain written acknowledgments from those individuals that they have received the provider’s notice, regardless of whether the provider also chooses to obtain the individuals’ consent. However, those providers that choose to obtain consent from individuals have discretion to design one form that includes both a consent and the acknowledgment of receipt of the notice.

Are hospitals or other health care providers required to provide their notices to patients they treat in an emergency?

Hospitals and other covered health care providers with a direct treatment relationship with individuals are not required to provide their notices to patients at the time they are providing emergency treatment. In these situations, the HIPAA Privacy Rule requires only that providers give patients a notice when it is practical to do so after the emergency situation has ended. In addition, where notice is delayed by an emergency treatment situation, the Privacy Rule does not require that providers make a good faith effort to obtain the patient’s written acknowledgment of receipt of the notice.

Is a health plan required to periodically notify enrollees about the availability, and how to obtain a copy, of its Notice of Privacy Practices?

Yes. The Privacy Rule requires a health plan to remind enrollees of the availability of its Notice of Privacy Practices, as well as how to obtain a copy, no less frequently than once every 3 years. See 45 CFR 164.520(c)(1)(ii).

Health plans may satisfy this requirement in a number of ways, including by:

  • Sending a copy of their Notice of Privacy Practices.
  • Mailing only a reminder concerning the availability of the Notice of Privacy Practices and information on how to obtain a copy.
  • Including in a plan-produced newsletter or other publication information about the availability of the Notice of Privacy Practices and how to obtain a copy.

Health plans already may have satisfied the reminder requirement in a number of ways. For instance, a health plan may have adopted the practice of sending its Notice of Privacy Practices to subscribers and enrollees annually. Or, a health plan may have substantially amended its Notice of Privacy Practices recently, and thus, sent the revised Notice to its subscribers and enrollees as required by the Privacy Rule. See 45 CFR 164.520(c)(1)(i)(C). Moreover, a plan may have included information regarding the availability of its Notice of Privacy Practices in annual communications sent to subscribers and enrollees of the plan.

A health plan can satisfy the requirement by providing the reminder notice to the named insured of a policy under which coverage is provided to that named insured and one or more dependents. See 45 CFR 164.520(c)(1)(iii). For instance, if an employee of a firm and her three dependents are covered under a single health plan policy, that health plan can satisfy the reminder requirement by sending information concerning the availability of the Notice of Privacy Practices to just the employee, rather than to the employee and each dependent.

This information is especially timely as the third anniversary of the compliance date of the HIPAA Privacy Rule nears. Health plans, other than small health plans, were first required to distribute their Notice of Privacy Practices to subscribers and enrollees by April 14, 2003. Thus, those health plans that have not already reminded subscribers and enrollees in some manner of the availability of their Notice of Privacy Practices and how they may obtain a copy, must do so no later than April 14, 2006. For small health plans, which had until April 14, 2004, to first distribute their Notices of Privacy Practices, the compliance date for the triennial reminder notice requirement is April 14, 2007. These plans can begin to prepare now to meet this requirement using the most efficient means, such as including the reminder notice of the availability of the Notice of Privacy Practices in open enrollment materials, a group health plan newsletter provided to all members, or similar all-member mailings.

Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure through its contract with the business associate that the business associate’s uses and disclosures of protected health information and other actions are consistent with the covered entity’s privacy policies, as stated in the covered entity’s notice. Also, a covered entity may use a business associate to distribute its notice to individuals.
