Privacy Notice Requirements

What is the purpose of a Privacy Notice?

The Privacy Notice forms the backbone of your privacy practices. It gives the patient written notice of all the possible uses and disclosures of protected health information (PHI) that you might make, and explains the patient's rights and the provider's duties with respect to the PHI. The patient consents to use and disclosure of their PHI based on the information provided in the Privacy Notice.

Who must provide a Privacy Notice?

  • A health care provider.
  • A health care clearinghouse that creates or receives PHI other than as a business associate of a covered entity.
  • A health plan.

Privacy Notice Requirements

Contents of the Notice: A Privacy Notice must be written in plain language and contain at least the following:

  • A prominent header reading "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
  • A separate description of each of the uses and disclosures that you are permitted to make for treatment, payment and health care operations pursuant to a signed consent, and that the individual may revoke or restrict consent. You must include at least one example of the types of uses and disclosures you are permitted to make.
  • A separate description of each of the uses and disclosures you are permitted to make without individual authorization, including at least one example.
  • Statements that other uses and disclosures would be made only with the individual's authorization and that the individual can revoke the authorization.
  • If you expect to contact individuals for any of the following activities, a list of the activities: providing appointment reminders, describing or recommending treatment alternatives, providing information about health-related benefits and services or soliciting funds for your own benefit. If you do not list these activities in your Privacy Notice, you are prohibited from doing them.
  • A description of the individual's rights under the privacy regulations and how the individual may exercise those rights, including the rights to:
    • Request restrictions on certain uses and disclosures, with a statement that the covered entity is not required to agree to the restriction;
    • Receive confidential communication of PHI;
    • Inspect and copy PHI;
    • Amend PHI; and
    • Receive an accounting of disclosures of PHI.
  • A statement that you are required by law to maintain the privacy of PHI, to provide notice of your legal duties and privacy practices, and to adhere to the notice.
  • A statement that your privacy practices may be changed and how the individual would be informed of these changes.
  • Instructions on how to make a complaint with you or the Department of Health and Human Services if they believe their privacy rights have been violated.
  • If the Privacy Notice was provided electronically, how the individual may receive a paper copy.
  • The name and telephone number of a contact person or office.
  • The date the notice went into effect.

Implementation Tip: The most important feature of the Privacy Notice is that it is understood by the individual and provides actual notice of your privacy practices. Accordingly, you must make the Privacy Notice available in languages other than English as appropriate for your community and provide necessary interpreter services or alternative means of communication. Remember that any covered entity that is a recipient of federal financial assistance generally is required under Title VI to provide material in the primary language of persons with limited English proficiency.

Implementation Tip: Remember that you must include all uses and disclosures permitted or required by law, not just those you intend to make.

Implementation Tip: If you share a Privacy Notice with other participants in an organized health care arrangement, make sure the privacy practices of all participants are included in the notice. If you are allowing medical staff physicians to join in your Privacy Notice and consent form as part of an organized health care arrangement, include either the names of those physicians, or where that list may be found, in the notice.
     
Optional Elements: The rules require you to include all uses and disclosures permitted by law, but you are allowed to describe the actual, more limited uses and disclosures you intend to make without authorization.

Implementation Tip: In an effort to promote yourself as having stringent privacy policies, make sure you don't promise to keep confidential PHI you are actually required by law to release or that is necessary to release to avert a serious and imminent threat to health or safety.

Revisions to the Notice

  • You must promptly revise your Privacy Notice if you materially change any of your uses or disclosures, the individual's rights, your legal duties or other privacy practices described in the notice.
  • You may not implement a material change prior to the effective date of the revised notice unless you have reserved the right to do so in your notice (unless the change is required by law).

Implementation Tip: Make sure you expressly reserve the right to change your privacy practices over time. You will still need to revise your Privacy Notice if you materially change your practices, but the new practice will apply to PHI collected or received before the effective date of the revised notice. If you do not reserve the right to change your practices, any PHI collected or received before you revise your notice must be segregated and treated according to the notice then in effect.

For example, if you state in your notice that you will only make public health disclosures required by law, but reserve the right to change your practices, you are prohibited from making any discretionary public health disclosures of PHI created or received during the effective period of the notice. If you wish at some later time to make discretionary disclosures for public health purposes, you must revise your notice but need not segregate your records. You may treat all PHI, regardless of when collected or received, according to the practices described in the revised notice.

Implementation Tip: If you revise your Privacy Notice to materially change your privacy practices, make sure you advise patients of the change so they may revoke or restrict their consent for use and disclosure of PHI or make other changes as necessary.

Providing Notice

  • A health care provider with a direct treatment relationship with an individual must provide the Privacy Notice as of the first service delivery after the compliance date. This applies whether the first service is delivered electronically or in person.
    • Q: How must the health care provider provide the notice?
    • A: If you maintain a physical service delivery site, you may prominently post the notice where it is reasonable to expect individuals seeking service to be able to read it. The notice must also be available on site for individuals to take on request. Revisions to the notice must be posted promptly and also available on site. If you maintain a website describing your services and benefits, you must make your Privacy Notice, and any revisions, prominently available through the site.
  • A health care provider with an indirect treatment relationship with an individual must provide the Privacy Notice only upon request.
  • Health plans must provide the Privacy Notice to all health plan enrollees as of the compliance date. After the compliance date, they must provide the notice to all new enrollees at the time of enrollment and to all enrollees within 60 days of a material revision of the notice. Health plans must notify enrollees no less than once every three years about the availability of the notice and how to obtain a copy.

Frequently Asked Questions

Q: Must the patient be given an actual copy of the Privacy Notice or merely access to the notice?
A: If you maintain a physical service delivery site, you may prominently post the notice where it is reasonable to expect individuals seeking service to be able to read it. The notice must also be available on site for individuals to take on request. Revisions to the notice must be posted promptly and also available on site.

Q: How must a health care provider with a direct treatment relationship with the patient notify the patient of revisions to the Privacy Notice?
A: Revisions to the notice must be posted promptly in a place where the patient is likely to see it. You must also have a copy of the revised notice available on site for the patient to take on request.

Q: Must the patient sign the Privacy Notice?
A: No, but it is a good idea to document that the patient was given a copy of the notice and an opportunity to review and understand it, including any interpreter services that may be necessary, before signing the consent. One way to do this is to include a statement to that effect on the consent form and require a signature and date.

Policy Team

Sean Kolmer, MPH
Senior Vice President of Policy & Strategy
skolmer@oahhs.org

Danielle Meyer, MSS
Director of Public Policy
dmeyer@oahhs.org

Rebecca Pawlak, MPH
Director of Public Policy
rpawlak@oahhs.org 
