Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 8 - Notice of Privacy Practices for PHI

 

Title: Notice of Privacy Practices
Policy: PRV-08.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.520(a)
Standard: Notice of Privacy Practices
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish and identify the requirements for the Notice.

Policy
  1. Right to Notice - Except as provided by paragraph (a)(2) or (3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by OSU, and of the individual's rights and OSU’s legal duties with respect to protected health information.  §164.520(a)(1)
  2. Exception for Inmates - An inmate does not have a right to notice under this policy, and the requirements of this section do not apply to a correctional institution that is a covered entity.  §164.520(a)(3)
  3. Content of Notice –
    1. Required Elements – OSU must provide a notice that is written in plain language and that contains the elements required by this policy.  §164.520(b)(1)
      1. Header - The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”  §164.520(b)(1)(i)
      2. Uses and Disclosures – The notice must contain:  §164.520(b)(1)(ii)
        1. A description, including at least one example, of the types of uses and disclosures that OSU is permitted by the Privacy Rule to make for each of the following purposes: treatment, payment, and health care operations.  §164.520(b)(1)(ii)(A)
        2. A description of each of the other purposes for which OSU is permitted or required by the Privacy Rule to use or disclose protected health information without the individual's written authorization.  §164.520(b)(1)(ii)(B)
        3. If a use or disclosure for any purpose described in paragraphs (3)(a)(ii)(1) or (2) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in §160.202 Preemption of State Law Definitions.  §164.520(b)(1)(ii)(C)
        4. For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.  §164.520(b)(1)(ii)(D)
        5. A description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by § 164.508(b)(5).  §164.520(b)(1)(ii)(E)
      3. Separate Statements for Certain Uses or Disclosures – If OSU intends to engage in any of the following activities, the description required by paragraph (3)(A)(ii)(1) of this policy must include a separate statement informing the individual of such activities, as applicable:  §164.520(b)(1)(iii)
        1. In accordance with § 164.514(f)(1), OSU may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; §164.520(b)(1)(iii)(A)
        2. In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; or  §164.520(b)(1)(iii)(B)
        3. If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.  §164.520(b)(1)(iii)(C)
      4. Individual Rights - The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:  §164.520(b)(1)(iv)
        1. The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under § 164.522(a)(1);  §164.520(b)(1)(iv)(A)
        2. The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable;  §164.520(b)(1)(iv)(B)
        3. The right to inspect and copy protected health information as provided by § 164.524;  §164.520(b)(1)(iv)(C)
        4. The right to amend protected health information as provided by § 164.526;  §164.520(b)(1)(iv)(D)
        5. The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and  §164.520(b)(1)(iv)(E)
        6. The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.  §164.520(b)(1)(iv)(F)
      5. Covered Entity’s Duties – The notice must contain:  §164.520(b)(1)(v)
        1. A statement that OSU is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;  §164.520(b)(1)(v)(A)
        2. A statement that OSU is required to abide by the terms of the notice currently in effect; and  §164.520(b)(1)(v)(B)
        3. For OSU to apply a change in a privacy practice that is described in the notice to protected health information that OSU created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.  §164.520(b)(1)(v)(C)
      6. Complaints - The notice must contain a statement that individuals may complain to OSU and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with OSU, and a statement that the individual will not be retaliated against for filing a complaint.  §164.520(b)(1)(vi)
      7. Contact - The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).  §164.520(b)(1)(vii)
      8. Effective Date - The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.  §164.520(b)(1)(viii)

 

Procedure
  1. OSU recognizes that every patient has a right to receive the Notice of Privacy Practices, except as defined in paragraph 2 of this policy.
  2. The HIPAA Compliance Office will be in charge of maintaining the Notice and keeping it up to date with all Federal and State requirements.
  3. The HIPAA Compliance Office will ensure the Notice meets the applicable requirements of this policy.
  4. OSU does not operate or manage a health plan; therefore, all health plan requirements are not applicable to OSU.
  5. It is the responsibility of the HIPAA Compliance Officer to ensure all clinic locations are giving patients the most up-to-date version of the Notice.
  6. The Notice shall have the revised date in the header section for easy identification.
  7. The Notice shall be placed conspicuously on the OSU HIPAA website.
Reference

Notice of Privacy Practices



 

Title: Provision of Notice
Policy: PRV-08.02
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.520(c)
Standard: Notice of Privacy Practices
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose
To identify how OSU must use and disseminate the Notice of Privacy Practices.
Policy

OSU must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.  §164.520(c)

  1. Specific Requirements for Certain Covered Health Care Providers - A covered health care provider that has a direct treatment relationship with an individual must:  §164.520(c)(2)
    1. Provide the Notice:  §164.520(c)(2)(i)
      1. No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or  §164.520(c)(2)(i)(A)
      2. In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.  §164.520(c)(2)(i)(B)
    2. Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (1)(a) of this policy, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained;  §164.520(c)(2)(ii)
    3. If the covered health care provider maintains a physical service delivery site:  §164.520(c)(2)(iii)
      1. Have the notice available at the service delivery site for individuals to request to take with them; and  §164.520(c)(2)(iii)(A)
      2. Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and  §164.520(c)(2)(iii)(B)
    4. Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (1)(c) of this policy, if applicable.  §164.520(c)(2)(iv)
  2. Specific Requirements for Electronic Notice
    1. A covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site.  §164.520(c)(3)(i)
    2. OSU may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If OSU knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of this policy when timely made in accordance with paragraphs (1) or (2) of this policy.  §164.520(c)(3)(ii)
    3. For purposes of paragraph (1)(a) of this policy, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (1)(b) of this policy apply to electronic notice.  §164.520(c)(3)(iii)
    4. The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.  §164.520(c)(3)(iv)
  3. Joint Notice by Separate Covered Entities - Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that:  §164.520(d)
    1. The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement;  §164.520(d)(1)
    2. The joint notice meets the implementation specifications in policy PRV-08.01 Notice of Privacy Practices, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and  §164.520(d)(2)
      1. Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies;  §164.520(d)(2)(i)
      2. Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and  §164.520(d)(2)(ii)
      3. If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement.  §164.520(d)(2)(iii)
    3. The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice.  §164.520(d)(3)
  4. Documentation -  OSU must document compliance with the notice requirements, as required by § 164.530(j), by retaining copies of the notices issued by OSU and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (1)(b) of this policy.  §164.520(e)
Procedure
  1. OSU will provide the Notice of Privacy Practices in all new patient paperwork packets at all clinic locations.  Should the patient be in an emergent state or otherwise not readily available to receive the Notice, OSU shall either wait until a more appropriate time during the patient encounter that same day, or mail (using at least First Class mail) the Notice to the patient within 24 hours or as soon as practicable.
  2. If a patient is brand new to the OSU clinic system, that is when the patient needs to receive the Notice.  Should that same patient then go and be seen in a different OSU clinic location within 1 year's time, that patient does not need to receive the Notice, even though they may be new to that specific clinic.
  3. It is the job of the employee checking the patients in to ensure all patients who are brand new to OSU receive the Notice.
  4. OSU Clinic locations may choose to post the Notice in a conspicuous location accessible to all patients, either in a packet stapled on the wall, large poster format, or other format that is easy to access in the clinic by all patients, especially those with mobility issues.
  5. OSU does not operate as a health plan, and therefore any such requirements for health plans do not apply.
  6. It is the responsibility of the HIPAA Compliance Officer to ensure the Notice is up to date with all State and Federal Regulations and that each clinic location is using the most up to date version.
  7. OSU reserves the right to update the Notice at any time for any reason.
  8. OSU shall notify or provide an updated copy of the Notice to all patients when there is a material change or as law requires.  If there are minor corrections, such as typos, there will not be a need to provide an updated copy to patients upon finalizing the minor changes.
  9. OSU shall always have the most recent version of the Notice available on the HIPAA website for all to print or view.
  10. Since OSU has a large number of Spanish-speaking patients, OSU will attempt to keep the Notice updated in Spanish.  OSU will not provide the Notice in any other language or dialect.
  11. If patients wish to have the Notice emailed to them, the OSU employee will gather the necessary information to email and then notify the HIPAA Compliance Office of such request.  The HIPAA Compliance Office will then email the patient the Notice.
  12. If the email does not go through, OSU shall attempt to contact the patient and verify the email address.  If that attempt is unsuccessful, OSU shall mail the Notice.
  13. If OSU and another covered entity decide to utilize the Joint Notice, the Notice shall be updated to reflect such change.  This will be considered a material change and as such, the Notice will then need to be given out to ALL patients.
  14. All patients who receive the Notice are to be asked to sign a document saying they’ve read and reviewed the document.  If the patient signs, we are to keep that signature on file, either on paper or electronically, and it should then be considered part of the Medical Record.
  15. If the patient does not sign or acknowledge the Notice, the OSU employee responsible for gathering such signatures shall document in the patient record what attempt was made to obtain such signature as required by (1)(b) of this policy and that shall then become part of the Medical Record.
  16. OSU employees shall not simply ask the patient to sign the Notice or other document that they did not offer or provide to the patient.  If this occurs, the Sanctions policy shall be followed.

 

Reference

Notice of Privacy Practices

