The Notice of Privacy Practices (NoPP) document patients sign is likely the one and only well-understood HIPAA requirement. However, based on my experience working with hundreds of healthcare providers and staff, there are a few things you may not know. This article is a quick overview of lesser-known requirements to help you be compliant.


You must make a good faith effort to obtain an individual's written acknowledgment that they have received your NoPP no later than the date of first service.

Because your NoPP is a notice, not consent, you are simply obtaining the person's acknowledgment of receipt instead of their authorization. In other words, the intent of the notice is to inform patients about your legal use of their information; you are not asking them for permission. This also means you may still see patients who refuse to sign the acknowledgment. In the rare event a patient refuses to sign your NoPP acknowledgment form, be certain to document your attempt and the patient's refusal.

Prominently post

If you provide services at a physical office location, then you must post your entire notice in a clear and prominent location within the facility. The format and design are your choice, as long as the information is the same as what you distribute to individuals.

Website posting

If your business has a website, you must include your NoPP somewhere on the site. There doesn't appear to be the same "prominent location" language with regard to websites; therefore, you needn't include the notice on your homepage so long as the notice is accessible somewhere.

Revision notification

Good news. If you revise your NoPP you don't need to mail or otherwise notify patients of the change. You must, however, make the up-to-date notice available upon request, post it prominently in your office, and add it to your website.

No face-to-face first visit

Health and Human Services (HHS) provides thorough guidance on the subject. Here is what they say:

A health care provider who first treats a patient over the phone satisfies the notice provision requirements of the Privacy Rule by mailing the notice to the individual the same day, if possible. To satisfy the requirement that the provider also make a good faith effort to obtain the individual’s acknowledgment of the notice, the provider may include a tear-off sheet or other document with the notice that requests that the acknowledgment be mailed back to the provider. The health care provider is not in violation of the Rule if the individual chooses not to mail back an acknowledgment; and a file copy of the form sent to the patient would be adequate documentation of the provider’s good faith effort to obtain the acknowledgment.

"Layered" notice

To improve the patient experience in your office you can offer a "layered" notice, which means giving the patient a short summary sitting on top of the longer NoPP itself—layered. Think of this as putting a bullet point style brochure on top of the scarier and more complex notice. Offering a summary of complex material can be a wonderful gesture.

Let's conclude this article with what the NoPP is NOT. Your NoPP is not a substitute for an individual's authorization. This means if you want to use or disclose patient information not automatically permitted by the Privacy Rule (e.g., email appointment reminders, testimonials, and online scheduling are not permitted) then you must still get separate written authorization from the patient.