1. Your HIPAA rules Ben Burton, JD, MBA, RHIA, CHP, CHC Notice of Privacy Practices

2. Objectives Who needs Notice of Privacy Practices (NPP) How to create your NPP Be able to use it Internally Externally Compliments your existing compliance program Tools

3. Who needs a NPP §164.500 Applicability. Covered entities Clearinghouses? When there is PHI some one needs a NPP

4. Notice vs. Consent Consent Requires agreement Notice Agreement not necessary

5. 45 CFR §164.520 §164.520 Notice of privacy practices for protected health information. Patient’s right CE’s duty Exceptions (not covered here) Group health plans Inmates

6. 45 CFR §164.520 (b) Written in “plain language” Think about your patients First visit or soon after Required elements Header - “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.” Required by law to provide notice Will notify of substantive changes – changes apply to all PHI Who they can contact regarding complaints Contact information Effective date

7. Uses and disclosures without a written authorization Treatment, Payment, and Operations (TPO) exceptions Maine – except in an emergency mental health notes disclosed outside “the office, practice or organizational affiliate” require patient authorization – not required to be in the NPP Exceptions (HIE, treatment, and payment)

8. Uses and disclosures without a written authorization (cont.) Other permissible uses without consent (cont.) Law Public health and welfare (protection and reporting) – examples: victims of crime, FDA, communicable diseases, etc. Crime (limited) Court order or subpoena Other Care related Treatment options Benefits Non- CE involved in care (with certain restrictions)

9. Uses and disclosures without a written authorization (cont.) Other Research Healthcare oversight (e.g. Joint Commission) To organizations attorney (to defend) Immunizations (specific organizations, federal law requires consent) General information (directory under HIPAA) HIE (other information sharing) Decease patient (medical examiner or corner) Organ and tissue donation Threats to health or safety Work Comp. Correctional institutions Required by military (legally allowed) National security (protect the President) If engaged in the following Fundraising (need to know about opt. out) Health Plan only Use of PHI for underwriting Exclude GINA for underwriting purposes

10. Patient Rights List the rights and how to exercise the right Rights Request restrictions (Must agree in limited circumstances) Receive confidential communications must comply with reasonable requests Copies and inspect designated record set Accounting of disclosures (non routine disclosures) Paper copy of the notice To complain To complete an authorization Notification of a Breach

11. Recommendations Lead with what the patient wants to hear This is to protect your privacy Allows us to provide the best care Include contact information multiple places Want patients to call you with questions Make sure you are available to answer questions promptly

12. Use NPP Internally ROI Clinical staff Externally

13. Used across departments NPP should be used with compliance programs, etc. Reference NPP One NPP Don’t duplication forms or P&Ps

14. Tools http://www.ecfr.gov/cgi-bin/text- idx?SID=2fd6a3d8787d454df3fdabfb170bde47&node=se45. 1.164_1520&rgn=div8 (45 CFR § 164.520) http://www.ecfr.gov/cgi-bin/text- idx?SID=2fd6a3d8787d454df3fdabfb170bde47&node=se45. 1.164_1520&rgn=div8 http://www.mainelegislature.org/legis/statutes/22/title22 sec1711-C.html (22 MRSA § 1711-C) http://www.mainelegislature.org/legis/statutes/22/title22 sec1711-C.html http://www.hhs.gov/ocr/privacy/hipaa/understanding/co veredentities/notice.html (hhs.gov notice of privacy practices) http://www.hhs.gov/ocr/privacy/hipaa/understanding/co veredentities/notice.html http://www.hhs.gov/ocr/privacy/hipaa/understanding/co nsumers/noticepp.html (FAQs) http://www.hhs.gov/ocr/privacy/hipaa/understanding/co nsumers/noticepp.html