HIPAA compliance requires facilities to have privacy policy: with HIPAA's compliance date for the privacy standard on April 14, 2003, each facility must have a detailed privacy policy. A preparation guide. (Feature Article).

The Health Insurance Portability and Accountability Act (HIPAA) requires that all covered entities (most nursing facilities meet the definition of covered entity) provide a notice to patients (or residents) detailing the ways in which the covered entity will use or disclose the patient's protected healthcare information (PHI). PHI is defined as individually identifiable health information that relates to the past, present, or future physical or mental health of, or the provision of healthcare to, a patient or resident.

With the arrival of HIPAA's compliance date for the privacy standard on April 14, 2003, each facility must have a detailed privacy policy in place. This article describes the elements of the privacy policy and discusses how facilities should prepare such policies so a final product is available for use on the compliance date.

Beginning April 14, a notice of the facility's policy with respect to PHI is required to be presented to the resident on or before the first time services are delivered to that resident. For a nursing facility, that generally would be at the time of admission. The receipt of the privacy notice must be acknowledged in writing, but the facility does not have to explain the notice or otherwise elaborate on its contents. Facilities also must post a copy of the privacy notice in a prominent location where it is reasonable to expect that the residents will see it. Copies of the notice also must be provided to anyone who requests one; the notice must be posted and available on the facility's Web site, if the facility has one.

If there is a material change to any part of the privacy policy, the notice must be revised, the new version posted, and information provided to residents that the new notice is available upon request. Facilities must provide the revised notice to the residents, but do not need to have residents who received an earlier version of the privacy policy acknowledge the receipt of the revised notice.

For record-keeping purposes, the facility must put a copy of the current notice in every resident's file and maintain a copy of each version of the notice in the facility's business files.

To assist in preparing the privacy policy, the regulations provide an outline to follow. Following is a list of the elements required by the HIPAA privacy regulations, along with commentary on each element.


This requirement is easily followed, but note that the statement must be in all caps and worded exactly as set forth above.

* A facility's privacy policy must include information relating to the uses and disclosures of the individual's PHI, including a description and one example for each of the types of uses and disclosures that the facility is permitted to make for the purposes of treatment, payment, and healthcare operations; a description of each of the other purposes that the facility is permitted or required to perform without consent, such as public health, governmental health oversight, judicial and administrative proceedings, law enforcement, and work-related illness or injury; and enough detail to clarify the uses and disclosures that are permitted or required by the Privacy Rule or other applicable laws.

This section may be lengthy because it will list the multiple ways that PHI is used and disseminated. You may want to consider for inclusion in the privacy policy: treatment purposes including creation of the healthcare records at the facility and for referrals to other healthcare providers, payment purposes, or healthcare operations such as quality improvement, business associates, facility directory, notifications to family members, marketing, fundraising, public health requirements, law enforcement requirements, and reports required by health oversight agencies, including your survey and certification office.

* Information that other disclosures and uses will be made only with the resident's written authorization and that he or she may revoke this authorization.

This information can be placed anywhere in the document and can state that revocation is possible, and the request for revocation must be in writing.

* Statement that describes the resident's rights concerning his or her PHI and how those rights may be exercised, such as (i) to request restrictions concerning certain uses and disclosures of PHI, (ii) to receive confidential communications of PHI, (iii) to inspect and copy PHI, (iv) to amend PHI, (v) to receive an accounting of disclosures of PHI, and (vi) to obtain a paper copy of the privacy notice on request even if the individual has agreed to receive the notice electronically.

Again, this provision will result in a lengthy disclosure. Under section i, the facility wants to make clear that while the resident can request that PHI not be disclosed, the facility is under no obligation to grant the request. Medicare and Medicaid facilities can state that there are times when the request cannot be honored, including emergencies, if the resident is being transferred to another healthcare facility, or if the disclosure is required by law. Under section iii, remember to indicate that if the resident wants copies of his/her medical record, HIPAA allows the facility to charge a reasonable copying fee. Section iv indicates that amending PHI is allowed, and requests for amendment should be made in writing with information to support the requested change. The accounting provisions listed under section v should be conditioned, and the policy should state that an accounting can only go back six years, and that no accounting will be given for disclosures for reason of treatment, payment, or healthcare operations; for disclosures made to the resident, the resident's legal representative, or any other individual involved in the resident's care; for disclosures to law enforcement officials; or for disclosures for national security purposes.

* The facility is required by law to maintain the privacy of the resident's PHI with a list of the duties and practices of the facility with respect to PHI; and further, the facility is required to abide by the terms of the notice currently in effect. The notice should state that the facility reserves the right to change the terms of its notice and to make new notice provisions effective for all PHI that it maintains. The facility must also describe how it will provide residents with a revised notice.

Facilities can choose to use a "layered notice," where this information is included on a summary page (or first layer) along with a summary of the resident's rights, then have a "second layer" that contains all of the elements required by the Privacy Rule.

Creating a privacy policy is not an easy task. It requires facilities to review and list the ways the facility uses and discloses PHI. By April 14, all facilities must have this notice of privacy policies prepared and available for new residents, as well as prominently posted in the facility. It is important that facilities begin to work on this notice as soon as possible so that internal and external review of the policy can be conducted before the policy is required. If you would like more specific information, visit the U.S. Department of Health and Human Services' Web site at html.

Sandra K. Battaglia, Esq., is of counsel with Balick & Balick, Wilmington, Delaware. She practices primarily in the area of health law, where she regularly counsels long-term care organizations and other healthcare providers in regulatory compliance matters, including HIPAA, corporate compliance, and state and federal regulations. To comment on this article, please send e-mail to
COPYRIGHT 2003 Medquest Communications, LLC

Title Annotation:Health Insurance Portability and Accountability Act compliance calls for facilities to have privacy policy
Author:Battaglia, Sandra K.
Publication:Nursing Homes
Geographic Code:1USA
Date:Mar 1, 2003