Notice of Privacy Practices
A Notice of Privacy Practices (NPP) is a statement mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that describes how a healthcare organization will use and disclose protected health information (PHI). It also informs patients of their legal rights regarding their PHI.
These statements benefit both the patient and the healthcare provider because they inform patients of their rights and provide guardrails for practitioners and employees on how they may legally use and disclose medical information.
What is a Notice of Privacy Practices?
According to the U.S. Department of Health and Human Services, an NPP (HIPAA privacy notice) includes four key components:
- A description of how the provider plans to use and disclose protected health information and that patient permission is required before any information can be shared.
- The organization’s duty to protect health information privacy.
- Patient privacy rights and avenues they can explore if they believe their privacy rights were violated.
- How to contact an organization for more information about how health information is used and disclosed and how to make a complaint.
When enrolling in a plan or scheduling a first appointment, patients should be asked to sign a form acknowledging that they received the HIPAA notice. Every time they schedule a medical consultation with a healthcare provider, they should feel confident that their private health information is protected by the provider and by everyone in the organization who has access to it.
A covered entity includes any of the following:
- Providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, as long as they transmit information electronically.
- Health plans such as health insurance companies, HMOs, company health plans, and government programs that pay for healthcare.
- Health Care Clearinghouses that receive nonstandard health information from another entity.
What It Tells Patients
In general, a privacy notice should include the following information:
- What types of personal information are collected?
- How is personal data stored?
- How is collected personal information data used?
- What are the patient’s data protection rights?
- How can patients contact the organization for more information or to file a complaint?
- How are changes to the privacy notice communicated to users?
How NPPs Protect Patient Data
Personal data is any information that relates to an identified or identifiable person. Health data is sensitive personal data that requires additional protection. When you schedule an appointment with an online doctor to receive an online diagnosis or an online prescription, your personal information is protected.
According to the Office of Data Protection Authority, individuals have ten rights under the 2017 Data Protection Law. These include:
- Right to know who the organization is and what they will do with patient data.
- Right to know what data the organization has collected about the patient and why they have collected it.
- Right to object to data collection and processing for direct marketing purposes, on the grounds of public interest, or for historical or scientific purposes.
- Right to have incorrect data rectified.
- Right to have data erased.
- Right to restrict data processing.
- Right not to be subject to decisions based solely on automated processing.
- Right to data portability.
Organizations must demonstrate compliance with the 2017 Data Protection Law by showing that they:
- Have a valid, legal reason for collecting the data.
- Only use the data for its stated purpose.
- Only collect the minimum necessary data.
- Keep the data accurate and up to date.
- Keep data only as long as it is necessary.
- Maintain data integrity and confidentiality.
- Show evidence of their accountability.
Benefits of Having an NPP
Although NPPs are intended to protect patients’ personal health information, having an NPP also provides advantages to the organization. It requires the organization to clearly define what data is being collected and how that data is used.
In addition to being required by law, an NPP can establish trust between patients and healthcare organizations by providing clear guidelines on how their data will be used.
Having an NPP can also enhance the reputation of a healthcare entity by demonstrating its commitment to protecting patient data. Patients may hesitate to see an online doctor because of confidentiality and data protection concerns. Having a visible and well-written NPP can help patients feel more comfortable with their decision to seek care online.
Questions to Ask Before Creating An NPP
An NPP must comply with HIPAA and other regulations while being transparent, accessible, and understandable for patients and other users. Privacy notices must be accurate, transparent, and accountable.
Questions to consider when creating an NPP might include the following:
- What kind of personal data and health information do you need to collect?
- How do you plan to use this personal data?
- How do you plan to store patients’ data?
- How will you provide options for patients to manage cookies?
- How will you communicate changes to your privacy notice to patients?
- How can patients contact you with questions, concerns, or complaints?
How to Create an Effective NPP Statement
When creating your NPP statement, ensure that it is a clear and user-friendly explanation of how your organization will handle a patient’s personal health information, and that it covers both the covered entity’s responsibilities and the individual’s rights. Your HIPAA-compliant NPP should include the following:
- This statement as a header: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
- A description of how patient health information can be used for treatment, payment, and healthcare operations.
- A description of the types of uses of personal health information, including those that require patient authorization.
- A description of the circumstances under which the organization may disclose personal health information without patient authorization.
- The name, title, and phone number of a person or office to contact for further information or questions about the notice.
- The date on which the notice is first in effect.
- A statement that an individual may revoke an authorization.
- Patient rights information.
- Information about covered entity duties.