A Notice of Privacy Practices (NPP) is a document that explains to patients, employees, and clients how relevant health information will be collected, processed, stored, and used. It also explicitly outlines individuals' privacy rights over their Protected Health Information (PHI). Unlike many other aspects of HIPAA, the NPP is a highly visible representation of the Act's intentions and purpose, as it is a physical document that effectively must pass through the hands of, and be signed by, all consumers of a covered entity's services.
NPPs are connected to HIPAA's Privacy Rule. This rule gives patients important rights with regard to their PHI and identifies proper use and disclosure of PHI for patient care and other purposes. The NPP was created "to focus individuals on privacy issues and concerns, and to prompt them to have discussions with both their health plans, and their health care providers, and exercise their rights". The original drafters of HIPAA were concerned that the average healthcare consumer did not know their rights as a patient. HIPAA legislation helps ensure that patients enter into a business relationship with their provider with all the information they need to be an informed patient. Thus, HIPAA requires that each provider proactively deliver an NPP to each consumer. A standard NPP consists of an easily understandable notice that covers how a HIPAA-covered entity may use and disclose PHI, as well as an overview of an individual's rights, a covered entity's legal duties when storing or using PHI, and any additional privacy policies.
An NPP helps educate a new patient on how their provider will manage and protect their data. It also outlines a patient's rights to track and potentially remove that data. A HIPAA-approved NPP must include a few key elements to be considered compliant. Covered entities are required to provide notice, in plain language, that describes:
A covered entity must also include an effective date on their NPP. If it makes any updates to its privacy practices, the company must edit that date and redistribute its NPP. These requirements are why it sometimes seems as though every trip to the doctor includes reading and signing dozens of pages of information. Providers often make small changes to their NPP to reflect tweaks in regulations or changes in their IT environment, so they must provide the current notice to everyone who has not yet read and signed it.
Correctly writing your company's NPP can be technical and tricky, which is why the Department of Health and Human Services maintains templated versions on their website that can be used with minimal editing by most providers.
To help patients be advocates of their data, the NPP must outline the rights that HIPAA provides, including the following:
In short, healthcare providers have a duty and an obligation to be transparent about the practices they commit to in order to protect PHI, and a responsibility to share that information with the patient. Companies do not, however, always have to grant every request. For instance, any patient may request a correction to their medical history, but a provider has the right to decline to make it, although it must provide a written answer within 30 days.
So far, we've talked about what needs to be in an NPP and discussed the requirement for covered entities to produce and distribute one. Since HIPAA is government regulation, there are some complicated rules on when and how companies must provide an NPP:
As a technology provider that has been certified HIPAA-compliant since 2015, PubNub has a rich history of helping providers to operate with the confidence that their operations are in compliance. Hundreds of healthcare and health tech applications have been built and deployed using PubNub APIs and the PubNub Data Stream Network, all with HIPAA compliance implicitly provided.
Ensuring that technology applications match the commitments and obligations outlined in the NPP is vital to avoid technical violations of the HIPAA Privacy Rule. We encourage you to learn more about the solutions that organizations have already built and to refer to our E-Book Building a HIPAA-Compliant App.