Understanding the Notice of Privacy Practices (NPP) in HIPAA
What is Notice of Privacy Practices (NPP) in HIPAA?
In the context of HIPAA, a Notice of Privacy Practices (NPP) is a document that explains to patients, employees, and clients how relevant health information will be collected, processed, stored, and used. It also explicitly outlines individuals' privacy rights over their Protected Health Information (PHI). Unlike many other aspects of HIPAA, the NPP in healthcare is a highly visible representation of the Act's intentions and purpose, as it is a physical document that effectively must pass through the hands of, and be signed by, all consumers of a covered entity's services.
The Notice of Privacy Practices (NPPs) are connected to HIPAA's Privacy Rule. This rule gives patients important rights in regards to their PHI and identifies proper use and disclosure of PHI for patient care and other purposes. The original drafters of HIPAA were concerned that the average healthcare consumer did not know their rights as a patient, so the NPP was created "to focus individuals on privacy issues and concerns, and to prompt them to have discussions with both their health plans, and their health care providers, and exercise their rights". The HIPAA legislature helps ensure that patients enter into a business relationship with their provider with all the information they need to be an informed patient, therefore HIPAA requires that each provider proactively deliver an NPP to each consumer. A standard NPP consists of an easily understandable notice that covers how a HIPAA-covered entity may use and disclose PHI as well as an overview of an individual's rights, a covered entity's legal duties when storing or using PHI, and any additional privacy policies.
What is in a HIPAA NPP (Notice of Privacy Practices)?
The Notice of Privacy Practices helps educate a new patient on how their provider will manage and protect their data. It also outlines a patient's rights to track and potentially remove that data. A HIPAA-approved NPP must include a few key elements to be considered compliant. Covered entities are required to provide notice, in plain language, that describes:
How the covered entity may use and disclose protected health information about an individual. There are different ways of expressing these rules. The core element is ensuring that the reader understands that the provider does not have carte blanche on how they can use their information. If companies mismanage PHI, it can lead to significant penalties).
The individual patient's rights with respect to the information and how the individual may exercise these rights. It must also include how the individual may complain to the covered entity. Some of these rights are more obvious than others. For example, all patients are entitled to a paper copy of the PHI held by the provider. On the other hand, some are more obscure. For example, patients are allowed to request a list of all other entities with whom their PHI has been shared.
The covered entity's legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information. These duties include things like the obligation to protect PHI from unauthorized use, as well as the responsibility to inform you promptly if your information has been breached.
Whom individuals can contact for further information about the covered entity's privacy policies. This contact is an essential piece of information. Among different providers, the prior sections are likely nearly identical, but the contact information is always unique
A covered entity must also include an effective date on their NPP. If it makes any updates to its privacy practices, the company must edit that date and redistribute its NPP. These requirements are why it sometimes seems as though every trip to the doctor includes reading and signing dozens of pages of information. Providers often make small changes to their Notice of Privacy Practices to reflect tweaks in regulations or changes in their IT environment, so they must provide the current notice to everyone who has not yet read and signed it.
Correctly writing your company's Notice of Privacy Practices can be technical and tricky, which is why the Department of Health and Human Services maintains templated versions on their website that can be used with minimal editing by most providers.
What rights does a HIPAA NPP outline?
To help patients be advocates of their data, the NPP must outline the rights that HIPAA provides, including the following:
The right to request restrictions on certain uses and disclosures of PHI.
The right to receive confidential communications of PHI, as permitted by law.
The right to inspect and copy PHI.
The right to amend PHI, as permitted by law.
The right to receive an accounting of disclosures of PHI.
The right of an individual to obtain a paper copy of the notice, upon request.
The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes their privacy rights have been violated.
In short, healthcare providers have a duty and an obligation to be transparent both about the practices they are committing to in order to protect PHI. They also have a responsibility to share that information with the patient themselves. Companies do not, however, always have to respond to all requests for information. For instance, any patient may request a correction to their medical history, but a provider has the right to decline to do so, although it must provide a written answer within 30 days.
When should the NPP be provided to a patient
So far, we've talked about what needs to be in an NPP and discussed the requirement for covered entities to produce and distribute one. Since HIPAA is government regulation, there are some complicated rules on when and how companies must provide an NPP:
The notice of privacy practices should be provided under the following circumstances:
Covered entities must provide a copy of their NPP to anyone who asks for it.
They must also visibly post the NPP in their physical location(s) so that anyone who enters the space has clear and unobstructed access.
If an entity's website provides information about customer services and benefits, an NPP must also be posted on the website. This requirement mirrors the advertising requirements for prescription drugs, in which you hear the extensive lists of possible side effects only when the advertiser also lists the benefits of the medicine.
There are additional provider-specific requirements for distributing an NPP. For instance, a provider (like a doctor or hospital) must provide it on the patient's first visit, Emergency Rooms must deliver it at the first possible opportunity, and health plans must provide the NPP on sign-up as well as every three years afterward.
How PubNub can help with HIPAA and NPPs?
As a technology provider that has been certified HIPAA-compliant since 2015, PubNub has a rich history of helping providers to operate with the confidence that their operations are in compliance. Hundreds of healthcare and health tech applications have been built and deployed using PubNub APIs and network, all with HIPAA compliance implicitly provided.
Ensuring that technology applications match the commitments and obligations outlined in the NPP is vital to avoid technical violations of the HIPAA Privacy Rule. We encourage you to learn more about the solutions that organizations have already built and to refer to our E-Book Building a HIPAA-Compliant App.