The Health Insurance Portability and Accountability Act (HIPAA) includes provisions that address the security and privacy of a patient’s health information. Our hospital complies with the following procedures to ensure adherence to the HIPAA requirements.


The “Privacy Rule” is part of a set of standards under HIPAA’s “Administrative Simplification” provisions. The final rule requires health care providers (and other covered entities) to provide patients with a notice of the patient’s privacy rights and the privacy practices of the provider. Each patient will be provided with a Notice of Privacy Practices.

Notice of Privacy Practices

The Notice of Privacy Practices must clearly describe:

  • All uses and disclosures of protected health information that the facility is permitted or required to make under the HIPAA Privacy Rule
  • The patient’s rights regarding their protected health information
  • The facility’s legal obligations with respect to protected health information

Areas of Responsibility

Health care providers must provide Notice of Privacy Practices to their patients on the first date of service delivery. For hospitals, this would include providing the Notice as part of the Admission and Registration process. For physician clinics, this would include providing the Notice to each patient upon their first visit to the clinic.

Each facility must also post its Notice in a clear and prominent location where individuals seeking service are able to read it. In addition, if the facility maintains a web site, the Notice must also be available through that web site.

Patients must acknowledge in writing that they have received the Notice of Privacy Practices. Health care providers are required to make “good faith” efforts to obtain this acknowledgement. During emergency treatment situations, however, this requirement may be delayed until reasonably practicable after the emergency situation has ended or been stabilized.

Since state laws regarding the release of patient health information may vary from federal regulation, the facility HIM Director should work with the facility and/or legal counsel to ensure that, where the requirements are inconsistent, the more stringent of the state or federal statutes or regulations is applied. When state law is more stringent than a federal standard requirement or implementation specification of HIPAA, state law will prevail, and the facility’s Notice and all applicable policies and procedures should be revised to reflect this. Any requested changes to the Notice of Privacy Practices form must be related to individual state law requirements and must be reviewed and approved by the forms committee.

Patient records containing AIDS/HIV status, mental health diagnosis or treatment, or alcohol or drug diagnoses or treatment may require specific authorizations in some states. The HIM department should work with the facility and/or legal counsel to ensure state regulations are included in the policy for consistent interpretation, if necessary or appropriate.


  1. The Notice of Privacy Practices must be provided as part of the Admission process for inpatient admissions to the hospital, or on the first date of service delivery for outpatient visits.
  2. Frequency of Providing Notice: the Notice must be provided as part of every Inpatient admission. For recurring outpatient services such as outpatient physical therapy, the Notice must be provided at each registration.
  3. For hospital inpatient admissions, the patient is given the Consent to Treatment form.
  4. A paragraph regarding the Notice has been added to the Consent to Treatment form. By signing the consent form, the patient acknowledges that they have received a copy of the Notice of Privacy Practices.
  5. If a patient refuses to sign, indicating that he/she has received a copy of the Notice, the facility must document its efforts to obtain the acknowledgement and the reason(s) why the acknowledgement was not obtained. This documentation should be made directly on the Consent to Treatment form beside the Notice of Privacy Practices paragraph.
  6. The facility must adhere to the terms of the Notice. Should any changes be made, the Notice must promptly be revised and made available to patients upon request.
  7. Questions regarding the Notice of Privacy Practices should be directed to the facility’s Health Information Management Director.
  8. Information on filing privacy complaints should be directed to the Facility Privacy Officer.
  9. More stringent state and/or federal regulations will supersede any and all instructions in this policy. More stringent state regulations must be filed behind this policy document and will apply as appropriate to this policy/procedure.


Protected health information (PHI) refers to individually identifiable health information that is transmitted or maintained in any form and that is protected under the federal regulations. Examples include the patient’s name and other demographic information, medical records, x-ray films, etc.

Direct Treatment Relationship

A direct treatment relationship is a relationship between an individual and a health care provider in which:

  • the health care provider delivers health care directly to the individual; and
  • the health care provider provides services or products, or reports the diagnosis or results associated with the healthcare, directly to the individual.