Health care providers must provide Notice of Privacy Practices to their patients on the first date of service delivery. For hospitals, this would include providing the Notice as part of the Admission and Registration process. For physician clinics, this would include providing the Notice to each patient upon their first visit to the clinic.
Each facility must also post its Notice in a clear and prominent location where individuals seeking service are able to read it. In addition, if the facility maintains a web site, the Notice must also be available through that web site.
Patients must acknowledge in writing that they have received the Notice of Privacy Practices. Health care providers are required to make “good faith” efforts to obtain this acknowledgement. During emergency treatment situations, however, this requirement may be delayed until reasonably practical after the emergency situation has ended or been established.
Since state laws regarding the release of patient health information may vary from federal regulation, the facility HIM Director should work with the facility and/or legal counsel to ensure that if the requirements are inconsistent, then the more stringent of either state or federal statutes or regulations will apply. When state law is more stringent than a Federal standard requirement or implementation specification of HIPAA, state law will prevail and the facility’s Notice and all applicable policies and procedures should be revised to reflect such. Any requested changes to the Notice of Privacy Practices form must be related to individual state law requirements and must be reviewed and approved by the forms committee.
Patient records containing AIDS/HIV status, mental health diagnosis or treatment, or alcohol or drug diagnoses or treatment may require specific authorizations in some states. The HIM department should work with the facility and/or legal counsel to ensure state regulations are included in the policy for consistent interpretation, if necessary or appropriate.