HIPAA Rights and Notice of Privacy Practices

The HIPAA Privacy Rule gives patients a series of legally enforceable rights with respect to their protected health information (PHI). One of the most important of these HIPAA rights is the right to receive a notice of privacy practices. This example of HIPAA rights is discussed below.

What Are HIPAA Rights: The Right to Receive a Notice of Privacy Practices

Under the Privacy Rule, patients have the right to receive a notice of privacy practices (NPP). HIPAA rights were created to give patients certain rights, to exercise greater control over how their protected health information can be used and disclosed. The notice of privacy practices contains a summary of these HIPAA rights, including the HIPAA rights to an accounting of disclosures, amendment of PHI, right of access to PHI, and right to request restrictions on uses or disclosures of PHI. To ensure a patient clearly understands what rights they have, and how to exercise them, the notice of privacy practices must describe HIPAA rights in plain language.

To honor patient HIPAA rights, the notice of privacy practices must separately describe each purpose for which a provider is permitted to use or disclose protected health information without written patient authorization. This description must contain sufficient detail to clearly place patients on notice of the fact of these uses and disclosures. The notice must also state that uses and disclosures may be made to carry out treatment, payment, and healthcare operations. 

The notice must include at least one example each of what constitutes use or disclosure for treatment, payment, and healthcare operations. The requirement to provide examples was imposed to ensure patients are informed of all legally required or permissible uses and disclosures the provider may make, even if the provider does not actually anticipate actually making such uses and disclosures. 

Confusion exists over whether a patient must sign the notice of privacy practices. Doctors, hospitals, or other healthcare providers must, under the Privacy Rule, ask you to state in writing that you received the notice. This signature is a written acknowledgment of receipt of notice. However, HIPAA does not actually require you to sign the “acknowledgement of receipt of the notice.”

Confusion exists as to the effect, if any, of a signature. Under HIPAA, signing does not mean that you have agreed to any special uses or disclosures (sharing) of your health records. Signing does not mean you “agree” that a provider has the right to use or disclose certain PHI without written authorization. The right of a provider to use or disclose certain PHI without written authorization exists in the law. A patient cannot change the law. A patient may disagree that a provider should have this right, but a patient cannot demand that a provider “remove” this right from the notice of privacy practices. 

What Happens If a Patient Refuses to Sign a NPP?

Is a patient who refuses to sign the acknowledgment of receipt entitled to treatment? Yes. A provider cannot use the refusal to sign to deny treatment. The provider must, however, keep a record of the fact that you did not sign. If a patient does not sign, what information may a provider disclose? The same amount and type of information that HIPAA permits any other provider to disclose.

A patient who is dissatisfied with the fact that HIPAA permits use or disclosure for payment, treatment, or healthcare operations regardless of what the patient demands, may avail himself or herself of another provision of the Privacy Rule, the “Right to Request Restrictions” provision. Under this provision, a provider must permit individuals to request that uses and disclosures of protected health information to carry out treatment, payment, and healthcare operations be restricted. While a provider is not required to agree to a request, the provider must adhere to those restrictions to which it has agreed. 

If a provider has agreed to a restriction, the provider may nonetheless use or disclose protected health information in violation of that restriction, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment. When emergency treatment is needed, the provider may use the restricted protected health information, or may disclose such information to a healthcare provider, to provide such treatment to the individual. If a provider has disclosed restricted PHI to another provider for emergency treatment purposes, the provider must request that the other provider not further use or disclose the information.

When the “right to request restrictions” rule was proposed, some insurers and other providers argued that a provider that has agreed to a restriction, make note of the existence of that restriction in the patient’s file. HIPAA does not require that a provider make this notation. The Department of Health and Human Services (HHS) advises providers to inform others of the existence of a restriction, in accordance with professional practice and ethics, when appropriate to do so.