If an individual agrees to receive the notice electronically, the covered entity may then provide the notice via email. As long as the agreement has not been withdrawn, the covered entity may provide revised notices through email as well. If a covered entity knows that an email transmission of the notice has failed, the covered entity must provide a paper notice. Entities providing electronic notice must do so no later than the date of the first in-person or telehealth service delivery. Patients who receive the electronic notice may also obtain a paper copy upon request.
45 CFR 164.520 and What Must the Notice of Privacy Practices Contain?
45 CFR 164.520 outlines the notice content requirements. The notice must contain:
- A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and healthcare operations.
- A description of each of the other purposes for which the covered entity is permitted or required under the Privacy Rule to use or disclose protected health information without the individual’s written authorization. These other purposes are outlined in 45 CFR 164.512, and include public health, health oversight, and law enforcement purposes.
- A statement of the individual’s privacy rights, including the right to complain to HHS and to the covered entity if a patient believes his or her privacy rights have been violated.
- A description of how to contact the covered entity for more information and to make a complaint.
45 CFR 164.520 and Additional Requirements
A covered entity must write its notice in plain language. The plain language requirement is satisfied as long as the covered entity makes a reasonable effort to organize material to serve the needs of the reader. This can be achieved, for example, by writing short sentences in the active voice, using “you” and other pronouns where appropriate, and using common, everyday words in sentences.
45 CFR 164.520 does not have any formatting requirements (i.e., page size, font size, or typeface). However, the notice must be capable of being understood by its recipients. The purpose of the notice is to inform individuals of their rights, and individuals who cannot understand those rights will be unable to exercise them.
HHS encourages covered entities to be sensitive to the needs of individuals who are vision-impaired or hearing-impaired. For example, a member of the covered entity’s workforce can read the notice to visually impaired individuals. The covered entity can provide hearing-impaired individuals with a video presentation that is played in the waiting area.