Under the HIPAA Privacy Rule, covered entity healthcare providers have an obligation to inform patients of what their medical privacy rights are. Covered entities must furnish a Notice of Privacy Practices to patients. Under most circumstances, the provider must make a good faith effort to provide the notice.

What is a Notice of Privacy Practices?

The HIPAA Privacy Rule requires covered entities (health plans and healthcare providers) to develop and distribute Notices of Privacy Practices (NPPs). The Notice of Privacy Practices must be given to patients. The notice must describe how the covered entity (CE) may and may not use protected health information (PHI), and what the patient’s rights and obligations with respect to the PHI are.

PHI is individually identifiable health information held or transmitted by a covered entity, in any form or medium, whether electronic, on paper, or oral. Protected health information that is created, stored, transmitted, or received in any electronic format or media is referred to as electronic protected health information (ePHI). The Notice of Privacy Practices must also describe how the covered entity may and may not use ePHI, and what the patient’s rights and obligations with respect to the ePHI are.

When Must Covered Entities Provide a Notice of Privacy Practice?

Covered entity providers that have a direct treatment relationship with an individual must provide the Notice of Privacy Practices to that individual no later than the first date on which the provider furnished medical services to the individual. When the first service delivery to an individual is provided over the Internet, through email, or otherwise electronically, the provider must send an electronic Notice of Privacy Practices automatically and contemporaneously in response to the individual’s first request for service. 

Do you have an effective HIPAA compliance program? Find out now by completing the HIPAA compliance checklist.

What Good Faith Effort Must Providers Then Make?

Once a healthcare provider has furnished the Notice of Privacy Practices, the provider must then, under 45 CFR § 164.520 c(2)(ii), make a good faith effort to obtain a written acknowledgment of receipt of the notice provided to the patient. If the provider does not obtain the written acknowledgment, the provider must document its good faith effort to obtain the acknowledgment. The provider must also document the reason why the acknowledgment was not obtained.

If the notice is delivered electronically, the provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice.

Providers must retain copies of the Notices of Privacy Practices that they issue. Providers must also retain copies of written acknowledgments. When written acknowledge cannot be obtained, providers must keep documentation of the good faith efforts made to obtain the written acknowledgment. 

What Does “Good Faith Effort” Actually Mean?

Under the law, a “good faith effort” is an honest, sincere, and reasonable attempt to do something. To make a “good faith effort” in obtaining a written acknowledgment is to make a bona fide attempt to determine the patient’s residence and obtain the acknowledgment, that is reasonable under the circumstances. This means that you cannot undertake a pro forma, cursory attempt to obtain the written acknowledgment. Making the good faith effort consists of taking reasonable steps to find the patient’s location, to obtain a written acknowledgment. 

Searching a telephone directory and a patient database for a patient’s contact information is considered reasonable, as these are common methods of accessing patient residential information. Spending an inordinate amount of time and money, however, is not necessary to satisfy the “good faith effort” requirement. Courts would most likely regard a provider’s hiring of a private detective who charges hundreds of dollars an hour, to locate the patient’s residence, as going beyond what “good faith” requires. Likewise, if a provider has the patient’s residential information and has requested the acknowledgment, but the patient has refused, in writing, to provide the acknowledgment, the law does not require that the provider make repeated additional efforts to extract the acknowledgment.

Is there an Exception to the Good Faith Rule?

When there is an emergency treatment situation, the Notice of Privacy Practices must be provided as soon as reasonably practicable after the treatment situation. This common-sense rule reflects the fact that during an emergency, when a patient is incapacitated, unconscious, or under anesthesia, the patient lacks the ability to understand that he or she is being given a document – let alone the ability to understand what the document is. In emergency treatment situations, the requirement to make a good faith effort to obtain written acknowledgment of receipt (or, if the acknowledgment is not obtained, to document the good faith efforts to obtain the acknowledgment and the reason why it was not obtained) does not apply.