Develop a Privacy Notice

In the last section we outlined the steps necessary for employers to adopt "Privacy Policies and Procedures." These include who has access to Protected Health Information (PHI), how it will be used within your organization and when the information may be disclosed. Next we will discuss developing a "Privacy Notice," which must be distributed to employees upon enrollment and within 60 days of a material revision to the notice.

Privacy notices must include the following elements:

* Header - The notice must contain the following statement as a header or otherwise be prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

* A description, including at least one example, of the types of uses and disclosures that the group health plan is permitted to make for each of the following purposes: treatment, payment and health care operations.

* A description of each of the other purposes for which the group health plan is permitted or required to use or disclose PHI without the individual's written consent or authorization.

* If use or disclosure permitted or required under the HIPAA privacy rule is prohibited or limited by applicable law, the description of such use or disclosure must reflect the more stringent law.

* A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization.

* A statement that the group health plan, or health insurance issuer or HMO, may disclose PHI to the sponsor of the plan, if applicable.

* A statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise these rights, including:

  • The right to request restrictions on certain uses and disclosures of PHI, including a statement that the group health plan is not required to agree to a requested restriction
  • The right to inspect and copy PHI
  • The right to amend PHI
  • The right to receive an accounting of disclosures of PHI
  • The right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request

* A statement that the group health plan is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI.

* A statement that the group health plan is required to abide by the terms of the notice currently in effect.

* A statement that the group health plan reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. The statement must also describe how the plan will provide individuals with a revised notice.

* A statement that individuals may complain to the group health plan and the Secretary of Health and Human Services if they believe their privacy rights have been violated, including a brief description of how the individual may file a complaint with the group health plan, and a statement that the individual will not be retaliated against for filing a complaint.

* The name, or title, and telephone number of a person or office to contact for further information.

* The date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.