Key Documents Related to Patient Information

By Aurae Beidler

HIPAA Help

Key Documents

Three primary documents inform patients and give them some control over their protected health information or PHI

• Notice of Privacy Practices (NPP)

• Authorization

• Consent

Key Documents:Notice of Privacy Practices

• Required by HIPAA

• Explains:

– how a healthcare provider will use a patient’s PHI

– an individual’s rights under HIPAA

– the provider’s legal duties regarding PHI

Key Documents:Notice of Privacy Practices

• Must be:– offered to the patient on first encounter with the provider

– provided if there are major changes to the NPP

– provided on request by the patient

– available at the site of treatment

– posted prominently where it can be read clearly

– posted visibly on provider’s website

• Written acknowledgement from the patient must be obtained– If the patient refuses the notice this must be documented

Key Documents:Consent

• Not required by HIPAA• Sometimes called “Conditions of Treatment”• A consent may ask a patient for permission to use or

disclose PHI for treatment, payment, and healthcare operations (TPO)

• May include a statement on financial responsibility• No expiration date, but can be revoked

• Bottom line: A consent cannot substitute for an authorization. In order to release protected health information beyond TPO, we need to receive the patient’s written permission using an authorization form.

Consent Example

Key Documents:Authorization

• Required by HIPAA

• An authorization is used to release protected health information in many situations where it is required.

• Key elements that must be included in the authorization form:– Name of individual whose PHI is being disclosed

– Who may make the disclosure

– To whom the PHI is to be disclosed

– Type of information to be disclosed

– Signature of individual or legal representative

– Date authorization was signed

– Expiration date or event

– Statement of right to revoke

– Redisclosure statement

Elements of an Authorization

• Name of individual • Who may make the

disclosure

• Disclosure to

• Type of information

• Redisclosure statement• Expiration date or event• Statement of right to

revoke• Signature of individual and • Date signed

Key Documents:Authorization

• An authorization is defective if:

– the expiration date has passed.

– any of the information is known to be false.

– any of the required elements are missing.

• This means that protected health information cannot be released without a complete and valid authorization.

Summary

• Patients may sign a consent for treatment but this is not an authorization to release records.

• HIPAA forms including the Notice of Privacy Practices and Authorization have very specific requirements.

• Ensure that your authorization form contains all of the required elements.

• Before releasing protected health information that requires an authorization make sure the expiration date has not passed.

Learning activity

Find your organization’s Notice of Privacy Practices and complete the checklist:

Our NPP is posted so patients can easily see it.

Our NPP is available in the languages our patients speak and read.

Our NPP was updated after January 2013*

Our NPP is given to new patients.

Established patients are given the opportunity to receive a revised NPP.

Patients sign an acknowledgement that they have received our NPP.

* Your NPP may have been updated between 2009-2013. It needs to include all the requirements from the Omnibus Rule. See further information in other tutorials.

References

• Rinehart-Thompson, LA. (2013). Introduction to health information privacy and security; AHIMA Press.