Scope of this standard
TXST will provide patients with a notice of the uses and disclosures of protected health information (PHI). The notice will also mention individual rights and TXST’s legal duties with respect to PHI. The notice will contain all required elements and will be provided as mandated in the HIPAA Privacy Rule.
This standard applies to all Texas State University healthcare components.
Content of the Notice of Privacy Practices (NPP)
The content of the NPP is mandated by the Privacy Rule and must contain at least the following elements:
- Notice of Privacy Practices must include elements addressing disclosure or use of PHI:
- To the individual
- For treatment, payment, or health care operations (with at least one example of a use and disclosure for each purpose)
- For public health and safety issues
- For research purposes
- To comply with the law
- To respond to organ and tissue donation requests
- To work with a medical examiner or funeral director
- To address workers’ compensation, law enforcement and other government requests
- To respond to lawsuits and legal actions.
- Required Language
- TXST must provide a notice that is written in plain language and that contains the elements required by this paragraph. TXST is also responsible for providing the NPP in a language that is readable by the individual, including the current top 15 languages.
- Header
- The notice must contain the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
- Uses and disclosures. The notice must contain:
- A description, including at least one example of the types of uses and disclosures that TXST is permitted by HIPAA to make for each of the following purposes: treatment, payment, and health care operations.
- A description of each of the other purposes for which TXST is permitted or required by HIPAA to use or disclose PHI without the individual's written authorization.
- If a use or disclosure for any purpose described in HIPAA is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in §160.202.
- For each purpose described in HIPAA, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.
- A description of the types of uses and disclosures that require an authorization, a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization.
- A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart.
- Separate statements for certain uses or disclosures. If TXST intends to engage in any of the following activities, the description required by HIPAA must include a separate statement informing the individual of such activities, as applicable:
- TXST may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications.
- Individual rights. The notice must contain a statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise these rights, as follows:
- The right to request restrictions on certain uses and disclosures of PHI including a statement that TXST is not required to agree to a requested restriction, except in case of a disclosure restricted under HIPAA;
- The right to receive confidential communications of PHI;
- The right to inspect and copy PHI;
- The right to amend PHI;
- The right to receive an accounting of disclosures of PHI; and
- The right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice from TXST upon request.
- TXST’s duties. The notice must contain:
- A statement that TXST is required by law to maintain the privacy of PHI, to provide individuals with notice of its legal duties and privacy practices with respect to PHI, and to notify affected individuals following a breach of unsecured PHI;
- A statement that TXST is required to abide by the terms of the notice currently in effect; and
- For TXST to apply a change in a privacy practice that is described in the notice to PHI that the covered entity created or received prior to issuing a revised notice, a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. The statement must also describe how it will provide individuals with a revised notice.
- Complaints. The notice must contain a statement that individuals may complain to TXST and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with TXST, and a statement that the individual will not be retaliated against for filing a complaint.
- Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information.
- Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
NPP Electronic Notice
Specific requirements for electronic NPP and notice:
- TXST must prominently post its notice on the web site and make the notice available electronically through the web site.
- TXST may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn.
- If TXST knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual.
- If the first service delivery to an individual is delivered electronically, TXST must provide electronic notice automatically and contemporaneously in response to the individual's first request for service.
- The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from TXST upon request.