By Adrienne Dresevic, Esq. and Clinton Mikel, Esq., of The Health Law Partners, P.C.
One often overlooked, but critical, patient right under HIPAA involves the patient’s right to receive a Notice of Privacy Practices (NPP). Issues associated with NPP postings have become a focus area for the HHS Office for Civil Rights (OCR), both explicitly and in OCR’s behind the scenes auditing practice. Since there are differing requirements for administering NPPs based on direct or indirect treatment relationships, imaging providers and radiologists need to be aware of the idiosyncrasies applicable to their particular practice settings.
What are NPPs, and why are they important?
HIPAA requires that each new patient of a directly treating provider be provided with a NPP. The goal of the NPP is to inform patients: (i) how the healthcare organization will/may use and disclose a patient’s PHI; (ii) the patient’s rights and responsibilities with respect to his/her PHI; and (iii) the covered entity’s duties with respect to a patient’s PHI.
On January 17, 2013, the HIPAA Omnibus Final Rule modified what statements covered entities must include in their NPPs. Since NPPs are required to be posted on covered entities’ websites (if they maintain one, more on this below), failure to update the NPP to meet the HIPAA Omnibus requirement has become a visible marker of HIPAA non-compliance for OCR auditors.
In other words, if there has been a patient complaint to OCR regarding your HIPAA compliance, or OCR is evaluating your practice for HIPAA compliance (after, for instance, a privacy breach notification), the first step OCR auditors take is finding your website and seeing if your NPP has been updated (or is even posted, as HIPAA requires). In a real and practical way OCR auditors will evaluate how they will treat your case by a highly visible metric of whether you have paid attention to HIPAA compliance.
Providing the Notice and Template Notices
With respect to NPPs, HIPAA requires the following of covered entities:
- Make its NPP available to any person who requests it.
- Prominently post and make available the NPP on any website that provides information about the covered entity’s customer services or benefits.
- “Direct Treatment Providers” have an additional requirement to provide the NPP to the individual on the patient’s first date of service delivery and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, there must be documentation to show the efforts made to obtain the written acknowledgement. HIPAA also provides for electronic delivery of NPPs under certain parameters.
The OCR has posted several sample versions of NPPs at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/. It is fine to utilize the OCR’s sample versions, which were created to be easy for patients to understand. Note, however, that the OCR’s sample NPPs are slightly more restrictive than required by HIPAA.
Direct Treatment Provider vs. Indirect Treatment Provider
The HIPAA privacy regulations require a direct treatment provider (eg, a physician or facility who actually physically treats the patient) to give each new patient a NPP that can be taken home, at the moment in time of first service delivery. A good faith effort must be made by the provider to obtain the patient’s written acknowledgement of receipt of the NPP, and that the patient understood the information provided. This is a one-time obligation, when the patient is first seen by the provider.
A healthcare provider is considered to have a direct treatment relationship with the patient if it provides services, products, diagnoses, or results directly to the patient. For example, an imaging facility that sees patients will have a direct treatment relationship and the obligation to give new patients an NPP (and obtain written acknowledgment of the same).
On the other hand, an indirect treatment provider, such as a radiologist who is remotely interpreting images, is not required to distribute a NPP to its new patients. However, the indirect treatment provider still must maintain a prominent copy of its NPP on its website (if any), and provide a copy of its updated NPP to a patient upon request.
An indirect treatment relationship is present when (i) the healthcare provider delivers healthcare to the individual based on the orders of another healthcare provider; and (ii) the healthcare provider typically provides services or products, or reports the diagnosis or results associated with the healthcare (eg, radiology interpretations) directly to another healthcare provider, who provides the services or products or reports to the individual.
Most of the activities of diagnostic radiologists will be considered indirect treatment relationships. However, the line between direct and indirect treatment relationships can be blurred in some situations, such as interventional radiologists and radiologists in an oncology department. In many such instances, the covered entity facility will have included the radiologist as an affiliated healthcare provider in their NPP, but this does not absolve a separate radiology group of having its own NPP, available upon request and posted on its website.
OCR has recently put an extreme focus on patient rights under HIPAA. Failure to update your NPPs is a visible red-flag for OCR’s assessors that you are not taking patient HIPAA rights, or HIPAA itself, seriously. Updating your NPP to comply with the HIPAA Omnibus Rule is an easy fix that will pay dividends if HIPAA issues arise in the future. You should also be aware of your responsibilities with respect to patient rights related to NPPs (available upon request, website posting, and distribute to new patients if you have a direct treatment relationship), and make sure your imaging providers and radiologists know whether they have a direct or indirect relationship with patients – the distinction is critical for determining whether new patients are required to receive/acknowledge a physical copy of their NPP.
Adrienne Dresevic, Esq. is a Founding Shareholder of The Health Law Partners, P.C., a nationally recognized healthcare law firm with offices in Michigan and New York.Practicing in all areas of healthcare law, she devotes a substantial portion of her practiceto providing clients with counsel and analysis regarding compliance, Stark Law, Anti-Kickback Statute, and compliance related issues. Ms. Dresevic serves on the American Bar Association Health Law Section’s Council, which serves as the voice of the national health law bar within the ABA. Ms. Dresevic also serves as the ABA Health Law Section’s Co-Chair of the Physicians Legal Issues Conference Committee, Vice Chair of the Programs Committee (Executive Leadership), and Vice Chair of the Sponsorship Committee. She is licensed to practice law in Michigan and New York, and can be contacted at firstname.lastname@example.org.
Clinton Mikel, Esq. graduated from the University of Michigan Law School. Practicing healthcare law, he concentrates in Stark, fraud/abuse, telehealth/telemedicine, compliance, and the corporate and financial aspects of healthcare practice.
The authors are members of The Health Law Partners, P.C. and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.
For more regulatory news, visit www.ahraonline.org/news.