Where is the Best Location to Post a Notice of Privacy Practices?
The best location to post a Notice of Privacy Practices is a physical location where it can be seen and read by individuals without causing an access issue, or a virtual location such as an easy-to-access web page that offers a downloadable option. It may also be necessary to make a copy of the Notice of Privacy Practices available in leaflet or booklet form so that individuals can exercise their right to request a copy.
All HIPAA covered entities are required to provide a notice of the uses and disclosures of Protected Health Information (PHI) that may be made by the covered entity. The Notice of Privacy Practices must also explain the covered entity's legal duties with respect to PHI, an individual's rights, how they can exercise their rights, and who they can complain to if they feel their rights have been denied or violated.
Different rules apply to how a Notice of Privacy Practices should be provided to an individual depending on the nature of the covered entity's activities, whether the covered entity has a "physical service delivery site", and whether the covered entity maintains a website that provides information about the covered entity's customer services or benefits. Different rules can also apply to the content of a Notice of Privacy Practices.
Posting a Notice in a Physical Service Delivery Site
Covered entities with "physical service delivery sites" include hospitals, dentists, pharmacies, and any other location with public-facing operations. In these cases, it is a requirement of HIPAA (45 CFR §164.520(c)(2)(iii)) that Notices are posted "in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered entity to be able to read the notice".
It is also a requirement of the same standard that Notices are available at the service delivery site for individuals to request to take with them. Complying with this second requirement mitigates the risk of individuals gathering around a Notice to read it in full and potentially blocking an essential access route. It will likely also be more convenient for individuals to read the Notice in full, and understand it, at their leisure.
The Best Location to Post a Notice of Privacy Practices Online
With regard to the best location to post a Notice of Privacy Practices online, HIPAA 45 CFR §164.520(c)(3) has specific requirements for electronic Notices. These are that if a covered entity maintains a website that provides information about customer services or benefits, the covered entity must post a Notice of Privacy Practices on the website and make the Notice available electronically through the website.
Although the Notice of Privacy Practices standard continues to discuss the provision of a Notice electronically via email, it can be beneficial (to both the covered entity and the individual) to provide an option whereby an individual can download the Notice as a PDF. This avoids the need for an individual to provide an email address, and for the covered entity to implement secure methods of collecting and storing email addresses.
It is Important to Understand the Rules Regarding Privacy Notices
The failure to provide a Notice of Privacy Practices at the appropriate time (which varies depending on the nature of the covered entity's activities) is a violation of HIPAA. In terms of what penalty a covered entity might receive for failing to provide a Notice in a timely manner, or for the content of the Notice failing to comply with the HIPAA standards, this is not a "critical" violation likely to result in harm to an individual.
However, in terms of "ease of sanction", violations of the rules regarding Privacy Notices are low-hanging fruit for HHS' Office for Civil Rights. Unless a covered entity has obtained an acknowledgement of receipt (proof of sending an email is not sufficient evidence), the covered entity could be fined a substantial amount due to willful neglect. Ignorance of the rules regarding Privacy Notices is no defense in such cases.
Covered entities (and, where appropriate, business associates) who are not certain they are complying with the rules regarding Privacy Notices are advised to seek professional HIPAA compliance advice.