Does your doctor keep your Protected Health Information (PHI) Safe & Secure?
Today, I visited my local dentist office for a new patient consultation and to interview them before choosing them as my Covered Entity (CE). After examining the waiting room and completing the necessary paperwork, I was called into the treatment room.
During my appointment I met several different staff members, including their office manager responsible for HIPAA and then the provider was introduced. The rest of the visit went as most dental exams do, need I say more! After asking the office manager different questions about their Notice of Patient Practices (NPP), I decided the practice did not understand (or were choosing not to practice) HIPAA Privacy & Security responsibilities.
I’d like to tell you I only had to do this once before I found a CE I trusted my care and my HIPAA Privacy & Security information to but sad NO. I interviewed 4 different practices and only 1 of them would I trust and recommend with my information and care. I share this with you to help you learn what to look for when you visit your next provider of care.
CE’s are required to provide their patient’s with a NPP in plain language that describes:
- Did your CE provide you with their NPP?
- Does the NPP include a description of how the practice uses or discloses (share) your PHI?
- The CE’s legal duties with respect to the information, including a statement that the CE is required by law to maintain the privacy and security of PHI.
- A CE must let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
- A CE must follow the duties and privacy practices described in the NPP and give you a copy of it.
- A CE must not use or share your information other than as described in the NPP unless you instruct them they can in writing. If you allow it, you may change your mind at any time, in writing.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the CE.
- Whom individuals can contact for further information about the CE’s privacy policies.
- A CE must make its notice available to anyone who asks for it. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically.
- A CE must prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits.
- The NPP must include an effective date.
For more information see 45 CFR 164.520(b) for the all NPP requirements: https://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-520.pdf Also see: Frequently Asked Questions about the Privacy Rule