OCR HIPAA Privacy

December 3, 2002 Revised April 3, 2003

NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

[45 CFR 164.520]

Background

The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.

How the Rule Works

General Rule. The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices.

The Privacy Rule does not require the following covered entities to develop a notice:

• Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity. See 45 CFR 164.500(b)(1).

• A correctional institution that is a covered entity (e.g., that has a covered health care provider component).

• A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information.