DHHS POLICY AND PROCEDURE MANUAL
Privacy and Security
Client Rights Policies, Notice of Privacy Practices
Current Effective Date:
Original Effective Date:
The purpose of this policy is to specify the requirements for the Notice of Privacy Practices and its distribution, and to provide a standard notice template for use by North Carolina Department of Health and Human Services (NC DHHS) agencies in the development of their agency's Notice.
This policy shall apply to all DHHS Health Insurance Portability and Accountability Act (HIPAA) covered health care components.
Individuals served by a DHHS HIPAA covered agency must be informed of their privacy rights and the agency's responsibilities with respect to protected health information. Each DHHS HIPAA covered agency is required to provide the Notice of Privacy Practices in accordance with the HIPAA Privacy Regulations, 45 CFR Subtitle A, Subchapter C, Part 164.
DHHS HIPAA covered agencies shall provide a Notice of Privacy Practices to individuals applying for or receiving agency services, with the exception of inmates. Additionally, an agency shall make its Notice of Privacy Practices available to any individual(s) upon request, whether or not the individual is an agency client. The agency shall provide such notice in a manner consistent with all requirements specified within this policy.
The Notice of Privacy Practices shall outline the uses and disclosures of protected health information that may be made, and notify individuals of their rights and the agency's legal duties with respect to protected health information. DHHS agencies that must comply with this policy shall use or disclose health information in a manner consistent with their Notice of Privacy Practices.
DHHS HIPAA covered agencies that operate an Employee Health Service, that provides treatment services to employees above and beyond testing services required as a condition for employment (e.g., TB Tine Test), are required to provide employees with an Employee Health Service Notice of Privacy Practices.
Privacy Notice Requirements Applicable to all DHHS HIPAA Covered Agencies
- Development of Notices: All DHHS agencies classified as HIPAA health care components shall use one of the following Notice of Privacy Practices templates, as appropriate, to assist in ensuring that each agency's customized Notice contains all the required elements.
DHHS Notice of Privacy Practices Template -
This Notice contains the general notice requirements specified by HIPAA.
State law preemptions are not included in this template. This template
is recommended for development of Employee Health Service Notice
of Privacy Practices, ensuring privacy practices are reasonable
and appropriate for employees of the facility.
Notice of Privacy Practices Template
- This Notice template contains requirements specific to mental
health, developmental disabilities, and substance abuse programs.
- Medicaid Notice of Privacy Practices (dma-2188 and dma-2188s for the Spanish version) - This Notice contains Medicaid requirements and is available in both English and Spanish.
Notices of Privacy Practices developed by DHHS agencies shall be written in plain and simple language that a client, employee, or personal representative can easily read and understand. Notices shall be made available in languages understood by a substantial number of clients served by each agency. At a minimum, each agency shall ensure the Notice is available in English and Spanish. DHHS agencies can request Braille Notices from the Division of Services for the Blind for clients who request such format. Notices shall contain the elements described in the Notice of Privacy Practices Elements section of this policy.
- Notice Revisions: DHHS agencies shall promptly revise their privacy notice whenever there is a material change to the uses or disclosures, the client's rights, the agency's legal duties, or other privacy practices described in the Notice. A revised notice shall be available upon request on or after the effective date of the revision.
Except when required by law, an agency shall not implement a material change to any term of the Notice prior to the effective date of the Notice in which such change is reflected.
Prior versions of an agency's notice shall be retained for a period of at least six (6) years from the date of the last notice delivery, or retained according to the agency's retention and disposition schedule, whichever is more stringent.
- Provision of Notice: DHHS HIPAA covered agencies shall provide a written copy of their Notice of Privacy Practices to any individual requesting a copy, regardless of whether or not the individual is an agency client.
DHHS agencies that operate an Employee Health Service shall provide a written copy of their Notice of Privacy Practices to each employee at their first treatment encounter after April 14, 2003.
When providing individuals a Notice of Privacy Practices as required in this policy, an agency may provide their notice to an individual by electronic mail (hereafter referred to as "e-mail") with a return receipt requested, if the individual agrees to an electronic notice and such agreement has not been withdrawn. If the agency knows that the e-mail transmission failed, a paper copy of the notice shall be provided to the individual. When a notice is provided electronically, it shall meet the applicable delivery time requirements specified in this policy.
Any agency that maintains a web site that provides information to the public about the agency's services or benefits shall prominently post its notice on the web site and make the notice available electronically from the web site. The notice on the web site shall reflect the most recent version.
DHHS HIPAA covered agencies do not have to provide their notice to "inmates". "Inmates" include inmates from the NC Department of Correction and clients committed through the criminal justice system to a psychiatric hospital (i.e., clients sent for pre-trial evaluation; clients found not guilty by reason of insanity; clients found incapable to proceed to trial [House Bill 95]).
- Approval Process: All notices and revisions to notices must be submitted to the DHHS Privacy Officer for final approval prior to public distribution. The DHHS Privacy Officer will obtain Attorney General Office approval for agency Notices and revisions to Notices when necessary. Also, the DHHS Privacy Officer is responsible for forwarding Employee Health Service Notices to the Division of Human Resources for approval.
Additional Privacy Notice Requirements Applicable Only to Health Care Plans
- Provision of Notice: The Division of Medical Assistance (DMA) shall ensure that health plans under the authority of DHHS provide the Notice of Privacy Practices on a timely basis to the health plan's named insured, hereafter referred to as the "casehead". Health plans shall initially provide the notice to all caseheads no later than April 14, 2003. After Notices have been distributed initially, new health plan enrollees shall receive a notice no later than the time of enrollment. New enrollee notices may be distributed at the time an application is filed, prior to determination of eligibility.
- Notice Revisions: Whenever a DHHS health plan notice is materially revised from the previous notice, the revised notice must be provided to the caseheads then covered by the health plan within 60 days of the revision. When a notice contains translated language other than English, changes in the Notice to correct or improve the translation is not considered a material change.
- Other Notification: At least once every three (3) years, the health plan shall notify the caseheads then covered by the plan of the availability of the notice and how to obtain a copy. At a minimum, this notification shall be presented in both English and Spanish. This notification may be combined with other communications sent routinely to caseheads (e.g., Medicaid cards).
Additional Privacy Notice Requirements Applicable Only to Health Care Providers That Have a Direct Treatment Relationship with Clients
- Posting of Notice: DHHS agencies that are health care providers who have a direct treatment relationship (e.g., face to face) with their clients, and who have a physical site where health care is provided directly to individuals, shall post the Notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the agency will be able to read the Notice. DHHS agencies that operate an Employee Health Service shall post their Notice in the area where employees come for treatment.
- Provision of Notice: Except in an emergency situation, these agencies shall provide the notice to clients or their personal representative no later than the date of the first treatment service delivery, including service delivered electronically or via telephone. In an emergency treatment situation, the Notice shall be provided as soon as reasonably practicable.
If a health care provider's first treatment delivery to an individual is delivered electronically, the agency shall automatically forward an electronic notice to the individual. The individual who receives the electronic notice retains the right to receive a paper copy upon request. If the first treatment encounter with the individual is by telephone, the notice must be mailed within one working day of the telephone encounter. Scheduling an appointment is not considered a treatment encounter.
DHHS agencies that provide residential services and must comply with the HIPAA Privacy regulations shall ensure that all clients in residence at the agency as of April 14, 2003, are provided a notice no later than April 14, 2003. Provision of the Notice can be met by having the client or personal representative read and return the notice; however, the agency must provide the client or personal representative with a copy of the notice upon request.
DHHS facilities that are required to comply with federal regulation 42 CFR Part 2, relative to substance abuse, must provide their Notice of Privacy Practices to their substance abuse clients at the time of each admission. Otherwise, DHHS health care provider agencies that have a direct treatment relationship with clients need to provide the notice initially and when revisions are made as noted below in the Revision of Notice section.
- Acknowledgement of Receipt of Notice: DHHS provider agencies with a direct treatment relationship shall make a good faith effort to obtain a written acknowledgment of receipt of the notice from the client or personal representative, except in an emergency situation. If the first treatment encounter with the client is by telephone, mailing the Notice to the client and asking the client to return the signed acknowledgment in person or by mail shall be considered a good faith effort. When a notice is delivered electronically, an electronic return receipt is considered valid written acknowledgment of the notice.
Should a client or personal representative be unable to sign his/her name on the acknowledgment, an "x" or other mark/symbol is acceptable in place of a signature, as long as it is witnessed and documented, attesting to the validity of the signature.
The top sheet of the notice template provides a section for an acknowledgment. The agency shall keep the signed page as documentation of Notice receipt.
The agency shall not refuse to treat a patient because he/she would not sign a written acknowledgment; instead, the agency should document the good faith effort to obtain the signature. Documentation of a good faith effort shall include the date the Notice and acknowledgment was given/mailed to the individual, how it was delivered (in person, mailed, etc.), and the reason the acknowledgment was not signed (such as, patient refused or did not mail acknowledgment back to agency).
Each provider agency shall establish a tracking process to ensure that each client was asked to sign the acknowledgment and that the signed acknowledgment was retained or a good faith effort documented.
The acknowledgment or good faith effort shall be filed in the client's medical record and retained in accordance with the agency's retention and disposition schedule for medical records, which shall be no less than six (6) years.
- Revision of Notice: Whenever a DHHS health care provider's notice is materially revised from the previous notice, the revised notice shall be available to clients or personal representatives upon request on or after the effective date of the revision. If a written acknowledgment was previously obtained or a good faith effort documented, another written acknowledgment is not required when the notice is revised. In addition, the revised notice must be promptly posted in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider will be able to read then notice. If the provider agency has a public web site, the revised notice shall be available on the web site.
Notice of Privacy Practices Elements
- This statement shall be in the header of the notice, or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
- The notice shall contain a description of the types of uses and disclosures that the agency is permitted to make for treatment, payment, and health care operations. At least one (1) pertinent agency example shall also be included.
- A description of all other purposes for which the agency is permitted or required to use or disclose protected health information without the individual's written authorization.
- If a use or disclosure for any purpose is prohibited or significantly limited by another applicable law, the description of such use or disclosure shall reflect the more stringent law.
- For each purpose described, the description shall include sufficient detail to inform the individual of the uses and disclosures that are permitted or required by federal regulations as well as state and federal law.
- A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such an authorization.
- If the agency intends to engage in any of the following activities, the activity description shall include a separate statement accordingly:
The notice shall contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
- The agency may contact the individual to provide appointment reminders or information about treatment alternatives or other heath-related benefits and services that may be of interest to the individual; or
- The agency may contact the individual to raise funds for the agency.
The notice shall contain the agency's duties, as follows:
- The right to request restrictions on certain uses and disclosures of protected health information, including a statement that the agency is not required to agree to a requested restriction;
- The right to receive communications of protected health information confidentially, as applicable;
- The right to inspect and copy protected health information;
- The right to request amendment to protected health information;
- The right to receive an accounting of applicable disclosures of protected health information; and
- The right of an individual, including an individual who has agreed to receive the Notice electronically, to obtain a paper copy of the Notice from the agency upon request.
The notice shall contain a statement that individuals may complain to the agency and to the Secretary of the United States Department of Health and Human Services if they believe their privacy rights have been violated. A brief description of how the individual may file a complaint with the agency and a statement that the individual will not be retaliated against for filing a complaint shall also be included in the notice. This statement shall conform to the DHHS Privacy Complaints policy.
- A statement that the agency is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information;
- A statement that the agency is required to abide by the terms of the Notice currently in effect; and
- A statement that the agency reserves the right to change the terms of its Notice and to make the new Notice provisions effective for all protected health information that it maintains prior to issuing a revised Notice. The statement shall also describe how it will provide individuals with a revised Notice.
The notice shall contain the name, or title, and telephone number of a person or office to contact for further information.
The notice shall contain the date on which the notice is first in effect, which shall not be earlier than the date on which the notice is printed or published.
The Notice may also contain the following optional elements:
If an agency elects to limit the uses or disclosures that it is permitted to make, the agency may describe these limitations in its Notice, provided that the agency may not include in its Notice a limitation affecting its right to make a use or disclosure that is:
- Required by law, or
- If the agency, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person(s).
DHHS Directive Number III-11; 45 CFR 164.520
For relevant forms:
DHHS Notice of Privacy Practices
of Privacy Practices (form DHHS-0032)
Medicaid Notices of Privacy Practices (English)
Medicaid Notices of Privacy Practices (Spanish)
For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.