Overview:
§164.520(c)(2)
Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must:
(i) Provide the notice:
(A) No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or
(B) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
(ii) Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained;
(iii) If the covered health care provider maintains a physical service delivery site:
(A) Have the notice available at the service delivery site for individuals to request to take with them; and
(B) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice.
(iv) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable.
Action Items:
1) Obtain and review the policies and procedures in place regarding the provision of the notice of privacy practices.
2) Obtain and review a sample of acknowledgement of receipt of the notice and of documentation showing a good faith effort was made when an acknowledgment could not be obtained.
3) Has the covered health care provider provided the notice of privacy practices to individuals as required? From sample of a population of individuals who were new patients/new individuals, obtain and review documentation to determine if the initial date of service corresponded with the date of the notice of privacy practices was received. If the dates do not correspond, determine if the initial service was an emergency situation or if there was another means or explanation. Review documentation related to provision of notice to individuals who presented for emergency treatment.
Related Documents:
1) Policies and procedures in place regarding the provision of the notice of privacy practices.
2) Sample of acknowledgement of receipt of the notice and of documentation showing a good faith effort was made when an acknowledgment could not be obtained.
3) Documentation to determine if the initial date of service corresponded with the date of the notice of privacy practices was received.
Additional Guidance:
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
Article ID: 555
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-privacy-provisions-of-notice-certain-covered-health-care-providers-164-520-c-2-555.html