
Privacy Practices Guide

Overview

Privacy practices are fundamental to healthcare compliance and patient trust. This guide covers implementing privacy protections in your DPC practice, from policies to daily operations.

[!CAUTION] Consult Compliance Professionals: Privacy requirements under HIPAA and state laws are complex and carry significant penalties for violations. While this guide provides practical orientation, consider consulting a healthcare compliance specialist for your initial policy development and Notice of Privacy Practices. State-specific requirements may also apply.

Prerequisites

  • Understanding of HIPAA basics (see HIPAA Compliance Basics)
  • Business entity established
  • Basic understanding of your practice workflows

Starting Lean: Privacy by Stage

Stage 1: Just Starting (0-25 Patients)

Essential privacy measures:

  • Notice of Privacy Practices (NPP)
  • Basic access controls (passwords, locks)
  • Secure communication method
  • HIPAA-compliant storage

Reality: Simple practices need simple privacy measures. Don't overcomplicate.


Stage 2: Growing (25-75 Patients)

Add:

  • Formal privacy policies
  • Staff training (if applicable)
  • Audit procedures
  • Incident response plan


Stage 3: Established (75+ Patients)

Systematize:

  • Regular privacy audits
  • Documented training programs
  • Vendor management
  • Ongoing compliance monitoring


Notice of Privacy Practices (NPP)

What It Is

A document explaining how you use and protect patient health information. Required by HIPAA.

Required Content

Your NPP must explain:

  • How you use and disclose PHI
  • Patient rights regarding their information
  • Your duties to protect PHI
  • How to file complaints
  • Effective date

Patient Rights to Include

  1. Right to access - Review and obtain copies of their records
  2. Right to amend - Request corrections to their records
  3. Right to accounting - Know who you've disclosed PHI to
  4. Right to restrict - Request limits on uses/disclosures
  5. Right to confidential communications - Request alternative contact methods
  6. Right to a paper copy - Receive paper NPP on request

Distribution Requirements

When to provide:

  • At first service (new patients)
  • When requested
  • After material changes

How to provide:

  • Give paper copy at enrollment
  • Post in office (optional but recommended)
  • Post on website
  • Obtain acknowledgment signature

Sample NPP Acknowledgment

I acknowledge that I have received a copy of [Practice Name]'s Notice of Privacy Practices, which describes how my health information may be used and disclosed and how I can access this information.

Signature: ___________________ Date: ___________

If patient refuses to sign:

[ ] Patient refused to sign acknowledgment
Staff initials: _____ Date: _____


Privacy Policies

Core Policies Needed

1. Minimum Necessary Standard

  • Access only the PHI needed for the task
  • Don't browse records unnecessarily
  • Limit disclosures to what's required

2. Access Control Policy

  • Who can access what information
  • Password requirements
  • Physical access to records

3. Disclosure Policy

  • When PHI can be disclosed without authorization
  • When authorization is required
  • How to document disclosures

4. Patient Rights Policy

  • How to handle access requests
  • Amendment request procedures
  • Complaint procedures

5. Breach Response Policy

  • How to identify breaches
  • Notification procedures
  • Documentation requirements


Physical Privacy Protections

Office Space

Reception/waiting area:

  • Sign-in sheets that don't reveal reason for visit
  • Conversations not overheard by waiting patients
  • Computer screens not visible to patients

Exam rooms:

  • Doors close fully
  • Conversations not overheard
  • Charts not visible through windows

Work areas:

  • Screens positioned away from patient view
  • Papers face-down when not in use
  • Secure storage for records

Paper Records

If using paper records:

  • Locked file cabinets
  • Access limited to authorized personnel
  • Secure disposal (shredding)
  • No records left unattended

Mail and Fax

Mail:

  • Secure mailbox
  • Prompt retrieval
  • Consider a PO Box for the practice

Fax (if used):

  • Cover sheets with confidentiality notice
  • Confirm fax numbers before sending
  • Machine in secure location
  • Prompt retrieval of received faxes


Electronic Privacy Protections

Computer Security

Basic requirements:

  • Strong, unique passwords
  • Automatic screen lock (2-5 minutes)
  • Encrypted storage
  • Automatic logoff
  • Antivirus/antimalware
  • Regular updates

Email

For patient communication:

  • Encrypted email service, or
  • Patient consent to unencrypted email (with understanding of the risks)
  • No PHI in subject lines
  • Verify recipient before sending

Mobile Devices

If using phones/tablets:

  • Password/biometric lock
  • Remote wipe capability
  • Encrypted storage
  • Avoid storing PHI on personal devices
  • HIPAA-compliant apps only

Cloud Storage

Requirements:

  • BAA with provider
  • Encryption in transit and at rest
  • Access controls
  • Audit logging


Patient Communication Privacy

Phone Calls

Best practices:

  • Verify patient identity before discussing PHI
  • Be aware of surroundings when calling
  • Leave minimal information in voicemails
  • Document patient's communication preferences

Sample voicemail:

"This is [Your Name] from [Practice Name] calling for [Patient Name]. Please call us back at [number] at your convenience."

(Don't leave specific health information in voicemails unless patient has consented.)

Text Messages

If texting patients:

  • Get consent for text communication
  • Understand risks of texting PHI
  • Use minimal PHI (appointment reminders OK)
  • Consider HIPAA-compliant texting platforms

Patient Portal

Privacy features:

  • Secure login required
  • Encrypted transmission
  • Audit trails
  • Timeout settings


Handling Patient Requests

Access Requests

When patients want their records:

  1. Accept request (written preferred)
  2. Verify identity
  3. Provide within 30 days (one 30-day extension allowed)
  4. Provide in requested format if feasible
  5. May charge reasonable cost-based fee
  6. Document request and response

What to provide:

  • Medical records
  • Billing records
  • Any PHI you maintain

Exceptions (can deny):

  • Psychotherapy notes
  • Information compiled for legal proceedings
  • Certain research information
  • Information that may endanger someone

Amendment Requests

When patients want corrections:

  1. Accept written request
  2. Respond within 60 days
  3. If granting: make amendment, inform patient, notify others who received incorrect info
  4. If denying: provide written denial with reason, inform of appeal rights

Can deny if:

  • Information is accurate
  • You didn't create the record
  • Information is not part of the designated record set

Restriction Requests

Patients can request restrictions on uses/disclosures.

  • You're not required to agree (with one exception)
  • Must agree if patient pays out of pocket in full and requests you not disclose to their health plan
  • If you agree to any restriction, you must honor it
  • Document all requests and your response

Disclosures Without Authorization

When Authorization NOT Required

Treatment, Payment, Healthcare Operations (TPO):

  • Sharing with consultants/specialists for treatment
  • Billing (if applicable)
  • Quality improvement activities

Required by law:

  • Public health reporting
  • Abuse/neglect reporting
  • Court orders

Other permitted purposes:

  • Health and safety threats
  • Organ donation
  • Workers' compensation
  • Law enforcement (limited circumstances)

When Authorization IS Required

  • Marketing
  • Sale of PHI
  • Most research
  • Psychotherapy notes
  • Anything not otherwise permitted

Workforce Training

Solo Practice

Even if you're the only "workforce member," document your own training:

  • Initial HIPAA training (self-study counts)
  • Annual review
  • Updates when policies change

With Staff

Training requirements:

  • All workforce members trained
  • Training within a reasonable time of hire
  • Periodic refreshers
  • Document all training

Training topics:

  • Privacy basics
  • Your practice policies
  • Patient rights
  • Breach identification and reporting
  • Sanctions for violations


Documentation Requirements

What to Document

  • Notice of Privacy Practices (and acknowledgments)
  • Privacy policies
  • Training records
  • Patient requests and your responses
  • Disclosures (accounting of disclosures)
  • Complaints and resolutions
  • Incidents and responses

Retention

  • Retain documentation for 6 years from its creation or from the date it was last in effect
  • Longer if state law requires
  • Secure storage and disposal
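The access and amendment deadlines in "Handling Patient Requests" and the accounting-of-disclosures and retention requirements in this section are the kind of rules a practice ends up tracking in a spreadsheet. The following is an added Python example, not part of this guide, of a small tracker that applies them: it computes response due dates (30 days, one 30-day extension, 60 days for amendments), flags overdue requests, and keeps an append-only disclosure log that can produce a patient's accounting within the 6-year window. The class and field names, patient IDs and dates are constructed for illustration.

```python
"""Deadline tracker for patient requests plus an accounting-of-disclosures log.

Added example, not part of the guide. The day counts (30 days plus one 30-day
extension for access requests, 60 days for amendments) and the 6-year retention
period are the figures stated in the guide; all names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

ACCESS_DAYS = 30            # respond to an access request within 30 days
ACCESS_EXTENSION_DAYS = 30  # one 30-day extension allowed
AMENDMENT_DAYS = 60         # respond to an amendment request within 60 days
RETENTION_YEARS = 6         # keep privacy documentation for 6 years


@dataclass
class PatientRequest:
    patient_id: str
    kind: str                      # "access" or "amendment"
    received: date
    extended: bool = False         # set by extend(); once, access requests only
    completed: Optional[date] = None

    def due(self) -> date:
        """Date by which the practice must respond."""
        if self.kind == "access":
            days = ACCESS_DAYS + (ACCESS_EXTENSION_DAYS if self.extended else 0)
        elif self.kind == "amendment":
            days = AMENDMENT_DAYS
        else:
            raise ValueError(f"unknown request kind: {self.kind}")
        return self.received + timedelta(days=days)

    def extend(self) -> None:
        """Apply the single 30-day extension an access request may receive."""
        if self.kind != "access":
            raise ValueError("only access requests can be extended")
        if self.extended:
            raise ValueError("the one permitted extension has already been used")
        self.extended = True

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.due()


def overdue_requests(requests: List[PatientRequest], today: date) -> List[PatientRequest]:
    """Open requests whose response deadline has passed as of `today`."""
    return [r for r in requests if r.is_overdue(today)]


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # who received the PHI
    purpose: str        # e.g. treatment, required by law, patient authorization
    description: str    # what was disclosed


def retention_cutoff(as_of: date) -> date:
    """Earliest date still inside the 6-year retention window."""
    try:
        return as_of.replace(year=as_of.year - RETENTION_YEARS)
    except ValueError:  # 29 February with no 29 February six years earlier
        return as_of.replace(year=as_of.year - RETENTION_YEARS, day=28)


class DisclosureLog:
    """Append-only accounting of disclosures; entries are never edited or removed."""

    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, entry: Disclosure) -> None:
        self._entries.append(entry)

    def accounting_for(self, patient_id: str, as_of: date) -> List[Disclosure]:
        """Entries to hand a patient who exercises the right to an accounting."""
        cutoff = retention_cutoff(as_of)
        return [e for e in self._entries
                if e.patient_id == patient_id and e.disclosed_on >= cutoff]


if __name__ == "__main__":
    # Constructed walk-through with made-up patient IDs and dates.
    req = PatientRequest("P-0001", "access", date(2024, 1, 10))
    print("access request due", req.due())
    req.extend()
    print("after extension due", req.due())
    log = DisclosureLog()
    log.record(Disclosure("P-0001", date(2023, 5, 2), "Consulting cardiologist",
                          "treatment", "referral summary"))
    log.record(Disclosure("P-0001", date(2018, 5, 31), "State health department",
                          "required by law", "reportable condition"))
    for e in log.accounting_for("P-0001", date(2024, 6, 1)):
        print(e.disclosed_on, e.recipient, e.purpose)
```

The log is deliberately append-only: an accounting of disclosures is only trustworthy if past entries cannot be quietly altered, so corrections should be recorded as new entries rather than edits. Completed requests are kept (with their completion date) because the guide asks you to document both the request and your response.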

Common Privacy Scenarios

Scenario 1: Family Member Asks for Information

Situation: Spouse calls asking about patient's test results.

Response:

  • Check if patient has authorized sharing with spouse
  • If authorized: verify spouse's identity, share appropriate information
  • If not authorized: "I'm not able to discuss patient information without authorization. Please have [patient] call us or provide written authorization."

Scenario 2: Employer Requests Records

Situation: Employer calls asking if employee was seen.

Response:

  • Don't confirm or deny patient relationship without authorization
  • "We cannot release patient information without authorization. Please have your employee contact us if they wish to release information."

Scenario 3: Law Enforcement Request

Situation: Police officer asks about a patient.

Response:

  • Don't automatically disclose
  • Ask for written request or court order
  • Consult attorney if unsure
  • Limited exceptions for emergencies

Scenario 4: Patient Wants Records Sent to Attorney

Situation: Patient asks you to send records to their lawyer.

Response:

  • Get written authorization
  • Verify authorization is valid
  • Send only what's authorized
  • Charge reasonable fee if applicable


Checklist: Privacy Practices

Documents

  • Notice of Privacy Practices created
  • NPP acknowledgment form ready
  • Privacy policies documented
  • Authorization form available
  • Access request form available

Physical Safeguards

  • Secure storage for records
  • Computer screens positioned appropriately
  • Conversations can be private
  • Secure disposal method in place

Electronic Safeguards

  • Password protection on all systems
  • Encryption for electronic PHI
  • Automatic screen lock enabled
  • BAAs with electronic service providers

Ongoing

  • Training documented
  • Patient requests tracked
  • Disclosures logged
  • Regular policy review scheduled

Resources


Next Steps

After establishing privacy practices:

  • BAA Requirements - Vendor management
  • Incident Response Plan - Preparing for problems