Healthcare

Understanding the Notice of Privacy Practices (NPP) in HIPAA

Darryn Campbell on Feb 6, 2024
Understanding the Notice of Privacy Practices (NPP) in HIPAA

What is Notice of Privacy Practices (NPP) in HIPAA?

In the context of HIPAA, a Notice of Privacy Practices (NPP) is a document that explains to patients, employees, and clients how relevant health information will be collected, processed, stored, and used. It also explicitly outlines individuals' privacy rights over their Protected Health Information (PHI). Unlike many other aspects of HIPAA, the NPP in healthcare is a highly visible representation of the Act's intentions and purpose, as it is a physical document that effectively must pass through the hands of, and be signed by, all consumers of a covered entity's services. In practice under HIPAA, healthcare providers and organizations (covered entities) must give patients and research participants a notice. This notice explains: 1. How Your Health Information Can Be Used and Shared: It tells you the ways in which your health information may be used by the healthcare provider and who it may be shared with. 2. Your Legal Rights: It informs you about your rights concerning your health information, like your right to see it, get a copy, and request corrections or deletion.

This notice ensures you are aware of what happens with your health data and what rights you have to protect your privacy.

NPP US Legal Law

The Notice of Privacy Practices (NPPs) are connected to HIPAA's Privacy Rule. This rule gives patients rights regarding their Protected Health Information (PHI) and defines how it can be used and disclosed. HIPAA ensures patients know their privacy rights by requiring providers to give them a Notice of Privacy Practices (NPP). The NPP explains how PHI can be used, patients' rights, and the provider's legal duties regarding PHI.

NPP document standards

The average Notice of Privacy Practices (NPP) document is typically between 3 to 5 pages long. However, the length can vary depending on the complexity of the information included and the specific requirements of the healthcare provider or organization.

What is in a HIPAA NPP (Notice of Privacy Practices)?

A HIPAA-approved NPP must include a few key elements to be considered compliant. Covered entities are required to provide notice, in plain language, that describes:

  • How the covered entity may use and disclose an individual's protected health information. These rules can be expressed in various ways, but the key point is that providers do not have unrestricted use of this information. Mismanagement of PHI can result in significant penalties.

  • The patient's rights regarding their information and how to exercise these rights, including how to file complaints. Some rights are obvious, like obtaining a paper copy of their PHI, while others are less known, such as requesting a list of entities with whom their PHI has been shared.

  • The covered entity's legal duties include maintaining PHI privacy, protecting it from unauthorized use, and promptly informing you of any breaches.

  • Contact information for further details about the entity's privacy policies. This is essential, as contact details are unique to each provider, while other privacy policy sections are similar.

A covered entity must include an effective date on their NPP. If privacy practices are updated, the date must be revised and the NPP redistributed. Frequent updates can lead to multiple signings during visits, as providers adjust the notice to reflect regulatory or IT changes.

Correctly writing your company's Notice of Privacy Practices can be technical and tricky, which is why the Department of Health and Human Services maintains templated versions on their website that can be used with minimal editing by most providers.

What rights does a HIPAA NPP outline?

To help patients be advocates of their data, the NPP must outline the rights that HIPAA provides, including the following:

  • The right to request restrictions on certain uses and disclosures of PHI.

  • The right to receive confidential communications of PHI, as permitted by law.

  • The right to inspect and copy PHI.

  • The right to amend PHI, as permitted by law.

  • The right to receive an accounting of disclosures of PHI.

  • The right of an individual to obtain a paper copy of the notice, upon request.

  • The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes their privacy rights have been violated.

Healthcare providers must be transparent about how they protect PHI and share this information with patients. They don’t have to fulfill all information requests, like correcting medical history; however, they must provide a written response within 30 days.

When should the NPP be provided to a patient

So far, we've talked about what needs to be in an NPP and discussed the requirement for covered entities to produce and distribute one. Since HIPAA is government regulation, there are some complicated rules on when and how companies must provide an NPP:

The notice of privacy practices should be provided under the following circumstances:

  • Covered entities must provide a copy of their NPP to anyone who asks for it.

  • They must also visibly post the NPP in their physical location(s) so that anyone who enters the space has clear and unobstructed access.

  • If an entity's website provides information about customer services and benefits, an NPP must also be posted on the website. This requirement mirrors the advertising requirements for prescription drugs, in which you hear the extensive lists of possible side effects only when the advertiser also lists the benefits of the medicine.

  • There are additional provider-specific requirements for distributing an NPP. For instance, a provider (like a doctor or hospital) must provide it on the patient's first visit, Emergency Rooms must deliver it at the first possible opportunity, and health plans must provide the NPP on sign-up as well as every three years afterward.

How PubNub can help with HIPAA and NPPs?

As a technology provider that has been certified HIPAA-compliant since 2015, PubNub has a rich history of helping providers to operate with the confidence that their operations are in compliance. Hundreds of healthcare and health tech applications have been built and deployed using PubNub APIs and network, all with HIPAA compliance implicitly provided.

Ensuring that technology applications match the commitments and obligations outlined in the NPP is vital to avoid technical violations of the HIPAA Privacy Rule. We encourage you to learn more about the solutions that organizations have already built and to refer to our E-Book Building a HIPAA-Compliant App.