2. Key Documents
Three primary documents inform patients and
give them some control over their protected
health information or PHI
• Notice of Privacy Practices (NPP)
• Authorization
• Consent
3. Key Documents:
Notice of Privacy Practices
• Required by HIPAA
• Explains:
– how a healthcare provider will use a patient’s PHI
– an individual’s rights under HIPAA
– the provider’s legal duties regarding PHI
4. Key Documents:
Notice of Privacy Practices
• Must be:
– offered to the patient on first encounter with the provider
– provided if there are major changes to the NPP
– provided on request by the patient
– available at the site of treatment
– posted prominently where it can be read clearly
– posted visibly on provider’s website
• Written acknowledgement from the patient must be
obtained
– If the patient refuses the notice this must be documented
5. Key Documents:
Consent
• Not required by HIPAA
• Sometimes called “Conditions of Treatment”
• A consent may ask a patient for permission to use or
disclose PHI for treatment, payment, and healthcare
operations (TPO)
• May include a statement on financial responsibility
• No expiration date, but can be revoked
• Bottom line: A consent cannot substitute for an
authorization. In order to release protected health
information beyond TPO, we need to receive the
patient’s written permission using an authorization form.
7. Key Documents:
Authorization
• Required by HIPAA
• An authorization is used to release protected health information in
many situations where it is required.
• Key elements that must be included in the authorization form:
– Name of individual whose PHI is being disclosed
– Who may make the disclosure
– To whom the PHI is to be disclosed
– Type of information to be disclosed
– Signature of individual or legal representative
– Date authorization was signed
– Expiration date or event
– Statement of right to revoke
– Redisclosure statement
8. Elements of an Authorization
• Name of individual
• Who may make the
disclosure
• Disclosure to
• Type of information
• Redisclosure statement
• Expiration date or event
• Statement of right to
revoke
• Signature of individual and
• Date signed
9. Key Documents:
Authorization
• An authorization is defective if:
– the expiration date has passed.
– any of the information is known to be false.
– any of the required elements are missing.
• This means that protected health information
cannot be released without a complete and
valid authorization.
10. Summary
• Patients may sign a consent for treatment but this
is not an authorization to release records.
• HIPAA forms including the Notice of Privacy
Practices and Authorization have very specific
requirements.
• Ensure that your authorization form contains all
of the required elements.
• Before releasing protected health information
that requires an authorization make sure the
expiration date has not passed.
11. Learning activity
Find your organization’s Notice of Privacy Practices and complete
the checklist:
Our NPP is posted so patients can easily see it.
Our NPP is available in the languages our patients
speak and read.
Our NPP was updated after January 2013*
Our NPP is given to new patients.
Established patients are given the opportunity to
receive a revised NPP.
Patients sign an acknowledgement that they have
received our NPP.
* Your NPP may have been updated between 2009-2013. It needs to include all the requirements from the
Omnibus Rule. See further information in other tutorials.
12. References
• Rinehart-Thompson, LA. (2013). Introduction to health information privacy and
security; AHIMA Press.
• Image credit – free for use from http://www.dellustrations.com/