Notice of Privacy Practices

Policy Statement

A. Notice of Privacy Practices

1. IU HIPAA covered healthcare components that provide health care or are part of the IU health plans shall maintain a Notice of Privacy Practices (Notice) that explains how protected health information may be used and disclosed, as well as an individual’s rights and the provider’s legal duties under HIPAA and HITECH.
   
   Designated covered healthcare components are responsible for complying with this policy and for developing operating procedures that implement it.
   
   
2. The Notice shall be written in plain language and shall contain the elements required by the HIPAA Privacy Rule.
   
   
3. Covered healthcare components may not use or disclose protected health information in a manner inconsistent with their Notice.

B. Distribution/Publication of the Notice

1. The Notice will be provided to individuals with whom the covered healthcare component has a direct treatment relationship:
   1. No later than the date of the first service delivery, including service delivered electronically to such individual;
   2. Upon request; and
   3. On or after the effective date of a revision of the Notice.
      
      
2. Following an emergency treatment situation, the covered healthcare component will provide the individual with the Notice as soon as reasonably practicable.
   
   
3. In the case of patients who are minors, Notice should be given to the minor’s parent or legal guardian.
   
   
4. The Notice must be posted in a prominent location where it is reasonable to expect that patients will see and have an opportunity to read the Notice.
   
   
5. If the Notice is revised, the covered healthcare component must post the revised Notice and make the Notice available upon request. Former Notices must be retained for six (6) years.
   
   
6. The covered healthcare component shall prominently post the Notice on any web sites it maintains that provide information about its customer services or benefits, and it shall make the Notice available electronically through its web site.

C. Acknowledgement of the Notice of Privacy Practices

1. Except in an emergency treatment situation, reasonable effort shall be made by the covered healthcare component to obtain a written acknowledgement from the patient or the patient’s legally authorized representative that he or she has received the Notice.
   
   
2. Documentation of reasonable attempts to provide the current Notice shall be maintained in the medical record. Refusals to sign the acknowledgement or refusals to accept the Notice shall also be documented.

Reason for the Policy

The Health Insurance Portability and Accountability Act (HIPAA) requires that health plans and covered health care providers develop and distribute a Notice of Privacy Practices (Notice) which describes the provider’s uses and disclosures of protected health information, an individual’s rights with regard to his/her own protected health information, the provider’s duties with regard to the individual’s protected health information, the complaint process, a contact number, and the effective date of the Notice.

This policy describes IU’s Notice of Privacy Practices, the method for distributing the Notice and documenting its distribution.

Definitions

See Glossary of HIPAA Related Terms for complete list of terms. 

History

07/01/2015   Effective Date
08/01/2016   Updated retention requirements for NPPs, added link to Glossary
06/xx/2017   Published on University policy site
12/13/2021   Updated policy contacts

Related Information

HIPAA Privacy Rule
45 CFR 164.520