By Mike McEvoy, Ph.D., REMT-P, RN, CCRN, and Paul Gillan, J.D., EMT
The Notice of Privacy Practices (NPP) is the most visible face of HIPAA. It is, fundamentally, a “privacy contract” between the EMS service and the patient. Your NPP informs your patients of their rights and your responsibilities to them under HIPAA. Here are a few practical tips to consider when drafting and distributing NPPs:
- Have one. Since April 14, 2003 (the HIPAA compliance deadline), patients in the health care system have been bombarded with NPPs from all directions, ranging from family physicians to health insurance plans and every health care provider in between. Patients will soon get used to seeing NPPs and start expecting them. Not having an NPP will be very noticeable and could be a red flag that leads to an investigation of your service’s privacy practices.
- Cover the basic requirements. The regulations specify NPP requirements but contain a lot of cross-references to other sections that can be confusing to run down, especially if you are in a hurry. There are tons of templates and checklists available, but remember that if you bought one in a book you’ve got no recourse if the template is wrong (or if you read it wrong).[1] If you had to pick one HIPAA policy document that should be reviewed by a lawyer, the NPP would be the one. State laws protecting patient privacy may set a higher standard than HIPAA; if they do, your NPP needs to say so. If you are the brave sort, find the requirements for NPPs at 45 CFR 164.520.[2]
- Make it readable. Most lawyers drafting NPPs don’t give a second thought to readability. A recent study reviewed 31 NPPs and found that a college-level reading ability was needed to understand the average NPP.[3] Most people cannot understand writing above the high school level. The regulation requires NPPs to be written in “plain English.” From this perspective, an unreadable NPP is as good as no NPP. Make sure yours is written to a 10th-grade level or lower. You or your lawyer should be familiar with a “Flesch-Kincaid Grade Level” test and try it on your NPP before you start giving it out. (This article, for example, tests out at a 10th-grade level.)
- Make it available. Post your NPP everywhere, including your EMS service’s administrative offices, any secondary posts or garages, and your service’s Web site (that’s required). Ample copies should be available in the clipboard case and around the station(s). Mail or fax it to anyone who asks. EMS staff (including medics and EMTs) should be very familiar with the content of the NPP and capable of fielding basic questions from patients and their representatives.
- Give it away. As a “covered entity” with a “direct treatment relationship,” your EMS service is required to provide the NPP to patients on the provision of service. An exception applies in “emergency treatment situations.” (Note that not all ambulance service is emergency treatment.) In emergency treatment situations, your EMS service must provide the notice “as soon as reasonably practicable.” In addition to supplying the NPP, health care providers in normal situations must also make a “good faith” effort to obtain acknowledgement that the patient received the notice. If this acknowledgement can’t be obtained, providers are required to document their attempts and the reasons. Like the requirement for providing an NPP at the time of treatment, providers in emergency situations are not required to obtain acknowledgement from patients that the notice was received.
- Keep it current. The NPP should be reviewed administratively at least once a year. If your service’s practices have changed, they need to be reflected in a revised NPP. For the first couple of years of HIPAA, it’s a good idea to review your NPP every three to six months. The general understanding of HIPAA’s implications is evolving rapidly, and developments in how the law is viewed by regulators may translate into significant changes in how the NPP is worded or how it is distributed.
For advertisement-free information about NPPs, read the Office of Civil Rights guidance at http://www.hhs.gov/ocr/hipaa/guidelines/notice.pdf. For an in-depth treatment of NPPs, read the American Health Information Management Association’s practice brief at http://library.ahima.org/xpedio/groups/public/documents/ahima/pub_bok1_016467.html.
1. This problem is endemic. Searching for a model ambulance notice of privacy practices might land you at http://www.911billing.net/ModelPrivacyNotice.htm. The model itself is not bad, but it states that “the final HIPPA privacy rules prohibit the notice and consent from being combined into a single document,” which is incorrect. The final rule does not require a “consent” and the prohibition against combining documents applies to “authorizations,” which refers to an entirely different area of the HIPAA privacy requirements.
2. The final rule is available free via links at http://www.hhs.gov/ocr/hipaa/finalreg.html. Note that the December 2000 “final rule” was modified significantly in August of 2002. Deep link to the combined regulation text at http://www.hhs.gov/ocr/combinedregtext.pdf.
3. Hochhauser, Mark, Ph.D., “Readability of HIPAA Privacy Notices,” available on the Web at benefitslink.com (http://benefitslink.com/articles/hipaareadability.pdf) and privacyexchange.org (http://www.privacyexchange.org/iss/estudies/estudies.html).
Mike McEvoy, Ph.D., RN, CCRN, REMT-P, is the EMS coordinator for Saratoga County, New York. A former forensic psychologist, he now works in the Cardiac Surgical ICU at Albany Medical Center and teaches at Albany Medical College in New York. He is a paramedic for Clifton Park-Halfmoon Ambulance Corps and medical advisor for the West Crescent (NY) Fire Department. He presently serves as a member of the New York State EMS Council and the State Emergency Medical Advisory Council and is the EMS director on the Board of the New York State Association of Fire Chiefs.
Paul Gillan, J.D., EMT-B, is a senior associate attorney with the Albany, New York, law firm of Iseman, Cunningham, Riester & Hyde, LLP. An EMT since 1996, he devotes a substantial portion of his practice to representing fire and EMS services, regional EMS councils, and individual EMTs. For more information, please visit http://www.icrh.com.