Possible HIPAA Changes May Change How and If Patients Get Notices About Their Rights (RFI Part 4)
This post will address Part 4 of the Office for Civil Rights’ (OCR) request for information (RFI) on possible changes to the Health Information Portability and Accountability Act (HIPAA). Part 4 addresses questions on Notice of Privacy Practices (NPPs).
I originally tweeted my analyses here, but have put the tweets together in this post (with edits) for easier reading.
My introduction to the RFI as well as an analysis of the first part (on sharing information between providers) can be found here.
My analysis of the second part (on loosening privacy standards for substance use and mental health information) can be found here.
Discussion on the third part (changes to accounting of disclosures) can be found here.
In this fourth section, the OCR says it wants feedback on possibly:
Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual’s awareness of his or her rights.
Notices of Privacy Practices (NPPs) are part of the paperwork you sign off on at every doctor appointment, and few people read them. They are supposed to let patients know (among other things):
How a provider may use and disclose protected health information;
Patient rights to the information and how to exercise these rights;
The provider’s duties to protect the privacy and security of health info; and
Whom patients can contact for further information about privacy policies including how to make a privacy complaint to the provider.
The OCR (HIPAA enforcers) have developed model NPPs that providers can use. I find the models to be a little lacking and tend to make more comprehensive NPPs for providers I’ve worked with in setting up their HIPAA compliance. Making them more comprehensive comes with the drawback that patients may not read the entire thing, but I feel it’s important to be clear.
Patients should know their rights. They should also be informed about how information can be used without consent (examples include law enforcement, treatment, payment, public health crises, and more) and those they can object to (marketing, mental health info, etc). Being detailed may seem overwhelming but in the end, patients should have this information up front. It establishes trust by making clear that patients’ protected health information (PHI) is taken seriously.
NPPs are even more important because few patients know their rights or even where to start looking for them. Time and again, patients on social media tell me they don’t know how to get their records or who enforces the law. Because patients don’t know their rights and knowing they have such difficulty in obtaining their records as a result, I wrote a huge, comprehensive post on Common HIPAA Issues and how to address them.
The folks who set out the Privacy Rule recognized that NPPs are important and thus require providers to get a signed acknowledgment that patients receive them. They also say that NPPs need to be posted in an office and online and that providers have to give one to any patient who requests it.
Unfortunately, there are a few issues with NPPs and a few things that the OCR wants to change about NPP rules that may not benefit patients. As I mentioned in the first post on the RFI, the OCR calls many HIPAA rules “regulatory burdens.” Clearly, with the questions posed here, they see NPPs as a burden for providers.
The biggest burden the OCR sees is the need for providers to document a “good faith effort” that they tried to get a patient to sign they received or were given a chance to see a provider’s NPP. They ask:
43) What is the burden, in economic terms, for covered health care providers that have a direct treatment relationship with an individual to make a good faith effort to obtain an individual’s written acknowledgment of receipt of the provider’s NPP? OCR requests estimates of labor hours and any other costs incurred, where available.
This question suggests that providers are spending too much time on documenting their efforts. I’ll genuinely be interested to see how providers calculate how much time is spent on these efforts. I bet that they overestimate. I don’t know any office that lets patients be seen without signing it (regardless of the fact this is a violation of HIPAA as discussed below).
Not documenting receipt of NPPs or efforts to get an acknowledgment seems risky for providers. While it’s crucial that patients get them, a provider that doesn’t document they provided a copy could easily be accused of withholding information on patient rights. Thus, it would make little sense to open providers to liability by saying they shouldn’t have to get patient acknowledgment of NPP receipt or document efforts that they tried to offer it to a patient.
Further, this is a point of contact where patients can get information and have an opportunity to ask questions. If no one has to put effort into making sure a patient received it (I mean if you don’t document it, did it ever happen?), then this opportunity is lost.
What barriers are there to getting a written acknowledgment? The OCR wants to know:
44) For what percentage of individuals with whom a direct treatment provider has a relationship is such a covered health care provider unable to obtain an individual’s written acknowledgment? What are the barriers to obtaining it?
I’m guessing the greatest barriers to getting written acknowledgment are in emergency situations where someone is not cognizant enough to sign a consent. The second barrier is likely staff error in not making sure a form was signed at check in. Again, I know few providers who would treat without this signed.
What does it mean to patients when they sign that they received an NPP? The OCR asks:
45) How often do individuals and covered entities mistake the signature or acknowledgment line that accompanies NPPs as contracts, waivers of rights, or required as a condition of receiving services? What conflicts have arisen because of these or other misunderstandings?
This is an interesting question because I do see these as a form of contract. Provider and patient are entering a contract where the provider says they will follow the law and uphold the patient right to privacy and security. The OCR probably does not want NPPs to be seen as a contract though, because a contract may imply that a patient has a right to sue a provider over their NPP. (There is no private right of action (i.e., no ability to sue) under HIPAA rules.)
The question is also interesting because if a patient is seeing this as a waiver of rights, we have a huge problem. NPPs are supposed to be the opposite of a waiver. They’re supposed to let patients know their rights and that patient rights can’t be circumscribed.
As I said above, I know few providers who would treat someone who won’t sign an NPP. While this is a violation of HIPAA, it still happens a lot. Providers cannot force a patient to sign that they received an NPP or refuse to see a patient who chooses not to sign. But as HIPAA training and compliance is lacking in most offices, most providers will not simply accept a patient saying “no” to signing any forms a provider presents. This is again why patients knowing their rights is important but isn’t sufficient to ensure those rights are respected.
It may be an unpopular opinion, but I do think that patients should have to sign these documents. They are not a waiver of rights. They are an assurance that patients can know their rights. It protects both patients and providers.
That said, patients have to sign a lot of things at check in and what they are asked to sign varies.
46) What other state and federal laws, guidelines or standards require covered health care providers to obtain the patient’s acknowledgement or signature on a document at their first visit? How many of those documents require patient signatures? What is the nature of those other documents that require signatures?
When we think about what paperwork patients have to fill out, we know everyone has to sign notices for payment. They often have to sign forms about current health status, health history, family history, etc. If you have government plans (like Medicare) there may be other questions to answer. And some practices have other practice notices (i.e., you have to give 24 hour cancellation notice, etc.).
A new addition I’ve seen is signing off on sharing health information under Health Information Exchanges (HIEs). Incidentally, I’ve listened to staff in some offices try to explain this to patients and all are woefully misinformed, ultimately confusing patients further. These notices are likely to become more common. Here’s an example from a radiology imaging center:
New patient paperwork is long and tedious. When they tell you to show up 15 minutes early for your appointment to fill paperwork out, it’s still almost never enough time (luckily many doctors run late). Still, I think NPPs should remain part of the paperwork packet. Heck, most don’t even give you a full copy of the NPP. Most only ask you to acknowledge you got it or had an opportunity to look at it and can request it, so it’s not adding much to that packet.
Continuing in that vein, the OCR asks:
47) How often are NPPs bundled with other documents at patient “intake” and with how many other pages of documents? How often are NPPs printed with non-NPP materials, either on the same page, or as a continuation of one integrated document, or as being physically attached to other documents? What is the nature of these non-NPP materials? How often, if at all, are covered health care providers required to have the patient sign updated versions of these forms (e.g., annually, each visit, no subsequent updates required)? Are electronic signatures permitted for these forms? If so, does this make the process less burdensome?
NPPs are almost always bundled. As I said, there’s a lot to sign and they hand it to you all at once at check in. The number of pages you get widely varies because each office can implement its own policies and develop its own materials.
It really bothers me when NPP signatures are integrated into the same page as the NPP because it generally means you tear off that page and then lose an entire page of the document. More so because that last page usually contains the information on who to contact about your rights or if you want to make a complaint. Ultimately, providers generally hand back some set of forms and who knows what you really end up with… And a lot of people don’t keep what they do get back.
When I work with providers, I make sure that they know to attach a separate page to the NPP and take only that page, leaving the rest with the patient. I ask that the NPP is kept separate from other practice guidelines and clearly noted as an NPP. Providers ask me why and if it’s really necessary to be so long and separate. I explain that this information is incredibly important and shouldn’t be confounded with other practice information. They can have their own practice documents too but NPPs are different. (This also takes away from the idea that it’s a contract or a waiver of rights.)
At times having a separate document seems less efficient, which is why I think few providers do it this way. But in the end, I emphasize the importance that this isn’t about convenience and providers’ wants. This is about establishing trust and giving patients the opportunity to know their rights.
I also try to emphasize the importance of letting patients know if any of these documents change. I’ve seen some organizations ask for yearly acknowledgments, which I think is a good practice in general. A lot of information is updated yearly – billing and insurance information, address, etc. Why not give patients the opportunity to think about their privacy rights at that time?
Where some providers update yearly, I know other providers that haven’t updated their privacy practices since HIPAA first came out. I’ve seen so many NPPs dated 2004 (HIPAA was passed in 1996, but rule making came about 2003). Even huge organizations that have tons of money to oversee compliance often haven’t addressed HIPAA changes or updated their paperwork. In 2013, the HITECH Act was passed which updated the Privacy, Security, and Breach Notification Rules, yet still few providers have done their due diligence in updating their own paperwork (ultimately showing how little they think of patient rights). I am genuinely astounded at how bad and outdated some NPPs are.
While the OCR is supposed to do onsite audits of HIPAA compliance, they tend to spend more time looking at risk assessments for Security Rule violations than NPPs and other organizational and Privacy Rule requirements. Things like NPPs go overlooked. Even when mistakes are found in NPPs & other office policy/procedure manuals, nothing really happens to providers. I recently got a decision on a case that’s been with the OCR for 2 years. All the OCR did was tell the hospital to change their policy manual to read that they must give patients their records within 30 days of a request (the manual had read 60 days).
But the OCR isn’t really worried about content in these questions (there are some questions about content below). Mostly, they’re worried it’s too much of a burden for providers to get acknowledgment that NPPs are received.
As a patient though, the NPP is the least burdensome. The burdensome part of care is the paper forms that ask me to write out my health information (past surgeries, Rxs, diagnoses, etc.) over and over again at every new office. Those are a headache to us all. Until we have interoperability (where electronic health records connect with each other everywhere) that allows the patient to share what information we wish with each provider without having to fill out forms every time and without staff having to reenter our answers on those forms into computers every time, NPPs will be the least of our worries with paperwork.
As for electronic signatures, I don’t like them. Often the screen is just the signing screen and you can’t see what you’re signing for. Staff simply says, “sign in the box.” I’m sure for the offices that can afford the signature technology, it’s easier for them. But I think it is worse for patients.
The next question from the OCR concerns what training is needed on NPPs:
48) If NPP training is part of your general annual training, how much of this training cost do you estimate your organization spends to train covered entity staff on their obligations to seek and maintain documents related to the NPP acknowledgment requirements?
It’s interesting that the OCR says “annual training” here because under HIPAA, training need only happen once every 2 years (some states say more often). Regardless though, HIPAA training, to be blunt, sucks everywhere.
I suspect that there’s very little time spent training on NPPs training new hires what paperwork they need to collect. Most HIPAA training focuses on the Privacy Rule sections on keeping information private and secure and some very basic security tips. Training for HIPAA is not standardized. There are no model trainings and a lot of companies use “HIPAA compliant training” as a marketing ploy. Companies that say “HIPAA Certified” are lying because there is no certification, but the idea of a certification is often attractive to providers who don’t know better. Even worse, a lot of training is now online. This means providers and staff don’t have an opportunity to ask questions or for information to be tailored to their practice’s needs.
Lack of training standards means that the level of understanding of HIPAA varies widely from provider to provider and often crucial parts of HIPAA are not taught or misinformation is given.
I talk about training a lot because poor training is the single biggest barrier to ensuring patient rights (and thereby involvement in their own care). NPP training may not need to be a focus, but staff that doesn’t know a patient can refuse to sign an NPP is detrimental to care. Why is it detrimental? Because it can mean a doctor refuses care. Or if a patient who knows their rights asserts their rights, conflict with staff and providers arises that doesn’t stay outside the exam room. Plus, as I’ve said time and again, HIPAA is about trust and not knowing these aspects of HIPAA can erode that trust from the start.
However, instead of seeing that HIPAA is about trust and improving care, providers see it as a burden as the OCR questions clearly imply:
49) What is the burden, in economic terms, for covered health care providers to maintain documentation of the acknowledgment or the good faith effort to obtain written acknowledgement and the reason why the acknowledgment was not obtained? What alternative methods might providers find useful to document that they provided the NPP? For example, to what extent would the use of a standard patient intake checklist reduce the burden?
Yet more questions about how hard it is for providers to maintain records. This is absurd to me. First, it should be part of the patient record and kept just as long. I said the same thing about Accounting of Disclosures (AoDs) in the third RFI analysis. AoDs are another means to document HIPAA compliance. Both NPPs and AoDs should be kept together with all other care documents.
Second, no provider should want to get rid of documentation that could prove they followed the law. I tell provider-clients I have to keep this notice as long as patient records just to limit their liability in case a patient says they never got an NPP. I hardly see it as a burden to keep a piece of paper (that you can scan in for ease) that helps both patients and providers and keep it for a standard amount of time. It seems more of a burden to have different lengths of time for document retention. As it stands now patient records, NPPs, and accounting of disclosures all have different retention periods, which can get confusing.
The OCR recommends a checklist but I see that as more of a burden. A checklist is an extra piece of paper. Some offices already have something like this – a checklist that says “patient signed NPP, signed payment forms, signed whatever else,” because, as we noted above, there is a lot of paperwork to keep track of, but they still get separate signatures for each.
And if NPPs are supposed to be about patients, I simply can’t see a checklist helping patients. It does not prove that they got the opportunity to see or ask for an NPP. Plus, items on a checklist can easily be checked off by mistake.
How can signatures be useful, the OCR wants to know:
50) What use, if any, do covered health care providers make of the signed NPP forms, or documentation of good faith efforts at securing written acknowledgments, that the Privacy Rule requires providers to maintain?
Signed NPP forms are great for providers as a CYA measure – to prove they followed the law. Signing the acknowledgment ensures patients have a chance to see the NPP and know their rights. Documenting efforts to get a signature ensures providers gave them that chance.
Granted, patients can still say that they didn’t get a chance to see an NPP if the acknowledgment form is mixed in with other forms and/or they aren’t given a full NPP. And patients can still say that even though they got an NPP, the NPP was lacking. So they aren’t a blanket safety measure.
It must also be noted that merely signing a form does not equal what is essentially informed consent. In other words, just because someone signs they got the papers doesn’t mean they’re signing that they understand the NPP. We can talk about this below in a bit more detail.
Should we get rid of the supposed burden of NPPs?
51) What benefits or adverse consequences may result if OCR removes the requirement for a covered health care provider that has a direct treatment relationship with an individual to make a good faith effort to obtain an individual’s written acknowledgment of the receipt of the provider’s NPP? Please specify whether identified benefits or adverse consequences would accrue to individuals or covered providers.
I’m sure providers would LOVE to get rid of the acknowledgment altogether, and even more so documenting good faith efforts to get an acknowledgment. Clearly it’s seen as a burden. But I don’t think it’s in anyone’s favor as I’ve said throughout.
Might it save time? Ostensibly yes, but I doubt much time is being spent on documenting good faith efforts and getting acknowledgments to justify getting rid of either. And any time spent is outweighed by the protection it affords providers if a patient accuses them of not offering an NPP.
For patients, getting rid of the documentation of good faith efforts means essentially that providers can say they made an effort without having to prove it – and it’s been my experience when proof isn’t needed, people don’t always follow the law & the law is harder to enforce.
The content of the NPP is what matters the most, though. The signature of receipt or documenting good faith efforts to get one are important, but they’re important because the content of the NPP is important.
As I said in the beginning of the thread, and as discussed in the next OCR question, the OCR already makes content pretty easy on providers to have NPPs by offering model NPPs. I also noted that the content requirements are pretty lax and I generally ask my providers to be more thorough.
If I were to change any single thing about the NPPs, it would be that the information about who to contact about patient rights should be presented up front, in clear and distinct language, possibly bolded and/or in a bigger font. That single piece of information (what to do if you want to know your rights or how to enforce them or make a complaint) should be the center of the document because it is the thing that will most help patients and the thing most patients don’t know.
On Twitter multiple patients have told me they had no idea the OCR existed or enforced HIPAA and they had no idea you can file complaints. (You can file complaints here.) I do encourage patients to go to the OCR rather than the office itself, for 2 reasons:
The rule violation is likely the result of the office not knowing the law already. And
The risk of retaliation (though prohibited by 45 CFR 160.316) for complaining is too high.
NPPs generally direct you to contact the Privacy Officer of a provider’s office. This is nice but they don’t tell you that while you can let them know, the Privacy Officer does not have to talk to you directly.
For a personal example: A doctor of mine was not complying with my records request. I told the person listed on their NPP form as the person to contact, who was the Privacy Officer. The doctor did not like that I made this complaint and told the Privacy Officer not to talk to me. When I filed a complaint with regards to these records issues, the OCR confirmed the office didn’t have to let me talk to the Privacy Officer. In other words, there is an absurdity of directing people where to make complaints and find information when that person is not required to talk to you (and ultimately there is retaliation for asking).
The end result of all of this was that I was left with a doctor who was very angry with me and would not comply with HIPAA and no ability to talk to the person who ostensibly was supposed to know the Privacy Rule when I could have gone directly to the OCR and skipped the shitshow that ensued.
All of that to say that the thing that generally comes last in an NPP (who to contact), should come first and there should be requirements that allow patients to actually talk with the person listed as well as stronger enforcement of non-retaliation and non-discrimination rules (which are under 45 CFR 160.316). There should also be prominent links to the OCR website for complaints and to the HHS website where patients can learn of their rights. This information should be bolded and in prominent (bigger) font than the rest of the document.
However, putting complaint information first is not sufficient. At the very least the model language of the NPPs set out by the OCR should also be provided in full. It must be comprehensive and clear. And providers should make sure patients get a chance to really see it, not just posting it on their website or wall.
What is in these model NPPs, the OCR wants to talk about them:
53) With the assistance of consumer-oriented focus groups, OCR has developed several model NPPs, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html, that clearly identify, in a consumer-friendly manner, an individual’s HIPAA rights and a covered entity’s ability to use and disclose PHI.
a) While covered entities are required to provide individuals an NPP, use of OCR’s model NPPs is optional. Do covered entities use these model NPPs? Why or why not?
I have deep suspicions when anything is written saying that “consumer-oriented focus groups” developed anything. Who are in these focus groups? Were they representative? Were they directed by advocacy groups with certain viewpoints? What directions were they given?
Leaving aside the fact that patients aren’t consumers (we don’t have that much choice if any at all, the power dynamics are vastly skewed, etc.), the idea that they are “consumer-friendly” is debatable. Clearly these model NPPs developed by the OCR with input from “consumer-oriented focus groups” are not “consumer-friendly” if patients are still not aware of their rights under HIPAA.
I don’t think I’ve ever seen a provider use these model NPPs. Why don’t providers use them? Probably in part because they don’t know they exist. Likely for many, their lawyers are developing better NPPs (hopefully). Or if not, they’re getting shitty ones from consulting companies that promise the NPP is good enough.
Then there are the providers (including huge hospital systems I’ve seen) that are too lazy to care that (or, if I’m being kind, don’t know) new rules came out in 2013 and they were supposed to update them – thus they keep their circa 2003 versions. Perhaps if, as I keep suggesting, the OCR had standards for training, providers would know more about NPPs, their importance, and that the OCR has model forms. But until training standards exist, what providers know and care to pay attention to varies widely.
If providers aren’t making it a priority to keep updated on HIPAA and updating their notices and policies accordingly, how are patients supposed to be expected to know their rights?
b) OCR has received anecdotal evidence that individuals are not fully aware of their HIPAA rights. What are some ways that individuals can be better informed about their HIPAA rights and how to exercise those rights? For instance, should OCR create a safe harbor for covered entities that use the model NPPs by deeming entities that use model NPPs compliant with the NPP content requirements? Would a safe harbor create any unintended adverse consequences?
“Anecdotal evidence” here is a bit laughable. There’s clear evidence that the OCR has not paid attention to showing patients don’t know their rights. If the OCR really did work with “consumer-oriented focus groups” that were representative of patients, they would have even more evidence.
I’m not sure how a safe harbor benefits patients… Safe harbors generally do the opposite. A safe harbor means that providers don’t have to do anything more than the bare minimum of providing something to patients without ensuring that patients understand it or whether the document is comprehensive. A safe harbor lets providers off the hook from giving truly meaningful information about privacy practices and rights. It doesn’t educate patients or increase awareness of rights.
How do we ensure patients know their rights? The suggestion I offered above – to make it clear where to find information on their rights and how to complain – would be a big start. Having the OCR actually work with patients (and not just “focus groups”) who can identify barriers and spread the word about rights would be another.
Other ways to let patients know their rights:
Engage in social media.
Provide more information through the channels where patients already are, not just through doctors. The ONC (Office for the National Coordinator of Health IT) has a better Twitter account than the OCR.
Actually enforcing Privacy Rule violations to the same level as Security Rule violations and issuing press releases to that effect can increase awareness.
That last part is huge. The only HIPAA headlines being published are the ones about huge fines for phishing attacks/malware/etc. As I said in the analysis of the first part of the RFI, what point is there in knowing your rights if they aren’t enforced? If all patients see are providers getting cited for security rule violations, and all the OCR does for privacy rule violations is give “informal” “technical assistance,” how are patients supposed to know or believe that their rights are being protected?
Beyond awareness, what information needs to be in the NPPs:
c) Should more specific information be required to be included in NPPs than what is already required? If so, what specific information? For example, would a requirement of more detailed information on the right of patients to access their medical records (and related limitations of what can be charged for copies) be useful?
Should other info be required above what is already required? Probably. For me, it’s less about the information included and more about the specificity of the information.
For instance, many NPPs may say something like: “We can use your information for purposes of law enforcement, public oversight, national security, organ and tissue donation, medical examiners, etc.” They generally list these items without giving examples.
To the OCR’s credit, the model NPPs are set up in a way to give examples and are fairly concise. But are they enough? Since they developed these models, have they done any research on the effectiveness of these forms?
And even when rights are explained, the same OCR model NPPs are woefully short on provider responsibilities to keep information safe and secure. They also miss some patient rights like the right to amend your records.
Further, while the OCR does provide a Spanish version of the model NPPs, what about other languages? What about Chinese (Mandarin or Cantonese), Korean, Vietnamese, French, Arabic, Farsi, Russian, etc.? These are common languages in the US and to ensure equity, materials need to be available in accessible, culturally sensitive ways. The OCR should have model NPPs in as many languages as possible, but at the very least they should require providers to have their own English and Spanish versions and offer translation if needed for any patient who requests it.
What else could be added to the NPPs? Certainly more information on access to records, including rights to accounting of disclosures, who can get a copy of your records on request (i.e. if you want to send family), cost, getting records and communicating electronically, and any of the issues I enumerate in my post on Common HIPAA Issues.
As I mentioned above, patients need to be able to acknowledge that they know about their rights in a meaningful way – akin to informed consent laws. If a patient is acknowledging receipt but still doesn’t know their rights (all of them), then the receipt is less meaningful.
In time, we recognized the cruelty and made a vow to do better by patients – to give them the right to be informed about their care. Unfortunately, our version of “informed” was (and generally still is) lacking to say the least. “Informed” meant that patients signed off on legalese that they didn’t understand to get treatment. This created great disparities, especially for different cultures.
More recently, healthcare has moved to using informed consents that are shorter and easier to understand. But whether they are truly informing patients in a meaningful manner is still up for debate.
HIPAA rights and understanding them are not quite to the same level as giving consent for treatment. Again, patients don’t even have to sign acknowledgment of NPPs. But I think they should be held to a similar standard as informed consent.
Are patients informed of their rights in a way that gives them a role in their healthcare? Is this information meaningful so they can make decisions about their healthcare and sharing of their information?
Is acknowledgment of receipt of NPPs enough? And are we just re-creating the same issues we have with informed consent for other treatment purposes – creating disparities because the NPPs aren’t understood, aren’t culturally accessible?
How can we improve NPPs? I’ve given examples above (some of these are repeats of things I’ve already said):
Let patients know where to find their rights and where to complain (again, put them up front)
Be detailed in what rights patients have (the current NPPs are likely not detailed enough)
Improve provider (and staff) training
Have NPPs in different languages
Reach out on social media
Work with patients (not just focus groups) to review materials
Consider researching effectiveness of the forms developed
Enforce the NPP rules & all rights under the Privacy Rule
Follow up on discrimination for patients that complain
Keep NPP acknowledgment as part of the patient record
Consider how notification of privacy rights and understanding those rights are akin to informed consent in treatment. NPPs are important but it’s clear patients don’t understand them or that NPPs should help them resolve HIPAA issues. The OCR & providers can do better.
NPPs aren’t a burden. Getting acknowledgment that patients received them or that providers tried to get that acknowledgment isn’t a burden. It’s in the best interest of everyone. Now we just need to help patients understand them.
This ends analysis of the fourth section of the RFI. I’ll be working on posting a recap along with the final questions soon.