0 (0s): Hi, it's Dr. Weitz. Thanks so much for joining me for this episode of The Private Medical Practice Academy. A seemingly simple form that most patients toss in the garbage can actually get you in a whole lot of trouble and cost you an enormous amount of money. Anyone who's ever gone to a doctor has been given this form to read and sign. What am I talking about? The Notice of Privacy Practices. We all know that HIPAA guarantees a variety of patient rights, including a patient's right to know how you're going to use their PHI (their Protected Health Information). As part of that, one of the things that HIPAA requires you to do is to describe your office's privacy practices in writing in an easy-to-read document called A Notice of Privacy Practices.

0 (49s): According to the HIPAA guidelines, you have to ask your patients to sign, to acknowledge their receipt and understanding of the notice of privacy practices. The guideline states that you must do your best to get your patients to sign an acknowledgment that indicates that they have (a) received a copy of your notice of privacy practices (b) been made aware of a notice copy posted in your waiting room or been informed that a copy is available on your practice's website. Because you only have to do your best, your patients are not actually required to sign your notice of privacy practices, but getting their signature can be really helpful to prove that you're in compliance with HIPAA rules.

0 (1m 37s): Ultimately you're required to have some way for your patients to acknowledge that a copy of your privacy policy was made available for them to review and what authorizations they've agreed to. If you are audited by the office of civil rights for HIPAA compliance, they're going to request a copy of your notice of privacy practices to determine whether it has the required content. They're also going to review your process for making sure that your patients have access to this privacy notice.
This is probably the easiest HIPAA requirement for you to be compliant with so there's actually no excuse for you not to be. The first step towards being HIPAA compliant is knowing what should and shouldn't be in the privacy notice.

0 (2m 24s): Here are several items that are essential for you to include: Rights. Your privacy notice must spell out clearly your patients' rights. For example, patients have a right to their medical records. Patients have a right to correct errors in their medical records and to file a complaint if they feel that their privacy rights have been violated. Next, patients have a choice. Patient privacy choices must be clearly stated. For example, patients can choose whether they want to share information with family and friends about their condition or not. You're required to tell your patients how you're going to use their information.

0 (3m 4s): Another example, you may need to use your patient's private information to treat them, to bill them, and to comply with healthcare laws. And although these are all legitimate ways to use a patient's confidential information, you must include these reasons within your privacy notice. Next, you have to have a place for the patient to date and sign the form. Although the patients aren't required to sign and date your privacy notice, there must be a place for them to do so on the document. Their signature indicates their acknowledgment of your notice of privacy practices. It's not an agreement. A signed and dated statement gives you unambiguous proof of each patient's instructions regarding their private information.

0 (3m 52s): Next, your patients have the right to change the instructions on how you're authorized to utilize their information. You should have them complete another notice of privacy practices with their new preferences to indicate such a change. Also, if a previous notice exists, for example, it's an established patient who wants to change things.
You need to be sure to void the old notice. Otherwise, confusion can occur, and this is going to lead to misuse of their information, there'll be a patient complaint and ultimately can result in hefty penalties because of a HIPAA violation. I've included a HIPAA compliance sample notice of privacy practices form from the Health and Human Services website in the show notes.

0 (4m 38s): But I want to tell you that even if you have the perfect form, you can still get in trouble if you don't use the document correctly. So let's talk about how to use the document. Timing. Every new patient packet must contain a complete copy of your privacy notice. You must allow patients to review your privacy notice again at least every three years. Next, availability. You need to post a copy of your notice of privacy practices where your patients could easily see it. A frame on the wall by your front desk or at your front desk check-in counters are good options. Also, keep several copies behind your front desk in case the patient requests one.

0 (5m 19s): You also want to post the notice on your website. Let's come back to talking about signatures. You should make a good faith effort to document acknowledgment of your privacy notice by getting your patients to sign and date it. Their signature really does indicate that they received, understood and acknowledged the policy. To that end, you will need to ensure that all of your staff are involved in the process and have the necessary knowledge to answer the patient's questions and adequately document your patient's acknowledgment of your privacy practices policy. Let's say that somebody refuses to sign the policy. Good faith means that you've explained the form to the patient and have asked them to sign it and acknowledge it.

0 (6m 2s): Now I've had patients refuse to sign the form for any number of reasons. Sometimes they don't like the form. Sometimes they don't want to be bothered.
Sometimes they want to mark it up with 4,000 things. Ultimately, you will have people who refuse to sign the form. The key here is that you have to document why they're refusing to sign the form. Your exact efforts to get them to sign the form and date the document have to be recorded. So, list all of the reasons the patient gave for not wanting to sign. Address in the documentation any questions that the patient asked related to the form.

0 (6m 44s): And finally, have your staff sign and date the document as a formal record of the patient's refusal to sign the acknowledgment. Now, I want to talk about language. If your practice treats patients that primarily speak languages other than English, you are required to make your notice available in as many language options as is appropriate. Even patients with a good command of English may feel more comfortable having their medical rights and choices available in the language spoken in their homes. The same is true for patients who are hearing or visually impaired. You don't need to do this for every possibility: just those that are most commonly seen in your practice. Now let's talk about who can sign the privacy notice. This is another place where you can get in trouble.

0 (7m 25s): Basically, if you have the wrong person sign the notice of privacy practices acknowledgment form, then you've just documented a violation for yourself and it makes it very easy for an investigator to find it. So here's a list of who can actually give authorization and acknowledge receipt of your privacy notice. (1) Adults, all patients who are competent adults. (2) Minors, the legal parent or parents may sign for non-emancipated children. (3) Emancipated Minors. The definition of an emancipated minor, however, differs from state to state.

0 (8m 6s): Some still require parental involvement in healthcare decisions while others give full privacy rights to the child. You need to know your state's requirements to avoid getting into trouble.
(4) Next of Kin. The designated representative or next of kin of a seriously ill or comatose patient can sign for that patient as long as you have all of the appropriate documentation of their status. (5) The Legal Guardian. The designated legal guardian of an incompetent patient can also sign. But again, you're going to need to make sure that you have documented their status and keep this on file.

0 (8m 50s): And then (6), the executor or administrator of an estate. The legal executor or administrator of an estate of a deceased person may sign, but again, you need to get written proof of their authority

1 (8m 56s): and keep this in the file. Look, admittedly, the notice of privacy practices form often seems like it's just more paperwork, but not being compliant can result in costly violation penalties and these can have tremendous financial consequences for your practice. And as I said earlier, it's probably the easiest of the HIPAA guidelines to actually follow. Don't make the mistake of thinking that your notice of privacy practices is simply more paperwork. It's impossible for you to head off every possible breach of your patient's personal health information. However, focusing on tightening your management control at the front desk can significantly reduce your exposure and improve your HIPAA compliance and this is one of the easiest ways to do it.

1 (9m 46s): Thanks for joining me. Please be sure to sign up for my newsletter below, I'll be sending you tips on how to start a practice, grow a practice, and then add multiple services so that you can maximize your revenue.