Compliance Glossary

Covered entities must provide a Notice of Privacy Practices (Privacy Notice) to every individual whose PHI is processed by them. Healthcare providers send this notice to new enrollees during initiation and at least once every three years to the existing ones. Self-insured health plans create their own Privacy Notices, while fully insured plans rely on their insurance issuers for this.

How to provide the notice?

• Any person who requests the Privacy Notice should receive it
• The notice must be prominently displayed on the entity’s website if it provides customer service or benefit information there
• Health plans must give the notice to current members by April 14, 2003 (or April 14, 2004, for smaller plans) and to new enrollees during enrollment
• If the notice changes significantly, it should be reissued within 60 days
• Covered Direct Treatment Providers must give the notice to patients at the first service encounter, and efforts should be made to get a written acknowledgment
• For online or electronic service delivery, an electronic notice should be sent upon the patient’s request
• In emergencies, the notice should be provided as soon as possible, and acknowledgment is not required
• The latest notice reflecting any changes should be available for patients to take and be prominently displayed at the provider’s facility
• If a patient agrees, the notice can be sent via email