If you have spent any time on the Internet, you have been asked what you would like a website to do with its cookies. A cookie is information saved by your web browser. Cookies are like flags that allow a website to recognize and remember your device if you return to that site in the future. Some cookies can also keep track of your device over time.
The Notice of Privacy Practices (NPP), which is required by HIPAA, serves a separate but similar purpose. An NPP applies only to the patients of a practice. It outlines a patient’s privacy rights and how the practice uses, discloses, and secures the patient’s protected health information (PHI). The NPP must contain certain information and be written in plain language. This means that it should be understood by those with basic reading skills. A patient must be provided a copy of the NPP prior to their first treatment, except in an emergency. A copy of the NPP must be provided to anyone who asks for it, and it must be posted in a prominent location inside the practice, like the waiting room.
If your practice has a website, the current NPP must be posted in a noticeable location there, too. In its 2016-2017 HIPAA Audits Industry Report, the Office for Civil Rights (OCR) provided a few examples of what a prominent location on a website might be:
- Through a drop-down menu on the home page.
In general, a patient should not need to click more than twice from a practice’s home page to find the NPP. The OCR’s report made it clear that the NPP and general privacy documents should not be combined.
TMC clients can download a customizable sample NPP and related forms like the patient acknowledgement of receipt of NPP in the Client Portal.