Website Privacy Policies and HIPAA’s Notice of Privacy Practices

If you have spent any time on the Internet, you have been asked what you would like a website to do with its cookies. A cookie is information saved by your web browser. Cookies are like flags that allow a website to recognize and remember your device if you return to that site in the future. Some cookies can also keep track of your device over time.

Website owners are required to tell visitors what kind of cookies they use, as well as how they use and disclose the visitor’s information collected by their website. There are additional legal requirements for websites that ask visitors to enter personal or financial information, and requirements on how to treat the information of minors under 13 years old. Websites typically have a privacy policy that outlines requirements like these, usually available through a link at the bottom of the website. This kind of privacy policy applies to everyone who visits the website, regardless of whether the visitor ever becomes a customer.

The Notice of Privacy Practices (NPP) required by HIPAA serves a separate but similar purpose. An NPP applies only to the patients of a practice. It outlines a patient’s privacy rights and how the practice uses, discloses, and secures the patient’s protected health information (PHI). The NPP must contain certain information and be written in plain language, meaning it should be understandable to those with basic reading skills. A patient must be provided a copy of the NPP prior to their first treatment, except in an emergency. A copy of the NPP must be provided to anyone who asks for it, and it must be posted in a prominent location inside the practice, such as the waiting room.

If your practice has a website, the current NPP must be posted in a noticeable location there, too. In its 2016-2017 HIPAA Audits Industry Report, the Office for Civil Rights (OCR) provided a few examples of what a prominent location on a website might be:

  • Through a drop-down menu on the home page.
  • On the top or bottom of the home page as a designated link (e.g., a direct link from the home page named “HIPAA Notice of Privacy Practices” or something similar, to avoid confusion with the website’s general privacy policy).

In general, a patient should not need to click more than twice from a practice’s home page to find the NPP. The OCR’s report made it clear that the NPP and general privacy documents should not be combined.

TMC clients can download a customizable sample NPP and related forms, such as the patient acknowledgement of receipt of the NPP, in the Client Portal.