HIPAA Notice of Privacy Practices Profile, v1.0
Profile of HIPAA requirements for the privacy notice to users of the organization's privacy practices (per 45 CFR Section 164.500-599) regarding PHI.
Identifier | https://artifacts.trustmarkinitiative.org/lib/tips/hipaa-notice-of-privacy-practices-profile/1.0/ |
Publication Date | 2017-02-17 |
Issuing Organization | Trustmark Initiative (https://trustmarkinitiative.org/) |
Keywords | There are no keywords. |
Legal Notice | This document and the information contained herein is provided on an "AS IS" basis, and the Georgia Tech Research Institute disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, the Georgia Tech Research Institute disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein. |

Trust Expression:
TD_PrivacyNoticeRequiredContentPlainLanguage and TD_PrivacyNoticeRequiredContentHeader and TD_PrivacyNoticeRequiredContentMainPurposes and TD_PrivacyNoticeRequiredContentOtherPurposes and TD_PrivacyNoticeRequiredContentMoreStringentLaw and TD_PrivacyNoticeRequiredContentSufficientDetail and TD_PrivacyNoticeRequiredContentUsesRequiringAuthorization and TD_PrivacyNoticeRequiredContentUsesNotDescribed and TD_PrivacyNoticeRequiredContentRevokeAuthorization and TD_PrivacyNoticeRequiredContentFundraisingCommunications and TD_PrivacyNoticeRequiredContentDiscloseToSponsor and TD_PrivacyNoticeRequiredContentNoGeneticInformation and TD_PrivacyNoticeRequiredContentIndividualRights and TD_PrivacyNoticeRequiredContentCoveredEntityDutyToMaintainPrivacy and TD_PrivacyNoticeRequiredContentCoveredEntityDutyToProvideNotice and TD_PrivacyNoticeRequiredContentCoveredEntityDutyToNotifyIndividuals and TD_PrivacyNoticeRequiredContentCoveredEntityDutyToAbidebyTerms and TD_PrivacyNoticeRequiredContentCoveredEntityDutyToRightToChangeNotice and TD_PrivacyNoticeRequiredContentCoveredEntityDutyToProvideRevisedNotice and TD_PrivacyNoticeRequiredContentFileaComplaint and TD_PrivacyNoticeRequiredContentContactInformation and TD_PrivacyNoticeRequiredContentEffectiveDate and TD_PrivacyNoticeRequiredContentNoLimitationRequiredbyLaw and TD_PrivacyNoticeRequiredContentNoLimitationtoAvertSeriousThreat and TD_PrivacyNoticeRevisionstotheNotice
References (25)
TD Privacy Notice Required Content - Plain Language, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must be written in plain language. |
ID | TD_PrivacyNoticeRequiredContentPlainLanguage |
Provider Reference |
TD Privacy Notice Required Content - Header, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a prescribed header. |
ID | TD_PrivacyNoticeRequiredContentHeader |
Provider Reference |
TD Privacy Notice Required Content - Main Purposes, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a description of the types of permitted uses and disclosures for the purposes of treatment, payment, and health care operations. |
ID | TD_PrivacyNoticeRequiredContentMainPurposes |
Provider Reference |
TD Privacy Notice Required Content - Other Purposes, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a description of each of the other purposes for which the organization is permitted or required to use or disclose protected health information. |
ID | TD_PrivacyNoticeRequiredContentOtherPurposes |
Provider Reference |
TD Privacy Notice Required Content - More Stringent Law, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain provisions, if a stated use or disclosure for any purpose is prohibited or materially limited by other applicable law, to reflect the more stringent law. |
ID | TD_PrivacyNoticeRequiredContentMoreStringentLaw |
Provider Reference |
TD Privacy Notice Required Content - Sufficient Detail, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a description that includes sufficient detail to place the individual on notice of the uses and disclosures for the stated purposes. |
ID | TD_PrivacyNoticeRequiredContentSufficientDetail |
Provider Reference |
TD Privacy Notice Required Content - Uses Requiring Authorization, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a description of the types of uses and disclosures that require an authorization under Section 164.508(a)(2)-(a)(4), i.e., psychotherapy notes, marketing, and sale of PHI. |
ID | TD_PrivacyNoticeRequiredContentUsesRequiringAuthorization |
Provider Reference |
TD Privacy Notice Required Content - Uses Not Described, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization. |
ID | TD_PrivacyNoticeRequiredContentUsesNotDescribed |
Provider Reference |
TD Privacy Notice Required Content - Revoke Authorization, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that the individual may revoke an authorization. |
ID | TD_PrivacyNoticeRequiredContentRevokeAuthorization |
Provider Reference |
TD Privacy Notice Required Content - Fundraising Communications, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain provisions to notify an individual and be able to opt out of receiving fundraising communications. |
ID | TD_PrivacyNoticeRequiredContentFundraisingCommunications |
Provider Reference |
TD Privacy Notice Required Content - Disclose To Sponsor, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must inform the individual that the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan. |
ID | TD_PrivacyNoticeRequiredContentDiscloseToSponsor |
Provider Reference |
TD Privacy Notice Required Content - No Genetic Information, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice, excluding an issuer of a long-term care policy, must contain a statement that PHI that is genetic information cannot be used for underwriting purposes for a health plan. |
ID | TD_PrivacyNoticeRequiredContentNoGeneticInformation |
Provider Reference |
TD Privacy Notice Required Content - Individual Rights, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise these rights. |
ID | TD_PrivacyNoticeRequiredContentIndividualRights |
Provider Reference |
TD Privacy Notice Required Content - Covered Entity Duty To Maintain Privacy, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that the organization is required by law to maintain the privacy of PHI. |
ID | TD_PrivacyNoticeRequiredContentCoveredEntityDutyToMaintainPrivacy |
Provider Reference |
TD Privacy Notice Required Content - Covered Entity Duty To Provide Notice, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that the organization is required by law to provide individuals with notice of its legal duties and privacy practices with respect to PHI. |
ID | TD_PrivacyNoticeRequiredContentCoveredEntityDutyToProvideNotice |
Provider Reference |
TD Privacy Notice Required Content - Covered Entity Duty To Notify Individuals, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that the organization is required by law to notify affected individuals following a breach of unsecured PHI. |
ID | TD_PrivacyNoticeRequiredContentCoveredEntityDutyToNotifyIndividuals |
Provider Reference |
TD Privacy Notice Required Content - Covered Entity Duty To Abide by Terms, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that the organization is required to abide by the terms of the notice currently in effect. |
ID | TD_PrivacyNoticeRequiredContentCoveredEntityDutyToAbidebyTerms |
Provider Reference |
TD Privacy Notice Required Content - Covered Entity Duty To Right To Change Notice, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. |
ID | TD_PrivacyNoticeRequiredContentCoveredEntityDutyToRightToChangeNotice |
Provider Reference |
TD Privacy Notice Required Content - Covered Entity Duty To Provide Revised Notice, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that describes how it will provide individuals with a revised privacy notice. |
ID | TD_PrivacyNoticeRequiredContentCoveredEntityDutyToProvideRevisedNotice |
Provider Reference |
TD Privacy Notice Required Content - File a Complaint, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain a statement that individuals may complain to the organization and to the Secretary if they believe their privacy rights have been violated. |
ID | TD_PrivacyNoticeRequiredContentFileaComplaint |
Provider Reference |
TD Privacy Notice Required Content - Contact Information, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain the name, or title, and telephone number of a person or office to contact for further information or complaints. |
ID | TD_PrivacyNoticeRequiredContentContactInformation |
Provider Reference |
TD Privacy Notice Required Content - Effective Date, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The privacy notice must contain the date on which the notice is first in effect. |
ID | TD_PrivacyNoticeRequiredContentEffectiveDate |
Provider Reference |
TD Privacy Notice Required Content - No Limitation Required by Law, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. If the organization limits uses or disclosures more than provided by the privacy notice requirements, the organization may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law. |
ID | TD_PrivacyNoticeRequiredContentNoLimitationRequiredbyLaw |
Provider Reference |
TD Privacy Notice Required Content - No Limitation to Avert Serious Threat, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. If the organization limits uses or disclosures more than provided by the privacy notice requirements, the organization may not include in its notice a limitation affecting its right to make a use or disclosure to avert a serious threat to health or safety. |
ID | TD_PrivacyNoticeRequiredContentNoLimitationtoAvertSeriousThreat |
Provider Reference |
TD Privacy Notice - Revisions to the Notice, v1.0 | |
---|---|
Description | Specifies requirements for part of the contents of the privacy notice for individuals. The organization must promptly revise and distribute its notice whenever there is a material change to the privacy notice. |
ID | TD_PrivacyNoticeRevisionstotheNotice |
Provider Reference |
Terms (10)
Term Name | Abbreviations | Definition |
---|---|---|
Business Associate | BA | Covered entities engage "business associates" to work on their behalf. A business associate is a person (not part of the workforce of the covered entity) or organization that creates, receives, maintains, or transmits protected health information on behalf of the covered entity. Covered entities must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule. A covered entity may be a business associate of another covered entity. |
Correctional Institution | CI | Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial. |
Covered Entity | CE | The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as "covered entities": 1) health care providers if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard, 2) health plans, and 3) health care clearinghouses. A covered entity may be a business associate of another covered entity. |
Disclosure | | Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. |
Electronic Protected Health Information | e-PHI | Electronic protected health information means protected health information (PHI) that is transmitted by electronic means or maintained in electronic media. |
Health Insurance Portability and Accountability Act of 1996 | HIPAA | The HIPAA law includes Administrative Simplification provisions that require adoption of national standards for electronic health care transactions and code sets, unique health identifiers, and security. Additionally, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information. |
Plan Administration Functions | PAF | Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor. |
Protected Health Information | PHI | Protected health information (PHI) means "individually identifiable health information" that is transmitted by electronic means or maintained in electronic media or transmitted or maintained in any other form or medium, except it excludes individually identifiable health information: |
Summary Health Information | | Information, that may be individually identifiable health information, and that summarizes the claims history, claims expenses, or type of claims experienced by individuals. |
U.S. Department of Health and Human Services | HHS | The U.S. Department of Health and Human Services' (HHS) mission is to enhance and protect the health and well-being of all Americans by providing for effective health and human services and fostering advances in medicine, public health, and social services. |