HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos


Archive for Notice of Privacy Practices

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I work in a medical records office and consider myself familiar with HIPAA rules and regulations. I recently tried to schedule an appointment for my fiancé at his dentist’s office, which I have done in the past. However, I was told on this occasion that I am not permitted to schedule the appointment because my fiancé did not authorize me to do so on HIPAA disclosure documents. I thought this was strange, so I requested that the office manager call me and I also requested a copy of the dental office’s notice of privacy practices (NPP). The practice refused to give me its NPP, and I have been waiting for more than a week for a return call. Does HIPAA dictate who can schedule a patient’s appointment? If so, should an NPP include this information? If this is part of a practice’s NPP, I wonder whether a breach occurred when I scheduled an appointment for my fiancé in the past.

A: There are a couple of issues here. First, the office should certainly provide you with a copy of its NPP. In fact, it is required to post it on its website if it has one, and at minimum on the wall at the practice.

HIPAA addresses disclosure of information. You can make an appointment for your fiancé without office staff needing to reveal any information about him to you and, therefore, this is acceptable under HIPAA. You are not bound by HIPAA as an individual and may share whatever information requested by the practice to make and confirm the appointment.

It may be that staff at the practice refused to make the appointment because they are confused or that they are concerned about no shows. However, there is no reason to refuse your request to make an appointment for your fiancé—unless, of course, he has requested this restriction.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Comments (4)

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health IT (ONC) recently announced the Digital Privacy Notice Challenge.

OCR and ONC recently developed paper model notices of privacy practices (NPP) to help organizations develop updated NPPs that comply with the HIPAA Omnibus Rule. The two agencies are calling on designers, developers, and privacy experts to submit their concepts for a digital model NPP. The submission deadline is April 7.

OCR and ONC will host the Digital Privacy Notice Informational Webinar at 2 p.m. (Eastern) Thursday, February 27. Join the webinar by visiting the challenge website.

Comments (0)

Q . May organizations include inserts in their current patients’ rights brochures with updated information about their right to receive their medical files electronically, or must they reprint their entire brochures? We have a backstock of brochures and prefer to use them before we reprint them.   

A. Reprinting the entire brochure is not required; an insert is permissible as long as it doesn’t contradict information in the actual notice. You should call this a notice of privacy practices (NPP) rather than a patient’s rights brochure because the latter includes rights unrelated to PHI, and there are specific things that must be included in each. Access sample NPPs at www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. Note that the HIPAA Omnibus Rule requires changes beyond the right to receive an electronic copy. Remember that the intent of the NPP is to explain to your patients what you are doing with their information and their rights pertaining to their PHI. Be sure to date your NPP and post the additional information prominently in your facility and on your website.

Editor’s note: This question was answered by Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H. This information does not constitute legal advice. Consult legal counsel for answers t j o specific privacy and security questions. Send your HIPAA questions to Associate Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com.