Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 7: Use of Notice of Privacy Practices for PHI

Audience:

The information in this document applies to all UTD faculty, staff, students, volunteers, and any other contractors or agents granted access to Protected Health Information (PHI).

Definitions:

Protected Health Information (PHI):

Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

Treatment, Payment, and health care Operations (TPO):

Three core functions of providing health care to patients. Treatment involves the administering, coordinating and management of health care services by UTD for its patients. Payment includes any activities undertaken either by UTD or a third party to obtain premiums, determine or fulfill its responsibility for coverage and the provision of benefits or to obtain or provide reimbursement for the provision of health care. Health care Operations are activities related to UTD’s functions as a health care provider, including general administrative and business functions necessary for UTD to remain a viable health care provider.

Prisoner: a person incarcerated in or otherwise confined to a correctional institution.

Policy:

General Rule:

1. An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by UTD, and of the individual’s rights and UTD’s responsibilities with respect to PHI. UTD is required to provide a notice of privacy practices document to all patients, as well as other individuals requesting a copy. Those persons who register or admit patients will be responsible for distributing a copy of the notice to all patients.

UTD must:

1. Provide the notice no later than the date of the first service rendered.

2. Make a good faith effort to obtain an initial written acknowledgement of the receipt of notice from the patient and document the receipt of the Notice of Privacy Practices Acknowledgement Form. Please see the Notice of Privacy Practices Acknowledgment Form.

3. Have the notice available at the service delivery site for individuals to talk

with them;

4. Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from UTD to be able to read the notice; and

5. Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision.

Exception:

Prisoners:

A prisoner receiving medical attention from UTD does not have a right to receive a copy of the notice of privacy practices.

The Notice of Privacy Practices contains the following elements:

Header:

The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

Uses and disclosures:

The notice must contain:

1. A description, including at least one example, of the types of uses and disclosures that UTD is permitted to make for each of the following purposes: Treatment, Payment, and health care Operations (TPO);

2. A description of each of the other purposes for which UTD is permitted or required to use or disclose PHI without the individual’s written authorization;

3. A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by (Uses and Disclosures of PHI based on Patient Authorization.);

4. A statement that UTD may contact the individual to provide appointment reminders or information about treatment alternatives or other heath-related benefits and services that may be of interest to the individual; and

5. A statement that UTD may contact the individual to raise funds for UTD. The notice must contain a statement of the individual’s rights with respect to PHI and a brief description of how the individual may exercise these rights, as follows:

  • The right to request restrictions on certain uses and disclosures of PHI as provided by Patient Right to Request Restrictions, including a statement that UTD is not required to agree to a requested restriction;
  • The right to receive confidential communications of PHI as provided by (Patient Right to Confidential Communications)
  • The right to inspect and attain a copy of the patient’s PHI as provided by (Patient Right to Copy PHI);
  • The right to request an amendment to PHI as provided by (Patient Right to Amend PHI);
  • The right to receive an accounting of disclosures of PHI as provided by (Patient Right to Accounting of PHI); and
  • The right of an individual, including an individual who has agreed to receive the notice electronically, to obtain a paper copy of the notice from UTD upon request.

Covered entity’s duties:

The notice must contain a statement that:

UTD is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI; 1. Is required to abide by the terms of the notice currently in effect; and 2. Reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. The statement must also describe how it will provide individuals with a revised notice.

Complaints:

The notice must contain a statement that individuals may complain to UTD and to the Department of Health and Human Services (HHS) if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with UTD, and a statement that the individual will not be retaliated against for filing a complaint.

Contact:

The notice must contain the name, or title, and telephone number of a person or office to contact for further information. Effective date April 14, 2003. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

Requirements for Electronic Notice:

1. UTD will provide an updated electronic version of the notice of privacy practices on its website at http://www.utdallas.edu 2. UTD may provide the notice to an individual by e-mail, if the requirements for communicating with the individual through email is in compliance with the HIPAA Electronic Mail Policy. If UTD knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. 3. Provision of electronic notice by UTD will satisfy the provision requirements if receipt of the notice by the individual is documented. 4. The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from UTD upon request.

Documentation of Notice:

UTD must document compliance with the notice requirements by retaining copies of the notices issued by UTD.

Those persons who register new patients will be responsible for distributing the notice to all patients and documenting the receipt of the Notice of Privacy Practices Acknowledgement Form in Patient Index System. UTD must also keep the original Notice of Privacy Practices Acknowledgement Form in the official medical record. If a written acknowledgement was not obtained from the patient, UTD must document the reason for the failure to obtain the written acknowledgement on the Notice of Privacy Practices Acknowledgement Form. Such reason for failure simply may be, for example, that the patient refused to sign after being requested to do so.

Revisions to the Notice

UTD must promptly revise and make available its notice whenever there is a material change to the uses or disclosures, the individual’s rights, UTD’s legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.