SNO Policy 200: Notice of Privacy Practices

Purpose and Principles: This recommended policy incorporates the HIPAA requirements obligating entities to provide individuals a notice of the entities’ privacy practices.[4] The policy exceeds HIPAA’s requirements by also requiring disclosures to individuals of certain information related to the SNO and RLS.[5] For example, under the model policy, the Privacy Notice should inform individuals about what information the Participant may make available through the SNO and RLS, who is able to access the information, and how they can have information concerning them removed from the RLS. These are not HIPAA requirements, but rather build and expand upon the privacy law to help incorporate information related to the NHIN and the RLS. This recommended model policy also exceeds HIPAA’s requirements by providing suggestions for additional, voluntary protections that could be implemented on the Participant level to enhance consumer protections, such as excluding individuals from the RLS index unless prior consent is obtained or loading information into the RLS only after a notification and opportunity to decline participation has been provided to individual patients.

This recommended model policy promotes the privacy principles of openness and transparency, purpose specification and minimization, use limitation, collection limitation, and individual participation and control. In addition, the model policy helps ensure that information is collected and shared electronically in a fair manner with the knowledge of relevant individuals, which is particularly important in a networked environment where the technology may be unfamiliar to average users.

Recommended Language

Scope and Applicability: This Policy applies to all Participants that have registered with and are participating in the SNO and the RLS and that may provide or make available health information through the SNO and the RLS.

Policy: Each Participant shall develop and maintain a notice of privacy practices (the “Notice”) that complies with applicable law and this Policy.

  1. Content. The Notice shall meet the content requirements set forth under the HIPAA Privacy Rule[6] and comply with all applicable laws and regulations. The Notice also shall include a description of the SNO and the RLS and inform individuals regarding: (1) what information the institution may include in and make available through the SNO and the RLS; (2) who is able to access the information in the SNO and the RLS; (3) for what purposes such information can be accessed; and (4) how the individual can have his or her information removed from the RLS.
  2. Provision to Individuals. Each Participant shall have its own policies and procedures governing distribution of the Notice to individuals, which policies and procedures shall be consistent with this Policy and comply with applicable laws and regulations.
    • For Participants that are health care providers, the Notice shall be: (1) available to the public upon request; (2) posted on all web sites of the Participant and available electronically through such sites; (3) provided to a patient at the date of first service delivery; (4) available at the institution; and (5) posted in a clear and prominent location where it is reasonable to expect individuals seeking service to be able to read the Notice.[7]
    • For Participants that are health plans, the Notice shall be: (1) available to the public upon request; (2) provided to new enrollees at the time of plan enrollment; (3) provided to current plan enrollees within 60 days of a material revision; and (4) posted on the plan’s web sites and available electronically through such sites. Participating health plan institutions also shall notify individuals covered by the plan of the availability of the Notice and how to obtain a copy at least once every three years.[8]
  3. Individual Acknowledgement. Each Participant that is a health care provider shall make a good faith effort to obtain the individual’s written acknowledgement of receipt of the Notice or to document their efforts and/or failure to do so. The acknowledgement of the Notice shall comply with all applicable laws and regulations.[9] Each Participant shall have its own policies and procedures governing obtaining an acknowledgement, which policies and procedures shall be consistent with this Policy and comply with applicable laws and regulations.
  4. Participant Choice. Participants may choose a more proactive notice distribution process than provided herein and may include more detail in their notice of privacy practices. Possible additional protections for individuals whose information may be made available through the RLS (not all of which pertain to notice policies alone) could include: mailing the revised notice or a notification letter allowing for removal or exclusion of the information about that individual from the RLS to every individual prior to loading the information into the RLS or shortly thereafter; excluding individuals from the RLS index unless individual consent is obtained; loading individual information into the RLS on a going-forward, new individual encounter basis only; developing a method for time-stamping an RLS record to indicate when the record was loaded into the index; developing a method for allowing individuals to limit access to their RLS records; and obtaining individual consent prior to each inquiry made to the RLS index by a Participant, or on a periodic basis.