verification-layer 0.20.0 → 0.22.0

package/templates/notice-of-privacy-practices.md

@@ -0,0 +1,491 @@
+# NOTICE OF PRIVACY PRACTICES
+
+**[COMPANY NAME]**
+
+**Effective Date:** [DATE]
+
+---
+
+> **⚠️ TEMPLATE INSTRUCTIONS**
+>
+> This template complies with HIPAA §164.520 as of February 2026, including the 2024 NPP modifications. Replace all [BRACKETED] fields with your organization's information. Have this reviewed by a healthcare attorney before publishing.
+>
+> **2024 Updates Included:**
+> - Right to inspect and copy reduced to 15 days (from 30 days)
+> - New right to inspect in person and take photographs
+> - Updated electronic access requirements
+> - Enhanced breach notification language
+
+---
+
+## THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
+
+---
+
+## 1. OUR DUTY TO PROTECT YOUR HEALTH INFORMATION
+
+We are required by law to:
+
+- **Maintain the privacy** of your Protected Health Information (PHI)
+- **Provide you with this Notice** of our legal duties and privacy practices with respect to PHI
+- **Follow the terms** of the Notice currently in effect
+- **Notify you** following a breach of unsecured PHI
+
+We understand that medical information about you and your health is personal. We are committed to protecting your health information and will not use or disclose your health information without your authorization, except as described in this Notice or as otherwise permitted by law.
+
+**What is Protected Health Information (PHI)?**
+
+PHI is information about you, including demographic information, that may identify you and that relates to:
+- Your past, present, or future physical or mental health or condition
+- The provision of healthcare to you
+- Your past, present, or future payment for healthcare
+
+---
+
+## 2. HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION
+
+We may use and disclose your health information for the following purposes:
+
+### A. Uses and Disclosures That Do Not Require Your Authorization
+
+#### Treatment
+
+We may use and disclose your health information to provide, coordinate, or manage your healthcare and related services. This includes consultation and coordination of your care with other healthcare providers.
+
+**Examples:**
+- Sharing your medical history with specialists who are treating you
+- Coordinating care between your doctor, therapist, and case manager
+- Sending your prescription information to your pharmacy
+- Communicating test results to you and your healthcare team
+- For ABA (Applied Behavior Analysis) services: sharing behavioral assessments, treatment plans, and progress notes with members of your care team (BCBAs, RBTs, therapists, educators)
+
+#### Payment
+
+We may use and disclose your health information to bill and collect payment for the treatment and services we provide to you. This includes determinations of eligibility and coverage, and other utilization review activities.
+
+**Examples:**
+- Submitting claims to your health insurance company
+- Verifying your insurance benefits and coverage
+- Collecting copayments, deductibles, or other amounts you may owe
+- Responding to requests from your insurance company for medical necessity reviews
+- Providing documentation to your insurance company for pre-authorization of services
+
+#### Healthcare Operations
+
+We may use and disclose your health information for our healthcare operations. These uses and disclosures are necessary to run our practice and ensure that our patients receive quality care.
+
+**Examples:**
+- Quality assessment and improvement activities
+- Training students, interns, and healthcare professionals
+- Conducting or arranging for medical review, legal services, and audits
+- Business planning and development
+- Credentialing and peer review activities
+- Compliance programs and internal investigations
+- Patient safety activities and risk management
+- Customer service, including responding to inquiries and complaints
+
+### B. Uses and Disclosures Required by Law
+
+We will disclose your health information when required to do so by federal, state, or local law. This includes:
+
+**Public Health Activities**
+- Reporting diseases, injuries, vital events (births, deaths), and public health surveillance
+- Reporting to the Food and Drug Administration (FDA) regarding adverse events or product defects
+- Notifying persons who may have been exposed to a disease or are at risk of contracting or spreading a disease
+- Reporting suspected abuse, neglect, or domestic violence to appropriate authorities when authorized or required by law
+
+**Health Oversight Activities**
+- Audits, investigations, inspections, and licensure actions by government agencies that oversee the healthcare system
+- Civil, administrative, or criminal proceedings or actions
+- Government monitoring of healthcare programs and compliance with civil rights laws
+
+**Judicial and Administrative Proceedings**
+- In response to a court order, subpoena, discovery request, or other lawful process
+- To defend ourselves in a lawsuit or other legal proceeding
+
+**Law Enforcement**
+- When required by law or in response to a valid court order or subpoena
+- To identify or locate a suspect, fugitive, material witness, or missing person
+- About a crime victim if the victim agrees or in emergency circumstances
+- About a death we believe may be the result of criminal conduct
+- About criminal conduct at our facility
+- In emergency circumstances to report a crime
+
+**Coroners, Medical Examiners, and Funeral Directors**
+- To coroners or medical examiners for identification purposes, determining cause of death, or other duties as authorized by law
+- To funeral directors to carry out their duties
+
+**Organ and Tissue Donation**
+- If you are an organ donor, we may release health information to organizations that handle organ procurement, transplantation, or tissue banking
+
+**Research**
+- For research purposes when the research has been approved by an Institutional Review Board (IRB) or Privacy Board that has reviewed the research proposal and established protocols to ensure the privacy of your health information
+
+**To Avert a Serious Threat to Health or Safety**
+- When necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person
+- Disclosures would only be made to someone able to help prevent the threat
+
+**Specialized Government Functions**
+- Military and veterans: if you are a member of the armed forces, we may release health information as required by military command authorities
+- National security and intelligence activities: to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law
+- Protective services for the President and others: to authorized federal officials for protection of the President, other authorized persons, or foreign heads of state
+- Correctional institutions: if you are an inmate or under custody of law enforcement, we may release health information to the correctional institution or law enforcement official for certain purposes
+
+**Workers' Compensation**
+- We may disclose your health information as authorized by and to comply with laws relating to workers' compensation or similar programs
+
+**Abuse or Neglect**
+- We may disclose your health information to appropriate authorities if we reasonably believe that you are a possible victim of abuse, neglect, or domestic violence
+- This is particularly important for minors receiving ABA therapy or other behavioral health services
+- We will only disclose this information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm
+
+### C. Uses and Disclosures That Require Your Written Authorization
+
+The following uses and disclosures will be made only with your written authorization:
+
+**Marketing Communications**
+- We will not use or disclose your health information for marketing purposes without your written authorization
+- Exception: We may communicate with you about products or services related to your treatment, case management, or care coordination without authorization
+
+**Sale of Health Information**
+- We will not sell your health information without your written authorization
+
+**Psychotherapy Notes**
+- We will not use or disclose psychotherapy notes without your written authorization, except for limited treatment, payment, or healthcare operations purposes as permitted by law
+
+**Other Uses**
+- Other uses and disclosures not described in this Notice will be made only with your written authorization
+- You may revoke your authorization in writing at any time, except to the extent that we have already taken action in reliance on your authorization
+
+---
+
+## 3. YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION
+
+You have the following rights regarding your health information:
+
+### Right to Inspect and Copy
+
+You have the right to inspect and obtain a copy of your health information that may be used to make decisions about your care.
+
+**How to Exercise This Right:**
+- Submit a written request to our Privacy Officer (contact information at the end of this Notice)
+- We will respond to your request within **15 days** (updated from 30 days in 2024)
+- We may extend the response time by an additional 15 days if we notify you in writing of the delay
+
+**What You Can Access:**
+- Medical and billing records
+- Treatment plans and progress notes
+- Test results and diagnostic reports
+- Medication lists and immunization records
+
+**Fees:**
+We may charge a reasonable, cost-based fee for:
+- Copying (per page or per file)
+- Postage (if you request mailing)
+- Preparing a summary (if you request a summary instead of full copy and agree to the fee)
+
+**Denials:**
+- In certain limited circumstances, we may deny your request to inspect and copy
+- If we deny your request, we will provide you with a written explanation
+- You may request a review of the denial by another licensed healthcare professional chosen by us
+
+### Right to Inspect in Person and Take Photographs (NEW 2024)
+
+You have the right to inspect your health information **in person** at our facility and to take photographs of your records using your own device (smartphone, camera, etc.).
+
+**How to Exercise This Right:**
+- Submit a written request to our Privacy Officer to schedule an appointment
+- We will respond within **15 days** and schedule a convenient time for you to review your records
+- You may bring a smartphone or camera to photograph pages of your record
+- We may have a staff member present during your inspection
+
+**Limitations:**
+- You must inspect records during normal business hours
+- You may not remove original records from the facility
+- We may deny photography if it would interfere with operations or violate another person's privacy
+
+### Right to Request Electronic Copy
+
+You have the right to request an electronic copy of your health information in an electronic format.
+
+**How to Exercise This Right:**
+- Submit a written request specifying the electronic format you prefer (PDF, XML, HL7, etc.)
+- If we cannot produce the record in your requested format, we will work with you to agree on a readable electronic format
+- We will respond within **15 days**
+
+**Direct Transmission:**
+- You may request that we transmit your electronic health information directly to another person or entity you designate
+- Your request must be in writing, signed by you, and clearly identify the designated recipient
+
+### Right to Amend
+
+If you believe that your health information is incorrect or incomplete, you have the right to request that we amend the information.
+
+**How to Exercise This Right:**
+- Submit a written request to our Privacy Officer
+- Provide a reason supporting your request for amendment
+- We will respond within **60 days** (may extend by 30 days with written notice)
+
+**If We Accept Your Request:**
+- We will make the amendment and inform you
+- We will notify others who need to know about the amendment
+
+**If We Deny Your Request:**
+- We will provide a written explanation
+- You may submit a written statement of disagreement
+- We may prepare a written rebuttal, and you will receive a copy
+- Reasons for denial may include:
+  - The information was not created by us
+  - The information is not part of the records we maintain
+  - You would not be permitted to inspect or copy the information
+  - The information is accurate and complete
+
+### Right to Accounting of Disclosures
+
+You have the right to request an "accounting of disclosures" — a list of certain disclosures we have made of your health information.
+
+**What's Included:**
+- Disclosures for purposes other than treatment, payment, or healthcare operations
+- Disclosures not made pursuant to your authorization
+- Timeframe: Up to 6 years prior to your request (but not before April 14, 2003)
+
+**What's NOT Included:**
+- Disclosures to you
+- Disclosures pursuant to your authorization
+- Disclosures for treatment, payment, or healthcare operations
+- Disclosures for national security or intelligence purposes
+- Disclosures to correctional institutions or law enforcement officials
+
+**How to Exercise This Right:**
+- Submit a written request to our Privacy Officer
+- Specify the time period for the accounting (up to 6 years)
+- We will respond within **60 days** (may extend by 30 days with written notice)
+
+**Fees:**
+- The first accounting in a 12-month period is **free**
+- We may charge a reasonable fee for additional requests within the same 12-month period
+
+### Right to Request Restrictions
+
+You have the right to request restrictions on how we use or disclose your health information for treatment, payment, or healthcare operations. You also have the right to request that we restrict disclosures to family members, friends, or others involved in your care.
+
+**How to Exercise This Right:**
+- Submit a written request to our Privacy Officer
+- Specify what information you want to limit
+- Specify how you want to limit our use or disclosure
+
+**Our Response:**
+- We are **not required** to agree to your request, except in the following circumstance:
+- **Required Restriction:** If you pay **out-of-pocket in full** for a healthcare item or service and request that we not disclose information about that item or service to your health plan for payment or healthcare operations purposes, we **MUST** agree to your request (unless disclosure is required by law)
+
+**If We Agree:**
+- We will comply with your request unless the information is needed to provide emergency treatment to you
+- We may terminate the restriction if you agree or if we notify you of the termination
+
+### Right to Request Confidential Communications
+
+You have the right to request that we communicate with you about your health information in a certain way or at a certain location.
+
+**Examples:**
+- Request that we call you at work instead of home
+- Request that we mail information to a P.O. Box instead of your home address
+- Request that we use email instead of phone calls
+- Request that we not leave voicemail messages
+
+**How to Exercise This Right:**
+- Submit a written request to our Privacy Officer
+- You do not need to provide a reason for your request
+- We will accommodate all reasonable requests
+
+**Your Request Must Specify:**
+- How or where you wish to be contacted
+- Alternative contact information if applicable
+
+### Right to Be Notified of a Breach
+
+You have the right to be notified if there is a breach of your **unsecured** health information.
+
+**What is a Breach?**
+- A breach is the unauthorized acquisition, access, use, or disclosure of your health information that compromises the security or privacy of your information
+
+**When We Will Notify You:**
+- We will notify you **without unreasonable delay**, no later than **60 days** after we discover the breach
+- Notification will include:
+  - A description of what happened
+  - The types of information involved
+  - Steps you should take to protect yourself
+  - What we are doing in response
+  - Contact information for questions
+
+**How We Will Notify You:**
+- Written notification by **first-class mail** to your last known address
+- **Email** if you have agreed to receive communications electronically
+- If we have insufficient contact information for 10 or more individuals, we will post a notice on our website or in major media outlets
+
+### Right to a Paper Copy of This Notice
+
+You have the right to receive a **paper copy** of this Notice at any time, even if you have previously agreed to receive it electronically.
+
+**How to Obtain:**
+- Request a copy from our Privacy Officer
+- Download from our website: [WEBSITE URL]
+- Pick up a copy at our reception desk
+
+---
+
+## 4. CHANGES TO THIS NOTICE
+
+We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain, including information created or received before the changes were made.
+
+**If We Make Material Changes:**
+- We will post the revised Notice in our facility
+- We will make copies available at our reception desk
+- We will post the revised Notice on our website (if applicable): [WEBSITE URL]
+- The effective date will be listed at the top of the Notice
+
+**You can request a copy of our current Notice at any time.**
+
+---
+
+## 5. COMPLAINTS
+
+If you believe your privacy rights have been violated, you have the right to file a complaint.
+
+### File a Complaint with Us
+
+**Privacy Officer:** [PRIVACY OFFICER NAME]
+**Address:** [ADDRESS]
+**Phone:** [PHONE]
+**Email:** [EMAIL]
+
+**How to File:**
+- Submit a written complaint describing the violation
+- You may also call or email to discuss your concerns
+
+### File a Complaint with the Federal Government
+
+**U.S. Department of Health and Human Services**
+**Office for Civil Rights (OCR)**
+
+**Website:** https://www.hhs.gov/ocr/privacy/hipaa/complaints/
+**Phone:** 1-800-368-1019
+**TTY:** 1-800-537-7697
+**Email:** OCRComplaint@hhs.gov
+
+**Mail:**
+Office for Civil Rights
+U.S. Department of Health and Human Services
+200 Independence Avenue, S.W.
+Room 509F, HHH Building
+Washington, D.C. 20201
+
+**Online Complaint Portal:** https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
+
+### Important Information
+
+- **You will NOT be penalized or retaliated against** for filing a complaint
+- **No action will be taken against you** for exercising your rights or filing a complaint
+- We support your right to protect your privacy
+
+---
+
+## 6. CONTACT INFORMATION
+
+If you have questions about this Notice or would like to exercise any of your rights, please contact:
+
+**Privacy Officer:** [PRIVACY OFFICER NAME]
+**Address:** [FULL MAILING ADDRESS]
+**Phone:** [PHONE NUMBER]
+**Email:** [EMAIL ADDRESS]
+**Office Hours:** [BUSINESS HOURS]
+**Website:** [WEBSITE URL]
+
+---
+
+## ACKNOWLEDGMENT OF RECEIPT
+
+**I acknowledge that I have received a copy of the Notice of Privacy Practices.**
+
+**Patient/Individual Name (Print):** _________________________________
+
+**Signature:** _________________________________ **Date:** _________
+
+**Relationship to Patient (if not the patient):** _________________________________
+
+---
+
+**For Office Use Only:**
+
+☐ Patient received copy of Notice
+☐ Patient refused to sign acknowledgment (document reason): _______________
+☐ Unable to obtain acknowledgment (document reason): _______________
+
+**Staff Signature:** _________________________________ **Date:** _________
+
+---
+
+## ADDITIONAL INFORMATION
+
+### For Parents/Guardians of Minors
+
+If you are the parent or legal guardian of a minor, you generally have the right to access your child's health information. However, there may be circumstances under state law where a minor has the right to consent to treatment and control access to their own health information.
+
+**Exceptions may include:**
+- Certain mental health services
+- Substance abuse treatment
+- Reproductive health services
+- Services where the minor is considered a "mature minor" under state law
+
+We will comply with applicable state and federal laws regarding access to minors' health information.
+
+### For Personal Representatives
+
+If you have appointed a **personal representative** (such as through a power of attorney for healthcare, legal guardian, or executor of your estate), that person may exercise your rights and make decisions about your health information on your behalf.
+
+**We may require documentation** of the personal representative's authority before allowing access to your health information.
+
+### For Deceased Individuals
+
+The privacy protections described in this Notice continue for **50 years** after an individual's date of death. Personal representatives of deceased individuals may exercise the rights described in this Notice.
+
+### State Privacy Laws
+
+Some states have privacy laws that provide additional protections beyond HIPAA. Where applicable state law provides greater privacy protections or rights, we will comply with state law. If you have questions about state-specific privacy laws, please contact our Privacy Officer.
+
+### Minors Receiving ABA or Behavioral Health Services
+
+For families with children receiving Applied Behavior Analysis (ABA) or other behavioral health services:
+
+- We may share information with educators, case managers, and other care team members as necessary for coordinated treatment
+- Parents/guardians generally have full access to their child's treatment records
+- We are required by law to report suspected abuse or neglect to appropriate authorities
+- We will maintain the confidentiality of your child's information as required by HIPAA and state law
+
+---
+
+## EFFECTIVE DATE AND COMPLIANCE
+
+**This Notice is effective as of:** [EFFECTIVE DATE]
+
+**HIPAA Compliance:** This Notice complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Parts 160 and 164) and incorporates updates through February 2026.
+
+**Document Retention:** This Notice must be retained for a minimum of **six (6) years** from the date of its creation or the date when it last was in effect, whichever is later (45 CFR §164.316(b)(2)).
+
+**Version:** [VERSION NUMBER, e.g., 2.0]
+**Last Revised:** [LAST REVISION DATE]
+**Next Review Date:** [NEXT REVIEW DATE - typically annual]
+
+---
+
+**Additional Resources:**
+
+- **HIPAA Privacy Rule:** https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
+- **Patient Rights:** https://www.hhs.gov/hipaa/for-individuals/index.html
+- **OCR Guidance:** https://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
+
+---
+
+*This Notice of Privacy Practices template was generated using vlayer - HIPAA Compliance Scanner*
+*https://github.com/Francosimon53/verification-layer*
+
+*Template complies with 45 CFR §164.520 and includes 2024 regulatory updates*