Privacy Policy


To outline the policy and process for the hospital to distribute the Notices of Privacy Practices (“Notices”) and obtain patient acknowledgment


HPMC workforce members (employees and non-employees), and management.


Terms not defined in this Policy or the Terms and Definitions maintained by the HPMC Compliance Office (available through hyperlinks in the HIPAA policies, online, and from the HPMC Compliance Office) will have the meaning as defined in any related State or Federal privacy law including the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HHS”) at 45 CFR Part 160 and 164, Subparts A and E (“Privacy Regulations” or “Privacy Rule”) and Subparts A and C (“Security Regulations” or “Security Rule”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) privacy and security provisions of the American Recovery and Reinvestment Act (Stimulus Act) for Long Term Care, Public Law 111-5, the American Recovery and Reinvestment Act of 2009 (“ARRA”), Title XIII and related regulations.


The hospital will distribute Notices of Privacy Practices to patients that will provide notice of the uses and disclosures of protected health information (“PHI”) that may be made by the Hospital, as well as the patient’s rights and the Hospital’s duties with respect to PHI as required under HIPAA.


The Hospital will provide patients with a notice of privacy practices (“Notice”) that clearly explains patients’ privacy rights under HIPAA and will document patient acknowledgement of receipt of the Notice using the procedure described below.

HPMC has developed the following template for the Notice that is included as an attachment to this Policy:

  • Notice of Privacy Practices

Distribution of the Notice:

The Hospital will distribute the Notices as follows:

  • Make the Notice available on the Hospital’s website;

  • Make the Notice available to any individual who requests it;

  • Prominently post the Notice in a location where it is reasonable to expect individuals seeking service from the Hospital will be able to see and read it;

  • Provide a copy of the Notice no later than the date of the first service delivery;

  • Have copies of the Notice available where the health care services are rendered for individuals to take with them; and

  • Provide Notices in English and Spanish formats.

The Hospital may email the Notice if the individual agrees to receive an electronic Notice.

Emergency Situations:

In an emergency situation, the Notice will be provided as soon as reasonably practicable once the emergency has ended.

Acknowledgment of Receipt of the Notice:

The hospital will make a good faith effort to obtain a written or electronic acknowledgement of receipt of the Notice from every individual prior to the date of the first delivery of services to the extent practicable (in emergency situations, this may be delayed). Only the patient or authorized personal representative can provide acknowledgment of receipt of the Notice. Inability to obtain an acknowledgment will be clearly documented. In no event will treatment be conditioned on the patient’s acknowledgement of the receipt of the Notice.

Amendment of the Notice

If the Notice is amended, the Notice must be made available by the Hospital upon request on or after the effective date of the amendment – a good faith effort to obtain an individual’s acknowledgment is only required at the first service delivery.

Retention of the Notice

The Notice will be retained by the Hospital Privacy Officer or their designee for six (6) years.


45 C.F.R. Parts 160 and 164

45 C.F.R. § 160.520

ARRA, Title XIII, Subtitle D