Link to Sample
We have prepared a sample notice you can copy and adapt.

Privacy Practices Notice … Requirements and Comments

Michaele P. Dunlap, Psy.D.


Quoting from: pp. 82547-56 of the Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations, about the required content of “covered entities’” Privacy Practices Notice:



  • entities must describe all uses and disclosures of protected health information that they are permitted or required to make under this rule without authorization, including those uses and disclosures subject to the consent requirements under § 164.506.
  • If other applicable law prohibits or materially limits the covered entity’s ability to make any uses or disclosures that would otherwise be permitted under the rule, the covered entity must describe only the uses and disclosures permitted under the more stringent law.
  • Covered entities must separately describe each purpose for which they are permitted to use or disclose protected health information under this rule without authorization, and must do so in sufficient detail to place the individual on notice of those uses and disclosures.
  • With respect to uses and disclosures to carry out treatment, payment, and health care operations, the description must include at least one example of the types of uses and disclosures that the covered entity is permitted to make. This requirement is intended to inform individuals of all the uses and disclosures that the covered entity is legally required or permitted to make under applicable law, even if the covered entity does not anticipate actually making such uses and disclosures. We do not require covered entities to distinguish in their notices between those uses and disclosures required by law and those permitted but not required by law.
  • … we … require covered entities that wish to contact individuals for any of the following activities to list these activities in the notice:
      – providing appointment reminders,
      – describing or recommending treatment alternatives,
      – providing information about health related benefits and services that may be of interest to the individual, or
      – soliciting funds to benefit the covered entity.
    If the covered entity does not include these statements in its notice, it is prohibited from using or disclosing protected health information for these activities without authorization.

  • the notice must state that all other uses and disclosures will be made only with the individual’s authorization and that the individual has the right to revoke such authorization.
  • Covered entities must describe individuals’ rights under the rule and how individuals may exercise those rights with respect to the covered entity.
  • Covered entities must describe each of the following rights, as provided under the rule:
      – the right to request restrictions on certain uses and disclosures, including a statement that the covered entity is not required to agree to a requested restriction (§ 164.522(a));
      – the right to receive confidential communications of protected health information (§ 164.522(b));
      – the right to inspect and copy protected health information (§ 164.524);
      – the right to amend protected health information (§ 164.526);
      – and the right to an accounting of disclosures of protected health information (§ 164.528).


  • We additionally require the notice to describe the right of an individual, including an individual that has agreed to receive the notice electronically, to obtain a paper copy of the notice upon request.
  • … we additionally require the covered entity, if it wishes to reserve the right to change its privacy practices and apply the revised practices to protected health information previously created or received, to make a statement to that effect and describe how it will provide individuals with a revised notice.
  • … a covered entity’s notice must inform individuals about how they can lodge complaints with the covered entity if they believe their privacy rights have been violated.
  • The notice must also state that individuals may file complaints with the Secretary.
  • … we additionally require the notice to include a statement that the individual will not suffer retaliation for filing a complaint.
  • … we also permit and encourage covered entities to include optional elements that describe the actual, more limited, uses and disclosures they intend to make without authorization.
  • Covered health care providers that have direct treatment relationships with individuals must provide the notice to such individuals as of the first service delivery after the compliance date…
  • … Covered providers that maintain a physical service delivery site must prominently post the notice where it is reasonable to expect individuals seeking service from the provider to be able to read the notice.
  • … a covered entity that maintains a web site describing the services and benefits it offers must make its privacy notice prominently available through the site.
  • Section 164.520(d)—Joint Notice by Separate Covered Entities … regarding the ability of legally separate covered entities to produce a single notice. In the final rule, we allow covered entities that participate in an organized health care arrangement to comply with this section by producing a single notice that describes their combined privacy practices. See § 164.501 and the corresponding preamble discussion regarding the definition of organized health care arrangement.


Are your eyes glazed yet? I’ve condensed this, leaving out many pages of dense, repetitive verbiage.

Because I am a psychotherapist, my records must now have two parts (p. 82497): the clinical record, which will include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment, and a summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress; and my psychotherapy notes, which must be kept separate from the clinical record. Psychotherapy notes, covering the content of my conversations with my client and any comments or analyses I make of those conversations, are not accessible to the client for inspection and copying under HIPAA (I must note that in the privacy notice). Nor are the psychotherapy notes to be available for audit (p. 82653).

Why does this trouble me? It all sounds so good: every client will get to read these dense, specific documents and will be assured that I can be reported not only to my licensing Board if I violate the privacy of their protected health information, but also to the Secretary of Health and Human Services (HHS).

But I am not comforted. I feel somehow that the statement that there are only two instances that require me, the “covered entity,” to disclose protected health information: “When individuals request access to information about themselves, and when disclosures are compelled by the Secretary for compliance and enforcement purposes” (p. 82499), is the opening wedge for making my clients’ information federal property. Am I paranoid? Or is the dizzying fall down the rabbit hole a reminder that I need to be very clear with myself and my clients that my clinical record will contain minimal information, that if they use insurance or managed care the company may request my clinical record as a standard practice, and that the clinical record will be increasingly at risk for review on demand? Do I create an emotional barrier with my client from our first session when I must present this privacy notice?