The HIPAA Privacy Rule mandates that every covered provider create, and make available to its patients, a "Notice of Privacy Practices." So critical was this document in the opinion of the federal government, that HIPAA even mandates what the first 26 words of every Notice of Privacy Practices (Privacy Notice) must be.

The Privacy Notice should be the foundation on which the entire HIPAA privacy regime of a practice is built. The Privacy Notice, and the group of policies and procedures documents HIPAA also requires a practice to have, must be consistent with each other and both must be consistent and in compliance with the HIPAA rule. One must be careful to develop and construct the Privacy Notice to include all of the elements mandated for it, not the least of which are detail as to the permitted as well as required uses and disclosures of health information and detail as to patients’ rights with respect to their health information.

The Privacy Notice must be written in "plain language," and the HIPAA rule requires every covered practice to distribute a copy of its Privacy Notice to patients no later than the first date of service delivery. If a one has a web site, the Privacy Notice must be prominently posted there, and it must be posted in a prominent location in the office – the lobby/waiting area.

Further, as a covered provider, a practice is required to make a "good faith effort" to obtain a written and signed acknowledgment of each patient's receipt of its Privacy Notice. Even when the Privacy Notice is distributed via the Internet or by mail, written acknowledgement of receipt must be obtain. The acknowledgment must be retained for a period of six years.

In those instances in which a patient's signed written acknowledgment of receipt of the Privacy Notice cannot be obtain, a practice must document the efforts that were made and the reason(s) why it was not obtained. In an emergency situation, a written acknowledgment of receipt of the Privacy Notice must be obtained as soon as practicable.

The section of the HIPAA regulations describing and mandating the Privacy Notice has 2,300 plus words, and 1,100 words in that part of the section that details the required elements/contents.

Practitioners must live with and do with patients' health information all they tell their patients in the Privacy Notice, thus, while each must be certain to include all the HIPAA mandated elements, each must base its Privacy Notice on the realities and practical considerations inherent in its own practice. While a practitioner should promise in the Privacy Notice what is required of one, practitioners should not promise more than they can deliver.