What is a HIPAA Notice of Privacy Practices?

The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute Notices of Privacy Practices (NPPs). The Notice of Privacy Practices must be given to patients. The notice must describe how the covered entity (CE) may and may not use and disclose protected health information (PHI), what rights the patient has with respect to that PHI, and what legal duties the covered entity has in protecting it. Covered entities are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with a HIPAA-related transaction. PHI is individually identifiable health information held or transmitted by a covered entity, in any form or medium, whether electronic, on paper, or oral.

What Information Must the Notice of Privacy Practices Contain?

Under HIPAA regulations, covered entities are required to provide individuals with a Notice of Privacy Practices in plain language that contains:

  • The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • A description of how PHI can be used for treatment, payment, and health care operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.
    • A covered entity may use or disclose PHI without authorization for a number of purposes. Examples include public health and health oversight activities, and judicial proceedings.
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice.
  • The date on which the notice is first in effect.
  • A statement that an individual may revoke an authorization.

Patient Rights Information

The notice must also contain a statement of the patient’s rights with respect to PHI. These rights include:

  • The right to request restrictions on certain uses and disclosures of PHI.
  • The right to receive confidential communications of PHI, as permitted by law.
  • The right to inspect and copy PHI.
  • The right to amend PHI, as permitted by law.
  • The right to receive an accounting of disclosures of PHI.
  • The right of an individual to obtain a paper copy of the notice, upon request.
  • The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated.

The notice must also contain a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.

Information About Covered Entity Duties

Finally, the notice must contain information regarding the covered entity’s duties with respect to PHI. The required information includes:

  • A statement that the covered entity is required by law to maintain the privacy of PHI.
  • A statement that the covered entity must provide individuals with notice of its legal duties and privacy practices with respect to PHI.
  • A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.
  • A statement that the covered entity must abide by the conditions of the notice currently in effect.

To Whom Must the Notice be Given?

In addition to providing the notice to the individuals it serves (as described in the next section), a covered entity must make its notice available to any person who asks for it.

When Must the Notice be Provided?

Providers with a direct treatment relationship must give the notice to patients no later than the first date of service delivery, which in practice means the patient's first appointment with the provider. The provider must also make a good faith effort to obtain the patient's written acknowledgment that the notice was received. In the event of an emergency, the provider must give the notice to the patient as soon as reasonably practicable after the emergency treatment situation.

A health plan must give its notice to individuals at the time of enrollment. It must also send a reminder at least once every three years that enrollees can ask for the notice at any time.

A health plan can give the notice to the “named insured” (subscriber for coverage). It does not also have to give separate notices to spouses and dependents.

How Must the Notice be Posted?

A provider must post the notice in a clear and easy-to-find location where patients are able to see it, and must have copies available for patients to take with them on request.

Any covered entity that maintains a website providing information about its customer services or benefits must prominently post and make the notice available on the website.

When Must the Notice of Privacy Practices be Updated?

A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. A material change cannot be put into effect before the effective date of the revised notice that describes it.

Compliancy Group Simplifies HIPAA Compliance

Developing a Notice of Privacy Practices that complies with all legal requirements is only one small part of what an organization must do to become HIPAA compliant. The challenge of becoming HIPAA compliant can be a daunting one.

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of HIPAA regulation.

Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!