Covered entities are required to provide individuals with a NOTICE OF PRIVACY PRACTICES (NPP) and to revise the NPP whenever there is a material change to any of its privacy practices. The purpose of the NPP is to enable an individual to understand what happens to their PHI. The NPP tells individuals why their PHI is needed, and how it is being used. The NPP should state what information is being collected, how it is being used, disclosed, and stored, and who should be contacted with questions or complaints.
The Final Rule issued January 25, 2013, commonly known as the "Omnibus Rule," requires modifications and redistribution of the notice of privacy practices so that it reflects the current HIPAA requirements. This must be completed by September 23, 2013.
It is essential that covered entities faithfully adhere to their own NPP.
NOTE: Laboratories that were previously exempt from providing individuals with their test results under the CLIA regulations are now responsible for modifying their notice of privacy practices to reflect the current HIPAA requirements. HIPAA-covered laboratories have to inform individuals of their right to access test reports directly from the laboratory and how to exercise that right. For laboratories, this must be completed by October 6, 2014.