Covered entities are required to provide individuals with a NOTICE OF PRIVACY PRACTICES (NPP) and to revise the NPP whenever there is a material change to any of its privacy practices. The purpose of the NPP is to enable an individual to understand what happens to their PHI. The NPP tells individuals why their PHI is needed, and how it is being used. The NPP should state what information is being collected, how it is being used, disclosed, and stored, and who should be contacted with questions or complaints.
NOTE: Laboratories that were previously exempt from providing individuals with their test results under the CLIA regulations are now responsible for modifying their notice of privacy practices to reflect the current HIPAA requirements. HIPAA-covered laboratories have to inform individuals of their right to access test reports directly from the laboratory and how to exercise that right.