Under the Privacy Rule, an individual has a right to adequate notice of how a covered entity may use and disclose his/her PHI. Individuals also have the right to know a covered entity’s obligations with respect to the protection of that information. This notice is known as the Notice of Privacy Practices (NPP or “the Notice”) and is often part of the first interaction that an individual has with a covered entity during intake/admission.

The Privacy Rule requires that certain language or topics be addressed in the NPP, but obligations don’t end with the Notice itself. Some items to consider regarding your organization’s Notice of Privacy Practices (NPP):

  • Is it posted prominently in all the locations (physical and virtual) that it should be?
  • Do you have an accompanying policy to create your NPP?
  • Does the Notice of Privacy Practices reflect your policies regarding the use and disclosure of PHI, including marketing, research, the sale of PHI, and information exchange?
  • When was it last reviewed or updated?
    • Has it been updated since 2013 to include required HITECH language?
    • What happens when there are changes to the Notice of Privacy Practices?