Privacy Rule Requirements

Within the Privacy Rule, requirements for covered entities to distribute a notice of privacy practices or NPP are defined. The NPP must describe the uses and disclosures of Protected Health Information that a covered entity is permitted to make, the covered entity’s legal duties and privacy practices with respect to PHI, and the individual’s rights concerning Protected Health Information. A CE must also include separate statements about permitted uses and disclosures that the covered entity intends to make, including uses and disclosures for certain treatment, payment, or health care operations purposes. The Privacy Rule currently requires that the NPP contain a statement that any uses and disclosures other than those permitted by the Privacy Rule will be made only with the written authorization of the individual and that the individual has the right to revoke an authorization at any time.


The following pieces of information must also be included within the NPP


The NPP must have an effective date and if it’s updated at any time, you must update all documents also.


This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.” That specific statement must also be included on your NPP.


You must also have Contact and Complaint Information as well as your office’s Chief Security Officer contact information.