Get started Bring yourself up to speed with our introductory content.

HIPAA Omnibus Rule 2013: New Notice of Privacy Practices requirements

Expert Mike Chapple explains how Notice of Privacy Practices requirements have changed for covered entities under the HIPAA Omnibus Rule 2013.

In the past, my organization posted a Notice of Privacy Practices on our website and distributed it to patients, but I'm unsure what changes we should make to that documentation based on the HIPAA Omnibus Rule coming into effect. Could you explain any new Notice of Privacy Practices requirements, and what changes companies need to make to NPP documentation and distribution?

Ask the Expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The Notice of Privacy Practices (NPP) is an important component of compliance with the Health Insurance Portability and Accountability Act (HIPAA) regulations. This notice, required by HIPAA's Privacy Rule, must explain the uses and disclosures of protected health information (PHI) by an organization. The HIPAA Omnibus Rule 2013 does contain some changes to the regulations surrounding the NPP, including what must be contained in the notice and how revisions to the NPP may be communicated online.

From a content perspective, the NPP must be revised to include a description of the uses of PHI that require an explicit authorization from patients. These include the disclosure of psychotherapy notes, the use of PHI for marketing purposes and the sale of PHI by the covered entity. In cases where marketing or a sale includes financial renumeration, the authorization must state that the covered entity is being compensated for the disclosure. Additionally, any organization that intends to contact patients for fundraising purposes must inform them in its NPP, including giving them the opportunity to opt out of such communications. In addition to these changes, providers and health plans must also include details about both patients' rights and relevant breach notification requirements, which may vary based upon applicable state laws.

Finally, covered entities must continue to distribute copies of the current NPP to patients and alert them of any revisions. Health plans that use their websites to distribute an NPP must post any material changes to the documentation on their sites by the effective date of the change, and must include information about the change in their next annual mailing to plan participants.

This was last published in January 2014

Dig Deeper on HIPAA

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

So True
Covered entities must provide a “notice of privacy practices” NPP that describes permissible uses and disclosures of individuals’ “protected health information” PHI by covered entities, covered entities’ legal duties regarding PHI, and individuals’ rights concerning their PHI. The Final Rule requires the NPP to incorporate changes to HIPAA made to the Privacy Rule and by the Health Information Technology for Economic and Clinical Health HITECH Act