Covered entities are required to provide individuals with a Notice of Privacy Practices (NPP) and to revise the NPP whenever there is a material change to any of its privacy practices. The purpose of the NPP is to enable an individual to understand what happens to their PHI. The NPP tells individuals why their PHI is needed, and how it is being used. The NPP should state what information is being collected, how it is being used, disclosed, and stored, and who should be contacted with questions or complaints.
The Omnibus Rule, also known as the Final Rule, went into effect on March 26, 2013. It requires modifications and redistribution of the notice of privacy practices so that it reflects the current HIPAA requirements.
It is essential that covered entities faithfully adhere to their own NPP.