Elements of the Notice of Privacy Practices
Content of the Notice.
One important requirement under the final HIPAA Omnibus Rule is that covered entities must update their notice of privacy practices. Below are the elements that are required to be a part of the updated Notice of Privacy Practices.
Covered entities are required to provide a notice of privacy practices in plain language that describes:
1. How the covered entity may use and disclose protected health information about an individual.
2. The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
3. The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
4. Whom individuals can contact for further information about the covered entity’s privacy policies.
5. The notice must include an effective date.
6. The HITECH Act also states that if a medical practice shares information electronically with another covered entity, that information must be listed in the Notice of Privacy Practices. Examples that must be disclosed: A physician office is electronically connected to transmit and/or receive lab reports from an outside vendor through the practice’s EMR.
Required Additions by the HITECH Omnibus Rule: All covered entities must include the following in their notice of privacy practices:
7. A statement that the following uses and disclosures will be made only with authorization from the
uses and disclosures for marketing purposes;
uses and disclosures that constitute the sale of PHI;
most uses and disclosures of psychotherapy notes (if the covered entity maintains psychotherapy
other uses and disclosures not described in the notice
8. A statement regarding an individual’s right to notice in the event of a breach
9. Notice of the right to opt out of fundraising communications (if the covered entity conducts
10. Health care providers must include in their notice of privacy practices a statement about an individual’s right to restrict disclosures of protected health information to health plans if an individual has paid for services out of pocket in full.
11. Health plans (except for long-term care plans) must include in their notice of privacy practices a statement that the health plan is prohibited from using or disclosing genetic information for
Notes: A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals. All patients must sign that they have received the updated Notice. The HITECH Omnibus is a material change to the Notice and therefore requires re-signing of the Receipt of NPP by all of your
You must include your Notice of Privacy Practices on your web site (if you have one) and post or place a copy in your waiting area.
At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. Reach out to us to review your current HIPAA Compliance Program. A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.
For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.