The HIPAA Privacy Rules mandate that a direct health care provider (a "covered entity"):
- 1) Provide the individual with a Notice of Privacy Practice (NPP), usually at the first face-to-face. The NPP must contain the information specified in Section 164.520 of the Rules.
- 2) Ask the individual to sign an "acknowledgement" that he/she has been provided with the NPP. If the individual refuses to sign the "acknowledgement", an explanatory notation would need to be included in the client's "designated record set." In either case, the signed acknowledgement or notation would need to be maintained for 6 years.
- 3) Post the NPP in a client-accessible area at the provider's office(s).
- 4) Post an electronic copy of the NPP at the provider's Website (i.e., if the provider maintains a Website).
- 5) Revise and distribute the NPP whenever there is a material change to the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice.
Notice of Privacy Practices