This health reform alert summarizes the key changes to the Notice of Privacy Practices ("NPP")[1] requirements in the revised Health Insurance Portability and Accountability Act ("HIPAA") regulations (the "Omnibus Rule")[2] as well as what covered entities need to do to be compliant.[3] Because many covered entities may have modified their NPPs based on the Notice of Proposed Rulemaking issued on July 14, 2010 ("NPRM"),[4] this alert also details the similarities and differences between the NPRM and the Omnibus Rule related to NPPs. In addition, Table 1 of this alert provides a quick summary of the NPRM proposals adopted—or not adopted—by the Omnibus Rule.

As covered entities work toward compliance, they should keep in mind that the Omnibus Rule becomes effective on March 26, 2013, but the deadline for compliance is September 23, 2013.

Key Changes to NPP Content -

1. Description of Uses and Disclosures Requiring Authorization:

In the NPRM, the U.S. Department of Health and Human Services ("HHS") proposed amending 45 C.F.R. § 164.520(b)(1)(ii)(E) of the HIPAA Privacy Rule to require that NPPs include information regarding certain types of uses and disclosures of protected health information ("PHI") that require an authorization under Sections 164.508(a)(2) through (a)(4). These include (1) most uses and disclosures of psychotherapy notes, (2) uses and disclosures of PHI for marketing purposes, and (3) disclosures that constitute a sale of PHI. The NPRM also proposed requiring that a NPP contain a statement that other uses and disclosures not described in the NPP will be made only with an individual's authorization.