Understanding the Notice of Privacy Practices (NPP) in HIPAA


What is Notice of Privacy Practices (NPP) in HIPAA?

In the context of HIPAA, a Notice of Privacy Practices (NPP) is the document a covered entity gives to the individuals it serves explaining how their health information will be collected, used, stored, and disclosed. It also explicitly outlines individuals' privacy rights over their Protected Health Information (PHI). Unlike many other aspects of HIPAA, the NPP is a highly visible representation of the Act's intentions and purpose: it is a document that, on paper or electronically, reaches essentially every patient of a covered entity, and a health care provider must make a good-faith effort to obtain each patient's written acknowledgment that they received it. Patients may decline to sign, in which case the provider documents the attempt and the reason the acknowledgment was not obtained.

The NPP is a requirement of HIPAA's Privacy Rule. That rule gives patients important rights with regard to their PHI and defines the permitted uses and disclosures of PHI for treatment, payment, and other purposes. The drafters of the Privacy Rule were concerned that the average healthcare consumer did not know their rights as a patient, so the NPP was created "to focus individuals on privacy issues and concerns, and to prompt them to have discussions with both their health plans, and their health care providers, and exercise their rights". The intent is that patients enter into a relationship with their provider or health plan holding the information they need to be an informed patient, so HIPAA requires that each covered entity proactively deliver an NPP to the individuals it serves. A standard NPP is an easily understandable notice that covers how the covered entity may use and disclose PHI, an overview of the individual's rights, the covered entity's legal duties with respect to PHI, and any additional privacy policies it has adopted.

What is in a HIPAA NPP (Notice of Privacy Practices)?

The Notice of Privacy Practices helps educate a new patient on how their provider will manage and protect their data, and it outlines the patient's rights to see that data, obtain copies of it, and request corrections to it (HIPAA gives no general right to have PHI deleted). To be compliant, an NPP must contain a few key elements. Covered entities are required to provide notice, in plain language, that describes how they may use and disclose PHI, the individual's rights with respect to that PHI and how to exercise them, the covered entity's legal duties, and whom to contact for further information or to file a complaint.

A covered entity must also include an effective date on its NPP. When it makes a material change to its privacy practices, it must revise the notice, update that date, and make the revised notice available: a provider posts it prominently at its service sites and on its website (if it has one) and hands it out on request, while a health plan must notify its members of the change. Providers are not required to re-collect acknowledgments from existing patients for a revised notice, but in practice many simply give the current notice to every patient at check-in, which is why a trip to the doctor can seem to involve reading and signing a thick stack of forms. Small revisions are common, since providers update their notices to reflect regulatory tweaks or changes in their IT environment.

Correctly writing your organization's Notice of Privacy Practices can be technical and tricky, which is why the Department of Health and Human Services publishes model notices on its website that most providers and health plans can use with minimal editing.

What rights does a HIPAA NPP outline?

To help patients be advocates for their own data, the NPP must outline the rights that HIPAA provides, including the right to inspect and obtain a copy of their records, to request amendment of inaccurate or incomplete information, to receive an accounting of certain disclosures, to request restrictions on uses and disclosures, to request confidential communications (for example, at an alternative address), to obtain a paper copy of the notice on request, and to file a complaint with the covered entity and with HHS.

In short, covered entities have a duty to be transparent about the practices they commit to in order to protect PHI and a responsibility to communicate those practices to the patient directly. Covered entities must respond to these requests, but they do not always have to grant them. For instance, any patient may request an amendment to their medical record, and the provider may deny the request (for example, if it believes the record is already accurate and complete), but it must act on the request within 60 days and, if it denies it, give the patient a written denial that states the basis and explains how to file a statement of disagreement.

When should the NPP be provided to a patient?

So far, we've covered what needs to be in an NPP and the requirement for covered entities to produce and distribute one. Since HIPAA is a federal regulation, there are specific rules on when and how the notice must be provided, and they differ for providers and health plans. A health care provider with a direct treatment relationship must give the notice no later than the first service delivery (in an emergency, as soon as reasonably practicable afterwards), including electronically when the first service is delivered electronically; post it prominently at its service sites and on its website; and provide it to anyone who asks. A health plan must give the notice at enrollment, notify members within 60 days of any material revision, and remind members at least once every three years that the notice is available and how to obtain it.

How can PubNub help with HIPAA and NPPs?

As a technology provider that has supported HIPAA-compliant deployments since 2015, PubNub has a rich history of helping providers operate with confidence that their operations meet HIPAA requirements. Hundreds of healthcare and health tech applications have been built and deployed using PubNub APIs and network. Note that there is no official HIPAA certification recognized by HHS, and compliance is never inherited from a vendor alone: the infrastructure provider covers its share of the obligations, and the application built on it must still be designed, configured, and operated in line with the Privacy and Security Rules.

Ensuring that your applications actually behave the way the NPP says they do (who can see PHI, what it is used for, and to whom it is disclosed) is vital to avoiding violations of the HIPAA Privacy Rule, since the notice is a set of commitments the covered entity is accountable for. We encourage you to learn more about the solutions that organizations have already built on PubNub and to refer to our E-Book Building a HIPAA-Compliant App.