[45 CFR 164.520]


The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the  privacy practices of their health plans and of most of their health care providers, as well as to be  informed of their privacy rights with respect to their personal health information. Health plans  and covered health care providers are required to develop and distribute a notice that provides a  clear explanation of these rights and practices. The notice is intended to focus individuals on  privacy issues and concerns, and to prompt them to have discussions with their health plans and  health care providers and exercise their rights.  

How the Rule Works

General Rule. The Privacy Rule provides that an individual has a right to adequate notice  of how a covered entity may use and disclose protected health information about the individual,  as well as his or her rights and the covered entity’s obligations with respect to that information.  Most covered entities must develop and provide individuals with this notice of their privacy  practices.

The Privacy Rule does not require the following covered entities to develop a notice:

See 45 CFR 164.520(a).

Content of the Notice. Covered entities are required to provide a notice in plain language that describes:

The notice must include an effective date. See 45 CFR 164.520(b) for the specific  requirements for developing the content of the notice.  

A covered entity is required to promptly revise and distribute its notice whenever it makes  material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals.

Providing the Notice.

See 45 CFR 164.520(c) for the specific requirements for providing the notice.

Organizational Options.