Medical practices that have not added new patient rights to their privacy notices, as required by the federal government, have until September 23 to become law-abiding.

The formal name for the ubiquitous set of papers that receptionists hand to patients is the Notice of Privacy Practices (NPP). It was created by the Health Insurance Portability and Accountability Act (HIPAA). The notice explains how physicians may use and disclose the “protected health information (PHI)” of patients without their authorization, and what uses and disclosures require prior approval. In January, the Department of Health and Human Services (HHS) published new HIPAA privacy regulations, which took effect March 26 and which NPPs must abide by. HHS gave physicians and other entities governed by HIPAA until September 23, 2013 to comply.

NPPs must inform patients about new prerogatives they have under HIPAA. For example, patients now can order their healthcare provider not to tell their health insurer about services they elect to pay for out of pocket. Some of these private payments are for psychiatric treatment, said practice management consultant Mary Pat Whaley, founder of a Web site called Manage My Practice.

“Many people are skittish about running mental health issues through their insurance,” said Whaley, noting the stigma frequently placed on psychiatric disorders in the workplace and elsewhere.

NPPs also must state that patients can opt out of receiving information about any fundraising conducted by a healthcare provider, that a provider cannot sell a patient’s PHI without his or her explicit authorization, and that if a patient’s PHI accidentally goes public, the provider must notify him or her about the breach.

Whaley said medical practices need to post the updated NPP in their office and on their Web site (if they have one) and to make a hard copy available to anyone who asks for it. Although NPPs can strike some patients as paperwork they would just as soon abandon in a waiting room magazine rack, requests for these documents are not hard to imagine in the age of identity theft, said Whaley.

Medical practices are obligated to give the updated NPP to new patients, but they need not bother established patients with it, she said.

Instead of rewriting their current NPPs, practices can download an updated and customizable NPP from the Web sites of state and national medical societies and practice management consultants such as Whaley.

Aside from NPPs, the recent changes to HIPAA also expand a patient’s right to obtain a digital copy, as opposed to a hard one, of his or her electronic health record, and extend many privacy and security requirements to billing companies, medical consulting firms, and other companies privy to patient information in the course of dealing with physicians. Accordingly, physicians must update their required agreements with these “business associates” by September 23.

More information about the new HIPAA regulations is available on the HHS Web site and the American Medical Association Web site.

The author of this article is Robert Lowe.