The Final Rule requires Covered Entities (CE) to revise their Notice of Privacy Practices to include a statement that:
1) Describes the types of uses and disclosures that require authorization under HIPAA (if the CE intends to engage in any of them)
2) Informs individuals that they have the right to opt out of receiving fundraising communications (if the CE uses PHI to conduct fundraising activities)
3) Informs individuals that they have a right to pay out-of-pocket for a service and the right to require that the CE not submit PHI to the individual’s health plan if they do so
4) Informs individuals that the CE has a duty to notify affected individuals following a breach of unsecured PHI
Taken in part from: Miller & Martin, PLLC 3/8/2013