Covered entities are required to provide patients with a Notice of Privacy Practices (NPP) and to revise the NPP whenever there is a material change to any privacy practices. The purpose of the NPP is to enable a patient to understand what happens to their PHI. The NPP tells patients why their PHI is needed and how it is being used. The NPP should state what information is being collected, how it is being used, disclosed, and stored, and who should be contacted with questions or complaints.