The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HIPAA Notice of Privacy Practices

A HIPAA Notice of Privacy Practices is a document provided to patients on first contact, and to health plan members on enrollment, that outlines how a HIPAA covered entity can use or disclose Protected Health Information (PHI) and the rights individuals have with respect to their PHI, including the right to obtain a copy of it. The Notice must also include the contact details for an individual who can answer questions or to whom complaints can be made.

However, although the core elements of a HIPAA Notice of Privacy Practices have to follow the Privacy Rule standards in §164.520, the content can differ depending on whether a covered entity is a healthcare provider or a group health plan, or – for example – whether the covered entity is part of a Health Maintenance Organization (HMO) or Organized Health Care Arrangement (OHCA).

In addition, there are different rules for distributing HIPAA Notices of Privacy Practices depending on whether a covered healthcare provider has a direct treatment relationship with the individual (i.e., this rule would not apply to pharmacies), and different rules for reminding individuals that a HIPAA Notice of Privacy Practices exists (i.e., health plans must do this every three years).

This article looks at the HIPAA Notice of Privacy Practices requirements, how Notices can differ in their content, what other information may be beneficial to include in a Notice, and how a Notice – or changes to a Notice – should be made available to individuals. We conclude the article with a selection of frequently asked questions about the standard HIPAA privacy notice.


HIPAA Notice of Privacy Practices Definition

A HIPAA Notice of Privacy Practices is a document that outlines how a covered entity may use or disclose individuals' Protected Health Information (PHI). The notice of HIPAA privacy practices must contain the patient's rights and the covered entity's legal duties with respect to PHI, and who to contact for further information or to file a complaint.

As discussed above, §164.520 stipulates the HIPAA Notice of Privacy Practices requirements. These requirements are:

  • A header containing the statement “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully”.
  • A description of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and health care operations – with at least one example of each.
  • A description of other uses and disclosures the covered entity is permitted to make that do not require the individual's authorization – again, with at least one example of each.
  • A description of the types of uses and disclosures that require an authorization (as per §164.508, plus any further uses and disclosures that require an authorization according to state laws).
  • A statement that any uses or disclosures not described in the Notice will be made only with the individual's written authorization, which the individual may revoke in writing at any time, except to the extent the covered entity has already acted in reliance on it.
  • The Notice must contain a statement that informs individuals of their HIPAA rights to:
    • Request restrictions on certain uses and disclosures of PHI.
    • Choose how they receive communications that include PHI.
    • Request a copy of PHI maintained in HIPAA designated record sets.
    • Request amendments to incorrect or incomplete PHI.
    • Request and receive an accounting of disclosures of PHI.

Additionally, in order to be HIPAA compliant the HIPAA Notice of Privacy Practices must include a statement explaining that the covered entity is required by law to protect the privacy of PHI, that the covered entity will notify the individual if a breach occurs that compromises the privacy of PHI, and that it will follow the privacy practices as described in the HIPAA Notice of Privacy Practices for Protected Health Information.

Finally, the HIPAA Privacy Notice must include information about the individual's right to complain, both to the covered entity and to the Secretary of HHS, a brief description of how to file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint. The Notice must also give the name or title and telephone number of a person or office to contact for further information (typically the covered entity's Privacy Officer). Details of how the covered entity will notify individuals about changes to the Notice must be included, along with the date from which the HIPAA Notice of Privacy Practices is effective.

How Notices Can Differ in Their Content

It was stated above that the contents of a Notice of Privacy Practices form can differ depending on whether a covered entity is a healthcare provider or group health plan. This can be a source of confusion for some individuals when they receive one HIPAA Notice of Privacy Practices from their healthcare provider and a different one from their group health plan.

The reason for the two Notices being different is that the two covered entities perform different functions. For example, under the description of the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and health care operations, a healthcare provider might include “Treat You”, whereas this would not feature in a Notice issued by a group health plan.

Conversely, a HIPAA Notice of Privacy Practices issued by a group health plan might include a description of how PHI is disclosed to a plan sponsor to administer the plan or to justify the premiums being charged. This information would not be included in a Notice issued by a healthcare provider because a healthcare provider would not discuss premiums with a plan sponsor.

What Other Information is Beneficial to Include

A further reason for Notices differing in their content is that some covered entities include only the bare minimum requirements of §164.520 in their HIPAA Notices of Privacy Practices, while other covered entities include additional information in the content or in the explanations and examples – which can be both beneficial to the recipient of the Notice and the covered entity issuing it.

One example of how additional information can be beneficial to individuals is to include an explanation of the Minimum Necessary standard. This can reassure individuals that only the minimum information required to achieve the intended purpose will be used or disclosed to third parties, rather than the individual's entire medical history. One caveat worth stating alongside that explanation is that the Minimum Necessary standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, so patients should not expect it to limit what their treating clinicians share with each other.

With regard to how including other information can be beneficial to covered entities, §164.520 requires the Notice to state that individuals may complain to the Secretary of HHS, but it does not require the Notice to give details of how to contact the Department of Health and Human Services. By including this information, covered entities can direct complaints that are not about their own practices to HHS' Office for Civil Rights rather than handling them internally. It is worth noting that around two-thirds of the complaints received by HHS' Office for Civil Rights are closed without investigation because they do not present an eligible case (for example, the entity complained about is not covered by HIPAA, or the conduct described is not a violation).

How the Notice Should be Made Available to Individuals

The introduction to §164.520 states “an individual has a right to adequate notice”, but you have to delve much deeper into the standard to find out how the notice should be made available to individuals. It is important for covered entities to know this information because the failure to provide a HIPAA Notice of Privacy Practices when required is a violation of the Privacy Rule.

Generally, health plans have to provide individuals with a HIPAA Notice of Privacy Practices at the time of enrollment, and at least once every three years remind individuals of the availability of the Notice and how to obtain a copy. An exception exists for fully insured group health plans that provide benefits solely through an insurance contract with a health insurance issuer or HMO and that create or receive no PHI other than summary health information and enrollment or disenrollment information; such plans are not required to maintain or distribute their own Notice.

Healthcare providers that have a direct treatment relationship (i.e., not pharmacies) have to provide individuals with a HIPAA Notice of Privacy Practices "no later than the date of the first service delivery", except in emergency treatment situations, when the Notice should be provided as soon as reasonably practicable after the emergency. HIPAA Notices of Privacy Practices must also be posted in a clear and prominent physical location (e.g., a waiting room) where it is reasonable to expect individuals to be able to read it and, if the covered entity maintains a website that provides information about its services or benefits, published prominently on that website.

Significantly, the Privacy Rule currently requires covered healthcare providers with a direct treatment relationship (hospitals, counsellors, dentists, etc.) to make a good faith effort to obtain a written acknowledgement that each individual has received a HIPAA Notice of Privacy Practices; no other type of covered entity has this obligation. Individuals do not have to sign the acknowledgement, and treatment cannot be conditioned on their doing so; provided the covered entity documents its good faith effort and the reason the acknowledgement was not obtained, it can still use and disclose the individual's PHI as described in the Notice.

Notice of Privacy Practices Example

Different covered entities have different operating models. For example, a hospital operates differently from a dental office or a pharmacy. Additionally, different types of covered entities use and disclose Protected Health Information in different ways. Even with regard to hospitals, some will participate in a Health Information Exchange or an Organized Health Care Arrangement – or both, or neither.

Consequently, there is no one-size-fits-all Notice of Privacy Practices example. However, HHS’ Office for Civil Rights has produced Notice of Privacy Practices templates that are free to download, complete as necessary, and distribute to healthcare patients. Provided it is completed appropriately for the organization’s uses and disclosures of PHI, the HHS Notice of Privacy Practices examples tick the necessary boxes for complying with §164.520.

In February 2026, OCR uploaded a new model NPP for Part 2 Programs. The NPPs for healthcare providers and health plans have also been updated, and while there are no substantive differences between the old and new versions, minor changes have been made to improve readability, including expanded narrative language and some formatting changes. The new versions of the NPPs are linked below.

Instructions for NPPs

NPP For Healthcare Providers

NPP For Health Plans

If a Part 2 Program is also a HIPAA-covered entity, it is permitted to combine the HIPAA and Part 2 notices, provided the combined notice meets both the HIPAA NPP and the Part 2 Privacy Notice requirements.

NPP for Part 2 Programs

How to Use the Notice of Privacy Practices Template

HHS has conveniently added some instructions to the Notice of Privacy Practices template at the beginning of the template and on Pages 4 and 5. However, covered entities that participate in a Health Information Exchange will need to complete details of how they share information with the Exchange in Instruction C (rather than Instruction G) while it is also advisable to add any permissible disclosures under §164.512 (for which an opportunity to agree or object is not required) that frequently occur.

If the organization operates a patient portal (regardless of whether it is Blue Button compatible) or provides patients with a connected mobile app, it is important that how PHI is collected, used, and disclosed by these services is also included. It is necessary to give patients the option to opt out of PHI being disclosed by these services, and, if state laws that mandate disclosures for certain events exist, it is also necessary to alert patients that they cannot opt out of mandated disclosures.

Notice of Privacy Practices under the Part 2 Regulations

HIPAA-regulated entities that have Part 2 programs are required to comply with the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations. The Part 2 regulations provide greater protection for SUD records than HIPAA affords for protected health information. The requirements of the Part 2 regulations with respect to SUD records are beyond the scope of this article; however, a recent update has implications for Notices of Privacy Practices, the compliance date for which was February 16, 2026. The new requirements are now being actively enforced by OCR, which announced its new enforcement program on February 13, 2026.

HIPAA-regulated entities with Part 2 programs are required to update their HIPAA Notice of Privacy Practices and their specific Part 2 Notice of Privacy Practices, although the simplest solution is to combine the two into a single notice, which is now permitted by law. It is important to note that these updates are also required by HIPAA-regulated entities that do not have Part 2 programs, but have received Part 2 records from other covered entities and business associates. The information that must be included to comply with the Part 2 regulations can be found in 42 C.F.R. Section 2.22 Notice to patients of Federal confidentiality requirements.

The key new requirements are as follows:

  • Notice must include patient rights with respect to SUD records – The entity must provide individuals with “adequate notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records.” The rules concerning uses and disclosures of protected health information under HIPAA and SUD records under Part 2 are different. If the HIPAA NPP and the Part 2 NPP are combined, then the NPP must contain all of the required elements under 42 CFR 2.22.
  • The limits on the use of SUD Records – The NPP must inform individuals about the difference between Part 2 and HIPAA. A statement must be included with respect to SUD treatment records to explain that “[SUD Records] received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.”
  • Notice about other laws that are more restrictive than HIPAA – Individuals must be informed that the permitted uses and disclosures explained in the NPP are limited by laws more restrictive than HIPAA, such as Part 2, and the description of uses and disclosures must reflect the more stringent law. If another law permits or requires disclosures, the description in the NPP about uses and disclosures must include sufficient detail to place the individual on notice of uses and disclosures permitted or required by HIPAA, along with any other applicable law, including Part 2.
  • Notice about redisclosure of Part 2 records – The NPP must contain a statement advising patients about the potential redisclosure of records. If information is disclosed pursuant to the HIPAA Privacy Rule, the records could potentially be redisclosed and will no longer be protected under the HIPAA Privacy Rule.
  • Notice about fundraising – If an entity that creates or maintains Part 2 records wishes to use that information for fundraising purposes, individuals must be presented with a clear and conspicuous opportunity to choose not to receive fundraising communications.

HIPAA NPP Summary

  • When providing an individual with a Notice of Privacy Practices, HIPAA stipulates what must be included in a Notice of Privacy Practices and where the Notice of Privacy Practices should be posted (if applicable).
  • In general, a written HIPAA Privacy Notice contains the permitted uses and disclosures of PHI and those that require authorization. The HIPAA NPP must also explain individuals’ rights – including the right to make a complaint.
  • It is a best practice to provide public-facing members of the workforce with HIPAA training on the content of an organization’s NPP to answer questions from plan members and patients and prevent unjustified complaints.
  • A HIPAA notice for patients of a healthcare facility will likely differ from a HIPAA NPP for health plan members because the two covered entities will use PHI in different ways. There may also be differences in the NPPs of similar healthcare facilities.
  • HHS provides a Notice of Privacy Practices template, but it is not suitable for all organizations without adaptation. If you wish to use the HHS HIPAA Notice of Privacy Practices example but are unsure how to complete it, it is advisable to seek professional compliance advice.

HIPAA Notice of Privacy Practices FAQs

What is the Notice of Privacy Practices?

The Notice of Privacy Practices is a document issued or published by a health plan and some healthcare providers that outlines how they are allowed to use and disclose PHI. The document explains the covered entity's responsibilities to safeguard PHI, informs individuals of their HIPAA rights, and provides contact details for individuals to complain if their PHI is used or disclosed impermissibly or if their HIPAA rights are violated.

What is the best location to post a Notice of Privacy Practices?

The best location to post a Notice of Privacy Practices is in the waiting room of a healthcare provider. However, as individuals are allowed to ask for a copy of the Notice at any time, it can be beneficial to have the content of the Notice published in a leaflet or booklet form. This can avoid a scenario in which multiple people are trying to read the Notice at the same time, potentially blocking an access route.

When should the NPP be provided to a patient?

The NPP should be provided to a patient no later than the first time they receive treatment. This includes when a service is delivered electronically (e.g., via a telehealth service); in that case, it may be necessary to send the NPP by email and ask for an acknowledgement by email. In neither circumstance can treatment be conditioned on receipt of an acknowledgement.


What must the Notice of Privacy Practices inform patients of?

The Notice of Privacy Practices must inform patients of how their PHI will be used and disclosed (with examples), the covered entity's responsibilities for safeguarding the privacy of PHI, and their rights to restrict certain uses and disclosures, choose how they are communicated with, request a copy of their PHI, request amendments when errors exist, and request an accounting of disclosures.

In what ways must the Notice of Privacy Practices be available?

The Privacy Rule does not stipulate the ways Notices of Privacy Practices must be made available other than the requirements to display a physical notice in a prominent position, to publish the notice prominently on a website (where the covered entity maintains one describing its services or benefits), and to provide a copy on request. Because the Notice must be available on request, HHS' Office for Civil Rights recommends that it be printed as a leaflet or booklet to accommodate in-person requests for a copy. Copies requested by email or phone can be sent electronically or by post.

Does an individual have to acknowledge every receipt of an NPP?

An individual should only be asked to acknowledge the first receipt of an NPP. If the individual asks for a subsequent copy of an NPP, it is not necessary to ask for a further acknowledgement. However, if the privacy practices in the NPP have changed since the first receipt, it is advisable to document a subsequent request alongside the original acknowledgement.

Why do pharmacies not have to provide a HIPAA Notice of Privacy Practices?

Pharmacies do have to provide a HIPAA Notice of Privacy Practices when requested – just not at the point of first service delivery. Individuals can request a copy of a pharmacy's HIPAA Notice of Privacy Practices at any time, plus the Notice must be displayed in a prominent position in the pharmacy and be available via the pharmacy's website.

Why do Notices of Privacy Practices include nothing about data security?

Notices of Privacy Practices do not have to include anything about data security, but they can. Generally, the issue of data security is covered by the statement in the Notice of Privacy Practices that the covered entity is required by law to protect the privacy of PHI. This includes the privacy of electronic PHI because ePHI is a subset of PHI. However, if a covered entity believes it will be beneficial to include information about data security, there is nothing stopping them.

What happens with regard to NPPs when a covered entity is part of an Organized Health Care Arrangement?

When a covered entity is part of an Organized Health Care Arrangement (OHCA), each individual entity can issue its own HIPAA Notice of Privacy Practices, or the OHCA can issue a joint Notice. In either case, it will be necessary to include a section explaining who the other members of the OHCA are, where they are located, and how PHI may be shared with them for each use or disclosure listed in the Notice of Privacy Practices.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
