45 CFR 164.520 Explained: A Plain-English Guide to HIPAA's Notice of Privacy Practices
45 CFR 164.520 is the HIPAA Privacy Rule provision that spells out what your Notice of Privacy Practices must contain, when and how you must provide it, and how to document that you did. Think of it as your playbook for a notice that keeps you compliant and that patients can actually understand.
The Notice of Privacy Practices (NPP) explains how you may use and disclose a patient’s Protected Health Information (PHI), the rights patients have, and your legal duties. It is both a patient-facing promise and a core compliance artifact auditors will expect to see.
This guide breaks down the rule into plain-English steps: the essential content every notice needs, procedures for provision and acknowledgment, rules for updates, and the ongoing compliance responsibilities of covered entities.
Overview of 45 CFR 164.520
Scope and purpose
45 CFR 164.520 requires covered entities to give individuals a clear, plain-language notice describing their privacy practices. The notice helps patients understand how their PHI may be used or disclosed and how to exercise their rights under HIPAA.
Who must comply
The rule applies to HIPAA covered entities—health care providers, health plans, and health care clearinghouses. Business associates do not issue an NPP, but their contracts must support the covered entity’s Privacy Rule compliance.
Plain language and availability
Your NPP must be written in plain language so that patients can readily understand it. You must make it available to anyone who asks; direct treatment providers must also post it prominently at their service delivery sites, and any covered entity that maintains a website describing its services or benefits must post the current notice there as well.
Essential Content of the Notice of Privacy Practices
Required elements every NPP must include
- How you use and disclose PHI for treatment, payment, and health care operations (TPO), with practical examples.
- Other uses and disclosures permitted or required by law (for example, public health, health oversight, and law enforcement), described in summary with examples.
- A clear statement that any use or disclosure not described in the notice will be made only with the individual's written authorization, and that the individual may revoke that authorization in writing at any time (except to the extent you have already acted in reliance on it).
- How individuals can exercise their rights: access, copies, inspection, amendment, accounting of disclosures, request for restrictions, and confidential communications.
- Your legal duties: maintain the privacy of PHI, provide the notice, and abide by the terms of the notice currently in effect. If you reserve the right to change your practices and apply the new terms to all PHI you maintain, the notice must say so and explain how you will provide the revised notice.
- How to complain to you and to the U.S. Department of Health and Human Services without fear of retaliation.
- Whom to contact for more information and how to reach that privacy contact.
- The effective date of the notice.
Special statements commonly required
- Breach notification: a statement that affected individuals will be notified following a breach of their unsecured PHI.
- Authorization-only activities: a statement that most uses and disclosures of psychotherapy notes (if you keep them), uses and disclosures for marketing, and any sale of PHI require the individual's written authorization.
- Out-of-pocket restriction (providers): if an individual, or someone on their behalf, has paid for an item or service in full out of pocket, the individual may require you not to disclose PHI about it to a health plan for payment or health care operations, and you must agree.
- Fundraising: if you may contact individuals for fundraising, state that and explain their right to opt out of such communications.
- Health plans that use PHI for underwriting: include a statement that genetic information may not be used or disclosed for underwriting purposes (issuers of long-term care policies are excepted).
Patient rights under HIPAA, in plain English
- Right to access: inspect and obtain a copy of PHI in your designated record set, generally within 30 days of the request (one 30-day extension is allowed with written notice); if you keep the records electronically, the patient may ask for an electronic copy in the form and format requested when it is readily producible.
- Right to amend: request a correction if information is inaccurate or incomplete, with a written explanation when a request is denied.
- Right to an accounting of disclosures: obtain a list of certain disclosures of their PHI made in the six years before the request, excluding disclosures for TPO and disclosures made under the individual's own authorization.
- Right to request restrictions: ask you to limit certain uses or disclosures; you generally are not required to agree, except for the out-of-pocket rule above.
- Right to confidential communications: request communications at an alternative address or by alternative means when reasonable.
- Right to a paper copy: receive a paper copy of the NPP at any time, even if previously agreed to electronic delivery.
Procedures for Provision of the Notice
Direct treatment providers
- Provide the NPP no later than the date of first service delivery (including service delivered electronically), and keep copies at each service site for patients to take with them.
- Post the notice in a clear and prominent place where individuals seek care.
- In an emergency treatment situation, provide the notice as soon as reasonably practicable after the emergency.
Health plans
- Provide the NPP to new enrollees at enrollment.
- After a material revision, provide the revised notice (or a summary of changes and how to obtain the full notice) to all then-covered individuals within 60 days.
- At least once every three years, notify individuals that the notice is available and how to obtain it.
Electronic delivery and websites
- You may provide the NPP by email if the individual agrees. If you learn that the email did not reach the individual, provide a paper copy.
- If you maintain a website describing services or benefits, post the current NPP there prominently.
- Offer a paper copy on request at any time, regardless of prior electronic consent.
Requirements for Acknowledgment of Receipt
If you are a direct treatment provider, you must make a good-faith effort to obtain each patient's written acknowledgment of receipt of the NPP at the time of first service delivery, and no later than that date. Electronic signatures are acceptable when consistent with your policies. In an emergency treatment situation you provide the notice afterward and are not required to attempt to obtain an acknowledgment.
- Do not condition treatment on signing the acknowledgment.
- If you cannot obtain it, document your good-faith effort and why it failed (for example, the patient declined to sign or left before signing).
- For minors or individuals with a personal representative, obtain the acknowledgment from the appropriate representative when applicable.
- Retain signed acknowledgments, and the documentation of any failed good-faith efforts, for at least six years as part of your compliance records.
Guidelines for Revisions to the Notice
When a revision is required
Update the NPP promptly whenever there is a material change to your privacy practices, to individual rights, to your legal duties, or to any other term described in the notice. Common triggers include new uses or disclosures, new patient rights created by rulemaking, or changes to how individuals exercise their rights. Except where the change is required by law, you may not implement a material change to your practices before the effective date of the revised notice that describes it.
Effective date and distribution
- Include a new effective date on the revised notice.
- Providers: post the revised NPP at service locations and on your website (if you have one), make copies available on request, and provide the revised notice to new patients.
- Health plans: deliver the revised notice—or a summary of material changes with instructions to obtain the full version—to all then-covered individuals within 60 days, and update the website posting.
Version control and retention
- Keep every prior version of the notice, with its effective dates, and proof of distribution for at least six years after that version was last in effect.
- Document when and how revisions were approved, posted, and disseminated.
Compliance Responsibilities of Covered Entities
Program-level duties that support the NPP
- Designate a privacy official and a contact person to handle questions and complaints.
- Adopt policies and procedures that align with your NPP and the Privacy Rule, and train your workforce accordingly.
- Apply appropriate sanctions for workforce violations and mitigate harmful effects of improper uses or disclosures.
- Maintain a complaint process and ensure non-retaliation for individuals who exercise their rights.
- Coordinate your NPP with breach response procedures so that breach notification duties can be met promptly.
- Retain the NPP, acknowledgments, and related documentation for at least six years from the date of creation or the date the document was last in effect, whichever is later.
Covered entity obligations: a practical checklist
- Draft a plain-language NPP that includes all required elements and special statements relevant to your organization.
- Post and distribute the notice as required; for providers, obtain and document acknowledgment in good faith.
- Review the notice periodically; when material changes occur, revise, date, and redistribute consistent with your entity type.
- Align intake, portal, and telehealth workflows to deliver the NPP and capture acknowledgments seamlessly.
- Audit periodically to confirm postings, website availability, record retention, and workforce understanding.
Conclusion
Your Notice of Privacy Practices is more than a form—it is the patient-facing core of HIPAA privacy. By including every required element, distributing it correctly, capturing acknowledgments, and updating it when practices change, you meet the letter of 45 CFR 164.520 and strengthen trust with the patients you serve.
FAQs
What is the purpose of 45 CFR 164.520?
It requires covered entities to provide a clear Notice of Privacy Practices that explains how PHI may be used and disclosed, the patient’s rights, and the entity’s legal duties, enabling informed choices and transparent Privacy Rule compliance.
When must covered entities provide the Notice of Privacy Practices?
Providers must give the notice no later than the first service delivery and post it where care is provided; in emergencies, they provide it as soon as practicable. Health plans must provide it at enrollment, send updated notices within 60 days of a material revision, and remind individuals at least every three years that the notice is available.
How should covered entities handle updates to their Notice of Privacy Practices?
Revise the notice when a material change occurs, add a new effective date, and follow the distribution rules for your entity type. Providers should post and make revised copies available; health plans must deliver the revised notice—or a summary of changes with instructions to obtain the full notice—within 60 days and update the website posting.
What are the patient's rights under the Notice of Privacy Practices?
Patients have rights to access and obtain copies of PHI, request amendments, receive an accounting of certain disclosures, request restrictions (including limiting disclosures to a health plan after full out-of-pocket payment), request confidential communications, obtain a paper copy of the NPP at any time, and file complaints without retaliation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.