45 CFR §164.520 Explained: HIPAA Notice of Privacy Practices Requirements & Compliance Checklist
45 CFR §164.520 sets the baseline for how you inform individuals about your privacy practices under HIPAA. This guide distills the rule into clear actions so you can publish a compliant Notice of Privacy Practices (NPP), demonstrate that you meet your Covered Entity Obligations, and incorporate State Privacy Law Integration where required.
Use this as a practical roadmap to draft, post, distribute, revise, and document your NPP while safeguarding Protected Health Information (PHI) and meeting HIPAA Compliance Deadlines built into the rule.
Right to Notice
Every individual has the right to receive an NPP that explains how their Protected Health Information (PHI) may be used and disclosed, and what rights they have over that information. Your duty to provide this notice varies by relationship and setting.
Direct Treatment Relationship
If you are a provider with a Direct Treatment Relationship, you must give the NPP no later than the first service encounter and make a good-faith effort to obtain written acknowledgment of receipt. In emergencies, provide it as soon as practicable after the emergency ends.
Health Plans and Indirect Treatment Providers
Health plans must furnish the NPP at enrollment and, at least once every three years, notify enrollees of the notice’s availability and how to obtain it. Providers without a direct treatment relationship (e.g., many laboratories) must make the NPP available upon request and post it prominently and online if they maintain a website.
State Privacy Law Integration
Your NPP should clearly state that where state law is more protective of privacy than HIPAA, you follow the more stringent rule. Many entities add brief state-specific addenda to explain enhanced rights or additional consent requirements.
Content Requirements
Your NPP must be plain-language, prominently titled, and include a mandatory header beginning “This notice describes how medical information about you may be used and disclosed… Please review it carefully.” Build the content around what you may do with PHI, what you will not do without permission, individual rights, and your duties.
What you may do with PHI (without authorization)
- Treatment, payment, and health care operations, consistent with the minimum necessary standard where applicable.
- Situations required or expressly permitted by law (e.g., public health reporting, health oversight, certain law enforcement purposes, to avert a serious threat, and specialized government functions).
- Emergency Disclosure Procedures where the patient’s agreement cannot be obtained, followed by post-event review when appropriate.
What requires authorization
- Marketing communications, except limited face-to-face communications and promotional gifts of nominal value.
- Sale of PHI.
- Most uses and disclosures of psychotherapy notes.
- Any other use or disclosure not described as permitted by the notice.
Individual rights you must describe
- Right to access and obtain copies of PHI; right to request amendments.
- Right to an accounting of disclosures other than those made for treatment, payment, or health care operations.
- Right to request restrictions, including the right to restrict disclosure to a health plan for services paid in full out of pocket.
- Right to request confidential communications (e.g., alternate address or phone).
- Right to file a complaint with you and with the U.S. Department of Health and Human Services (HHS) without retaliation.
Covered Entity Obligations you must state
- Your legal duty to maintain the privacy and security of PHI and to abide by the terms of the current notice.
- Your duty to notify affected individuals following a breach of unsecured PHI.
- Your right to change the notice and how new terms will apply.
- How to contact your Privacy Officer (name or title, and telephone number or other contact method).
- The effective date of the notice.
Emergency Disclosure Procedures
Explain when you may use or disclose PHI in emergencies or when the individual is incapacitated, the factors you consider (e.g., best interest, relevance), and that you will limit disclosures to what is necessary.
State Privacy Law Integration and special protections
Identify categories of PHI that may be subject to stricter federal or state protections (e.g., mental health, substance use disorder, HIV status, reproductive health, genetic information for underwriting by plans) and state that you follow those heightened standards.
Compliance checklist: NPP content
- Plain-language format with required header and effective date.
- Clear lists of permitted uses/disclosures and those requiring authorization.
- Comprehensive statement of individual rights and how to exercise them.
- Covered Entity Obligations, including breach notification and non-retaliation.
- Privacy Officer contact information.
- Statement about changes to the notice and applicability of new terms.
- State-specific additions where laws are more protective.
Prohibited Uses and Disclosures
HIPAA bars certain uses and disclosures unless an individual gives a valid written authorization. Your NPP must flag these prohibitions so individuals understand your boundaries and choices.
Prohibited without written authorization
- Sale of PHI.
- Most marketing activities, aside from narrow exceptions noted in the rule.
- Use or disclosure of psychotherapy notes, with limited exceptions.
- Any use/disclosure not otherwise permitted or required by HIPAA.
Additional guardrails you should reflect
- Minimum necessary standard for non-treatment purposes.
- No conditioning of treatment on authorization for prohibited purposes.
- Respect for more stringent state or federal protections that limit sharing without specific consent.
Provision of Notice
How you deliver the NPP matters. You must provide, post, and make the notice accessible using methods consistent with your role and the individual’s preferences.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Timing and method
- Providers with a Direct Treatment Relationship: provide at first service; for emergencies, provide as soon as practicable afterward.
- Health plans: provide at enrollment and notify members at least every three years about availability and how to obtain the NPP.
- Posting: display in a clear and prominent location at service sites; post on your website if you maintain one.
- Electronic delivery: allowed if the individual agrees; furnish a paper copy upon request at any time.
HIPAA Compliance Deadlines embedded in the rule
- Initial provision aligned with the first service encounter or plan enrollment.
- Website and on-premises posting on and after the notice’s effective date.
- Triennial reminder by health plans that the notice is available and how to get it.
Acknowledgment of Receipt
For a Direct Treatment Relationship, you must make a good-faith effort to obtain a written acknowledgment that the individual received the NPP. If you cannot obtain it, document why (e.g., patient refused, emergency, communication barrier) and retain the record.
Documentation and retention
- Keep the current and prior NPP versions, distribution logs, and acknowledgments for at least six years from the later of the date created or the date last in effect.
- Train staff to request acknowledgment consistently and to note exceptions clearly.
Availability of Notice
Individuals must be able to access your NPP easily, in multiple formats, and at any time upon request. Accessibility is part of compliance and trust.
Make it easy to find
- Prominent posting at physical locations and on your website’s home page or a readily apparent landing page.
- Provide copies on request without unreasonable barriers or delay.
Language and accessibility
- Offer alternative formats and reasonable accommodations for disabilities.
- Provide translations for languages commonly encountered in your service area, consistent with civil rights obligations.
Revisions to Notice
Revise your NPP whenever you make a material change to your privacy practices, individual rights, legal duties, or other notice terms. The revised NPP must carry a new effective date.
How to roll out revisions
- Providers: post the updated NPP at service sites and on your website by its effective date; make copies available on request and at the next encounter.
- Health plans with a website: post the revised NPP online by the effective date and include the revised notice or information about significant changes in the next regular mailing to members.
- Health plans without a website: distribute the revised NPP to enrollees within a reasonable period (e.g., within 60 days of a material revision).
Compliance checklist: operational steps
- Map all PHI uses/disclosures; confirm each appears under “permitted” or “authorization required.”
- Verify all Individual Rights and Covered Entity Obligations are plainly described.
- Insert Privacy Officer contact, complaint process, and effective date.
- Post onsite and online; stock paper and electronic copies.
- Capture acknowledgment at first service; document exceptions.
- Schedule triennial health plan reminders; monitor for material changes.
- Retain notices, acknowledgments, and distribution records for six years.
- Address State Privacy Law Integration via addenda where stricter rules apply.
- Test Emergency Disclosure Procedures and update staff training annually.
Summary
45 CFR §164.520 requires a clear, accessible Notice of Privacy Practices that explains how you handle PHI, honors individual rights, and demonstrates your legal duties. Deliver it on time, post it prominently, revise it when practices change, and document everything. Following this checklist-centered approach keeps your Notice aligned with HIPAA while building trust with the people you serve.
FAQs
What information must be included in the HIPAA Notice of Privacy Practices?
Your NPP must describe permitted uses/disclosures of PHI; identify what requires an authorization (e.g., most marketing, sale of PHI, psychotherapy notes); explain individual rights (access, amendments, accounting, restrictions, confidential communications, complaints); state your legal duties (privacy, security, breach notification, adherence to the notice); provide your Privacy Officer contact; include the effective date; and state how future changes will apply. It should also note stricter state or federal protections you follow.
How must covered entities provide the notice to individuals?
Providers with a Direct Treatment Relationship must give the NPP at the first service encounter (or as soon as practicable after an emergency) and seek a written acknowledgment. Health plans must provide it at enrollment and remind members at least every three years that the NPP is available and how to obtain it. All covered entities must post the NPP prominently at service sites and on their website if they have one, and supply a paper copy on request.
When must the notice be revised and redistributed?
Revise the NPP whenever you make a material change to privacy practices, individual rights, or legal duties. Providers must post and make the revised notice available by its effective date. Health plans with a website must post the update online by the effective date and include the revised notice or summary of material changes in the next regular mailing; plans without a website should distribute the revised notice within a reasonable period (often within 60 days) after a material revision.
Are there exceptions to the notice requirement under HIPAA?
Emergency treatment settings allow you to delay providing the notice until it is reasonably practicable after the emergency. Indirect treatment providers generally are not required to obtain acknowledgment but must make the NPP available and post it. Disclosures required by law or for specified public interest purposes can occur as permitted by HIPAA and should be explained in the NPP. More protective state laws may add exceptions or additional consent requirements that you must reflect in your notice.