Beginner’s Guide to the HIPAA Notice of Privacy Practices (NPP): Requirements, Patient Rights, and Examples
HIPAA Notice of Privacy Practices Overview
The Notice of Privacy Practices (NPP) explains how a health care provider or health plan uses and discloses your Protected Health Information (PHI), what choices you have, and whom to contact with questions. It is a core requirement of HIPAA Privacy Rule compliance and must be written in plain language you can understand.
Covered entities—health care providers, health plans, and health care clearinghouses—must provide an NPP to people they serve. The NPP is not a consent form; rather, it describes routine medical information disclosure practices and your rights so you can make informed decisions about your health information.
Why the NPP matters
- Sets clear expectations about how PHI is handled.
- Identifies your health information access rights and options.
- Explains the organization’s duties and how to raise concerns.
Content Requirements of the Notice
HIPAA specifies what the NPP must include. While format can vary, the content must cover the elements below in a concise, understandable way.
Core elements
- Permitted uses and disclosures: A description—often with examples—of when PHI may be used or shared for treatment, payment, and health care operations, and for certain public interest purposes.
- Individual rights: Your rights to access, obtain copies, request amendments, request restrictions, receive confidential communications, obtain an accounting of disclosures, and get a paper or electronic copy of the NPP.
- Covered entity duties: A statement that the organization is required by law to protect the privacy of your PHI, provide you with the NPP, follow the terms of the notice currently in effect, and notify you following a breach of your unsecured PHI.
- How to exercise rights: Instructions and contact information for submitting requests or concerns, including how to file a complaint.
- Effective date and changes: The NPP’s effective date and a statement that the organization may change the notice and how you will be informed of updates.
Authorization vs. no authorization
Some uses of PHI require your written patient authorization, such as most marketing communications, any sale of PHI, and most uses and disclosures of psychotherapy notes. The NPP must highlight when authorization is needed and state that uses and disclosures not described in the notice will be made only with your written authorization, which you may revoke in writing at any time (except to the extent the organization has already acted on it).
Clarity and readability
- Plain language, headings, and examples that make complex rules easy to understand.
- Availability in alternate formats and languages, when reasonable, to support accessibility.
Distribution and Accessibility of NPP
When you must receive it
- Providers with a direct treatment relationship must give you the NPP no later than the first service encounter (or as soon as practicable after an emergency).
- Health plans must provide it at enrollment, again within 60 days of any material revision, and at least once every three years remind members that the NPP is available and how to obtain it.
How it must be made available
- Paper copy on request and a prominent posting in facilities where care is delivered.
- Posting on the organization’s website if it maintains one, with an option to download or request an electronic copy.
- Good-faith effort by providers with a direct treatment relationship to obtain your written acknowledgment that you received the NPP; if the acknowledgment is not obtained (for example, because you decline to sign), the provider documents the attempt and why it was unsuccessful. The acknowledgment requirement does not apply in emergency treatment situations.
Updates and revisions
When material changes occur, covered entities update the NPP and make the revised version available through standard distribution methods and on their websites. The most recent effective date should appear on the notice.
Patient Rights Under HIPAA
Your NPP summarizes the rights HIPAA grants you. These health information access rights help you stay informed and in control of your data.
Key rights you can exercise
- Access and copies: You can review and obtain electronic or paper copies of your PHI in a designated record set, generally within 30 days of your request (one 30-day extension is permitted if you are told the reason in writing), and you can direct that copies be sent to a designated third party. The covered entity may charge only a reasonable, cost-based fee.
- Amendment: You can request corrections to information you believe is inaccurate or incomplete; denials must include a written reason and how to submit a statement of disagreement.
- Restrictions: You can ask to limit certain disclosures. If you pay in full out of pocket for a specific service and request no disclosure to your health plan for that service, covered entities must honor that restriction unless disclosure is required by law.
- Confidential communications: You can request communications by alternative means or at alternative locations (for example, mailing to a P.O. box).
- Accounting of disclosures: You can request a list of certain disclosures made in the six years before your request, excluding routine disclosures such as those for treatment, payment, and health care operations, disclosures to you, and disclosures made under your authorization.
- Notice and complaints: You can obtain a copy of the NPP at any time and file complaints without fear of retaliation.
Examples of Permitted Uses and Disclosures
Treatment, payment, and health care operations (no authorization required)
- Treatment: Sharing PHI among your clinicians to coordinate care—for example, sending a referral and recent lab results to a specialist.
- Payment: Submitting claims to your health plan and verifying eligibility or coverage.
- Operations: Quality improvement, population health activities, audits, accreditation, and training with safeguards in place.
Public interest and other purposes (without authorization, when conditions are met)
- Public health reporting (e.g., certain infectious diseases, adverse events).
- Health oversight activities (audits, inspections, licensure reviews).
- Judicial and law enforcement requests that meet legal standards.
- To avert a serious threat to health or safety, consistent with applicable law.
- Organ and tissue donation, coroners/medical examiners, and specialized government functions.
- Research under an Institutional Review Board waiver or with a limited data set and data use agreement.
Uses requiring patient authorization
- Most marketing communications and any sale of PHI.
- Psychotherapy notes, in most cases.
- Any medical information disclosure not described in the NPP as otherwise permitted or required by law.
De-identified information
Information that has been de-identified according to HIPAA standards is not PHI and may be used or shared without authorization. HIPAA recognizes two ways to de-identify data: the Safe Harbor method, which removes 18 specified categories of identifiers (names, geographic detail smaller than a state, most date elements, contact numbers, account and device identifiers, and so on) and requires that the organization has no actual knowledge the remaining data could identify the individual; and the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small.
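To make the Safe Harbor standard concrete, here is an added example (not code from the original page or from Accountable) that applies the method's mechanical rules to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 are collapsed to "90+" with the birth year removed, and ZIP codes are truncated to three digits unless the prefix is one HHS lists as covering 20,000 or fewer people. The field names, the sample record, and the residual-identifier regexes are assumptions made for this illustration; the restricted ZIP prefix list reflects HHS Safe Harbor guidance and should be checked against the current version before use.

```python
"""Safe Harbor de-identification of a constructed patient record (example only)."""
import datetime as dt
import re

# Three-digit ZIP prefixes that HHS Safe Harbor guidance (2000 Census) lists as
# covering 20,000 or fewer people. Assumption: verify against current guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields in the constructed record that are direct identifiers under Safe Harbor
# (names, SSN, medical record number, contact details, street address, serials).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "phone", "email", "street", "device_serial", "account_no",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Keep the first three digits unless the prefix is restricted or malformed."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) != 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def age_on(birth, as_of):
    """Age in completed years on the reference date."""
    age = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        age -= 1
    return age


def deidentify(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    age = age_on(record["birth_date"], as_of)
    over_89 = age > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            if field == "birth_date" and over_89:
                continue                  # even the year would reveal age > 89
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value            # clinical data passes through
    out["age"] = "90+" if over_89 else age
    return out


# Patterns for identifiers that often hide in free text after field-level stripping.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def residual_identifiers(record):
    """List (field, kind) pairs where a string value still looks like an identifier."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, kind))
    return hits


AS_OF = dt.date(2024, 6, 1)

# Constructed sample records; not real patient data.
SAMPLE = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "email": "jane@example.com",
    "street": "1 Example St",
    "zip": "03601",
    "birth_date": dt.date(1930, 5, 4),
    "admission_date": dt.date(2024, 2, 10),
    "diagnosis": "E11.9",
    "notes": "Follow-up call 555-867-5309 on 02/12/2024.",
}
SAMPLE_YOUNG = {"name": "Pat Example", "zip": "90210", "birth_date": dt.date(1985, 7, 20)}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, AS_OF)
    print(cleaned)
    print("residual identifiers in free text:", residual_identifiers(cleaned))
```

The `residual_identifiers` pass is the check a practitioner actually needs: field-level stripping handles structured columns, but a phone number or full date left in a notes field means the record is still PHI, and the "no actual knowledge" condition of Safe Harbor is not met until such text is scrubbed.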
Responsibilities of Covered Entities
Governance and workforce
- Designate a Privacy Officer and establish policies and procedures that reflect Privacy Rule compliance.
- Train workforce members and apply appropriate sanctions for violations.
- Apply the minimum necessary standard to uses and disclosures of PHI (it does not apply to disclosures for treatment, to the individual, under an authorization, to HHS for enforcement, or as required by law), and implement administrative, physical, and technical safeguards.
Business associates
Covered entities must execute business associate agreements with vendors that create, receive, maintain, or transmit PHI on their behalf and monitor compliance, including breach reporting obligations.
Privacy breach procedures
- Treat any impermissible use or disclosure of unsecured PHI as a presumed breach unless a documented risk assessment (considering the nature of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated) shows a low probability that the PHI was compromised.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- Report breaches affecting 500 or more individuals to HHS within that same 60-day window and, when 500 or more residents of a state or jurisdiction are affected, to prominent media outlets serving that area; log smaller breaches and report them to HHS within 60 days after the end of the calendar year in which they were discovered.
- Document incidents and mitigation steps to reduce risk of harm.
Documentation and retention
Maintain required HIPAA documentation, including notices, acknowledgments, authorizations, risk assessments, and training records, for at least six years from the date it was created or last in effect, whichever is later, and update it when laws or practices change.
Enforcement and Compliance Considerations
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA. OCR investigates complaints, conducts compliance reviews, and may require corrective action and impose tiered civil monetary penalties for violations. State attorneys general may also bring civil actions on behalf of their residents.
Practical compliance tips
- Perform periodic risk analyses and adjust safeguards accordingly.
- Review and update the NPP when practices or laws change; ensure consistent distribution.
- Test privacy breach procedures and incident response plans before you need them.
- Monitor business associates and maintain current agreements.
- Foster a culture where patients and staff know how to ask questions and report concerns.
FAQs
What is the purpose of the HIPAA Notice of Privacy Practices?
The NPP tells you how a covered entity uses and discloses your PHI, outlines your rights and choices, and explains the organization’s legal duties and contacts. It empowers you to understand, question, and direct how your information is handled.
When must a covered entity provide the NPP to patients?
Providers give it no later than the first service encounter (or soon after an emergency), and post it prominently in their facilities and on their websites if they have one. Health plans provide it at enrollment, make revised versions available when updated, and periodically remind members that the notice is available on request.
What rights do patients have under the NPP?
You can access and obtain copies of your records, request corrections, ask for restrictions (including limiting disclosure to a health plan for services you paid for in full), request confidential communications, receive an accounting of certain disclosures, and get a copy of the NPP at any time.
How can patients file a complaint if their privacy rights are violated?
You may contact the covered entity's Privacy Officer using the information in the NPP, and you may also file a complaint with the HHS Office for Civil Rights, generally within 180 days of when you knew or should have known of the violation. Covered entities may not retaliate against you for filing a complaint in good faith.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.