HIPAA Notice of Privacy Practices: Best Practices and Compliance Tips


Kevin Henry

HIPAA

April 08, 2025


Notice of Privacy Practices Requirements

A HIPAA Notice of Privacy Practices (NPP) explains how your organization uses and discloses Protected Health Information (PHI), the privacy rights patients have, and your legal duties. It is required for Covered Entities, including most health care providers and health plans, that create or maintain PHI.

Purpose and scope

The NPP gives clear Patient Rights Notification and tells people how to exercise those rights. It also states your responsibility to safeguard PHI, follow the terms of the notice, and notify individuals if a breach of unsecured PHI occurs.

Who must provide an NPP

Health care providers with a direct treatment relationship must provide an NPP to patients. Health plans must provide it to enrollees. Members of an Organized Health Care Arrangement may issue a joint NPP that accurately reflects shared practices.

Plain Language Requirement

Your NPP must be written in plain language—short sentences, everyday terms, informative headings, and examples. Avoid jargon and define necessary legal terms so people can quickly understand how their information is used.

Written Acknowledgment

Providers must make a good-faith effort to obtain and document a patient’s Written Acknowledgment of receipt at the first service encounter (or as soon as practicable after an emergency). If the patient refuses or cannot sign, document the reason.

Record retention

Retain each version of the NPP and acknowledgment records for at least six years from the date last in effect, along with related NPP policies and procedures.

Providing the NPP to Patients

Make the NPP easy to obtain, read, and keep. Patients should not have to hunt for it or navigate complex steps to get a copy.

Timing and method

  • Providers: hand the NPP to patients at the first visit; in emergencies, provide it as soon as reasonably practicable.
  • Health plans: provide the NPP at enrollment and upon request thereafter.
  • Always keep copies available at points of service and provide a paper copy on request, even if the patient has previously agreed to electronic delivery.

Electronic delivery and telehealth

You may deliver the NPP by email or through a patient portal if the individual agrees. For telehealth or other electronic visits, make the NPP available before the encounter and let patients save or print it. Electronic signatures are acceptable for the Written Acknowledgment if permitted by your policies.

Special situations and accessibility

Provide the NPP to a personal representative when applicable (for example, a parent of a minor, subject to state law). Make accessible formats available—large print, audio, or screen-reader friendly files—and provide translations where significant patient populations speak languages other than English.

Content of the NPP

Your NPP must clearly describe what you do with PHI, when you need authorization, and how individuals can exercise their rights. Keep statements accurate to actual practices.


How PHI may be used and disclosed

  • Core uses: treatment, payment, and health care operations.
  • Uses/disclosures requiring authorization: most marketing, sale of PHI, and many non-routine disclosures; include the right to revoke an authorization.
  • Uses/disclosures permitted or required without authorization: for example, certain public health, health oversight, and law enforcement purposes, subject to HIPAA limits and applicable law.
  • Opportunities to agree or object: facility directories and sharing with family or friends involved in care when appropriate.

Patient Rights Notification

  • Right to access and obtain copies of PHI, including electronic copies when maintained electronically.
  • Right to request amendments to PHI you maintain.
  • Right to receive an accounting of certain disclosures.
  • Right to request restrictions, including the right to restrict disclosure to a health plan for items or services paid in full out of pocket.
  • Right to request confidential communications (for example, alternate address or phone).
  • Right to receive a paper copy of the NPP at any time.
  • Right to file a complaint with your organization and with the U.S. Department of Health and Human Services, without fear of retaliation.

Your duties and key statements

  • Maintain the privacy and security of PHI and follow the NPP’s terms.
  • Notify affected individuals following a breach of unsecured PHI.
  • State that other uses and disclosures not described in the NPP will be made only with authorization.
  • Identify how to contact your privacy official to exercise rights or ask questions.
  • Display the effective date prominently on the NPP.

Situational content that may apply

  • Fundraising communications and the individual’s right to opt out.
  • A statement that health plans will not use or disclose genetic information for underwriting.
  • Additional protections for certain sensitive records if applicable under federal or state law.

Posting the NPP

Post the current NPP prominently where you deliver care so patients can easily see it before they register. Keep a supply of copies nearby and post a sign telling patients they can take one.

Website posting

If you maintain a website that provides information about your services or benefits, prominently post the NPP there and keep it downloadable. Ensure the online version matches the paper version and is accessible to individuals with disabilities.

Multiple locations

Each clinic, department, or satellite site that serves patients should display the current NPP. Replace posters and handouts immediately when you update the notice.

Revising the NPP

Update the NPP whenever you make Privacy Practice Material Changes. Revisions must be accurate, dated, and promptly implemented across all channels.

When a change is “material”

  • Changes to how you use or disclose PHI, including new routine disclosures or new recipients.
  • Changes to patient rights or how individuals exercise them.
  • Changes to your legal duties or breach-notification practices.
  • Significant contact information changes (for example, a new privacy official or address).

Effective date, version control, and retention

Put the new effective date on the revised NPP, archive prior versions, and retain them with approval records for at least six years. Keep a clear audit trail of edits and sign-offs.

Redistribution after revision

Providers must replace posted copies, update websites, and make the revised NPP available on request; obtaining a new Written Acknowledgment is not required but is a prudent practice after major changes. Health plans must provide the revised NPP or a notice of material changes to enrollees and, at least every three years, remind them of the NPP’s availability and how to obtain it.

Best Practices for NPP Compliance

Go beyond minimums to make your NPP understandable, accessible, and integrated into daily workflows. These practices reduce risk and build trust.

Make it usable

  • Apply the Plain Language Requirement: aim for an 8th-grade reading level, short paragraphs, bullets, and helpful headings.
  • Translate for prevalent languages; provide large-print and screen-reader–friendly formats.
  • Use examples that reflect your services and typical disclosures.

Integrate into intake and telehealth

  • Send the NPP before visits via portal or email and capture electronic acknowledgments.
  • Train front-desk and telehealth staff to explain the NPP and handle questions quickly.
  • Scan or auto-file acknowledgments in the EHR with alerts for missing signatures.

Align words with actions

  • Inventory actual PHI uses and disclosures and confirm the NPP accurately reflects them.
  • Confirm fundraising, marketing, and sale-of-PHI statements match real practices.
  • Verify that your complaint process and privacy contact details work as written.

Monitor and document

  • Conduct periodic NPP audits: posters visible, handouts stocked, website current.
  • Track exceptions to Written Acknowledgment and follow up promptly.
  • Review for legal updates and state law changes at least annually.

Governance and training

  • Designate a privacy official to own the NPP lifecycle, including reviews and approvals.
  • Provide role-based training and scripts so staff can explain key rights consistently.
  • Maintain a change log and keep all versions and approvals for required retention periods.

Conclusion

A clear, accurate HIPAA Notice of Privacy Practices helps patients understand how their PHI is used and how to exercise their rights. By writing in plain language, integrating distribution and Written Acknowledgment into workflows, posting prominently, and promptly updating for material changes, you meet HIPAA requirements and strengthen patient trust.

FAQs

What are the key components of the HIPAA Notice of Privacy Practices?

The NPP should describe how PHI is used and disclosed; list uses requiring authorization; explain individual rights (access, amendment, accounting, restrictions—including out-of-pocket restrictions—confidential communications, and a paper copy of the NPP); state your legal duties and breach-notification obligations; explain how to exercise rights and file complaints; identify your privacy contact; and display the effective date.

How must covered entities provide the NPP to patients?

Providers must give the NPP at the first visit (or as soon as practicable after an emergency), post it prominently at service locations, and make a good-faith effort to obtain a Written Acknowledgment. Health plans must provide it at enrollment. Both should post the current NPP on their websites if they have one, honor requests for paper copies at any time, and may deliver the NPP electronically with the individual’s agreement.

When should the NPP be revised and redistributed?

Revise the NPP whenever you make Privacy Practice Material Changes—such as new routine disclosures, altered patient rights processes, or changes to legal duties—and update the effective date. Providers must update posted and electronic copies and provide the revised notice on request; health plans must provide the revised NPP or a notice of material changes to enrollees and periodically remind them of its availability.
