HIPAA Notice of Privacy Practices Requirements: What You Must Include


Kevin Henry

HIPAA

September 27, 2025


Header Statement

Your Notice of Privacy Practices (NPP) must open with a prominent header that clearly tells individuals the notice explains how their medical information may be used and disclosed, how they can access it, and that they should review it carefully. Use plain language and define Protected Health Information (PHI) the first time you use the term so readers understand what information the HIPAA Privacy Rule protects.

Write for nonlawyers. Keep sentences short, use active voice, and organize with logical subheadings. If you serve diverse populations, consider providing versions in prevalent languages. The header should be visually prominent on the first page and immediately signal that the document covers privacy rights and Covered Entity Obligations.

Uses and Disclosures of PHI

Core purposes with examples

  • Treatment: Sharing PHI among providers to diagnose, treat, or coordinate care (for example, sending a referral or medication list).
  • Payment: Using PHI to bill, obtain prior authorization, or determine coverage.
  • Health care operations: Quality assessment, accreditation, auditing, customer service, and training.

Other disclosures permitted or required without authorization

Explain that you may use or disclose PHI as allowed by the HIPAA Privacy Rule for specific purposes, such as public health reporting, health oversight activities, law enforcement, judicial and administrative proceedings, organ and tissue donation, workers’ compensation, research under approved safeguards, coroners and medical examiners, to avert a serious threat to health or safety, specialized government functions, and as otherwise required by law. Clarify any state law limits that are more protective.

Authorizations and heightened protections

  • State that uses and disclosures not described in the notice will occur only with a valid written authorization, and that individuals may revoke an authorization in writing at any time.
  • Note heightened rules for marketing, the sale of PHI, and psychotherapy notes, which generally require authorization.
  • Mention fundraising communications, if applicable, and the individual’s right to opt out of further solicitations.

Emergency Disclosure Protocols and disaster relief

Describe how you may share limited PHI during emergencies or disasters to coordinate care, notify or assist in locating family or caregivers, or reduce imminent threats, consistent with Emergency Disclosure Protocols and the minimum necessary standard when it applies.

Individual Rights Under HIPAA

  • Right of access: To inspect or obtain a copy of PHI in the designated record set, including an electronic copy when you maintain it electronically, delivered in the form and format requested if readily producible.
  • Right to request restrictions: To ask you to limit certain uses or disclosures of PHI. Explain that you must agree to restrict disclosure to a health plan for payment or operations when the individual has paid for the item or service in full out of pocket.
  • Right to confidential communications: To receive communications by alternative means or at alternative locations (for example, at a P.O. Box or via secure portal).
  • Right to amend: To request corrections or addenda to PHI the individual believes is incomplete or inaccurate, with a written explanation if you deny the request.
  • Right to an accounting of disclosures: To receive a list of certain disclosures made without authorization for a defined period, excluding routine treatment, payment, and operations.
  • Right to a paper copy: To obtain a paper copy of the NPP at any time, even if the individual agreed to receive it electronically.
  • Right to breach notification: To be notified following a breach of unsecured PHI, including what happened, what information was involved, and steps the individual can take to protect against potential harm.

Covered Entity Obligations

  • State that you are required by law to maintain the privacy of PHI and to provide individuals with this notice of your legal duties and privacy practices.
  • Abide by the terms of the current notice and apply the minimum necessary standard where applicable.
  • Provide timely breach notifications and refrain from retaliating against anyone who files a privacy complaint or exercises their rights.
  • Reserve the right to change the terms of the notice and state how the new terms will apply to PHI you already maintain, consistent with the HIPAA Privacy Rule.
  • Explain any special rules relevant to your operations (for example, limits on using genetic information for underwriting by health plans, or disclosures to plan sponsors when plan documents include required privacy provisions).

Contact Information for Privacy Questions

Identify how individuals can reach your Privacy Officer for questions, requests, or complaints. Include a mailing address, telephone number, and email or secure portal instructions. Explain how to file a complaint with your organization and with the U.S. Department of Health and Human Services, and state that you will not retaliate for filing a complaint or exercising privacy rights.


Effective Date and Updates

Place a clear effective date on the first page of the NPP. Describe your process for updates and Material Change Notification—what triggers a “material” update (for example, new uses or disclosures, changes to individual rights or your legal duties, or updated contact information), how you will adopt the revised notice, and how you will communicate changes to individuals.

When you materially revise the NPP, finalize the updated notice before acting on the new practices, replace posted copies, update your website, and follow the distribution steps that apply to your organization type. Keep every version of the notice, with its effective date, for at least six years from the date it was last in effect, which is the Privacy Rule's documentation retention period.

Distribution and Posting Requirements

Healthcare providers with a direct treatment relationship

  • Provide the NPP no later than the first service delivery (in emergencies, as soon as practicable after the emergency subsides).
  • Make a good-faith effort to obtain the individual’s written acknowledgment of receipt and document efforts if you cannot obtain it.
  • Post the current notice in a clear and prominent location where patients receive care and on any public-facing website you maintain.
  • Have paper copies readily available at service sites and provide a copy upon request.

Health plans

  • Provide the NPP to each new enrollee at the time of enrollment, and to all individuals then covered by the plan when you first adopt the notice.
  • After a material revision, provide the revised notice—or information about the material change and how to obtain the full notice—to individuals then covered by the plan within 60 days. If you post the notice on your website, post the change or revised notice there by its effective date and include the revised notice (or the change information) in your next annual mailing instead.
  • At least once every three years, notify individuals that the notice is available and how to obtain it (Notice Distribution Requirements).
  • Post the current NPP prominently on your public website and keep it up to date.

Electronic delivery and accessibility

  • Electronic delivery is permitted if the individual agrees to receive the NPP electronically and has not withdrawn that agreement; if you know an electronic transmission failed, send a paper copy, and always provide a paper copy on request.
  • Ensure reasonable accommodations for disabilities and prevalent language needs so individuals can meaningfully understand their rights and your practices.

Conclusion

Your NPP is the front door to your privacy program. When you plainly explain how you use and share PHI, spell out individual rights, document Covered Entity Obligations, and follow robust distribution and update practices, you meet HIPAA Privacy Rule expectations and help individuals make informed choices about their health information.

FAQs

What must be included in a HIPAA Notice of Privacy Practices?

Include a prominent header statement; descriptions and examples of how you use and disclose PHI for treatment, payment, and operations; other permitted or required disclosures; a statement that other uses need written authorization (with special rules for marketing, the sale of PHI, and psychotherapy notes); individual rights (access, restrictions, confidential communications, amendment, accounting, paper copy, breach notification); your Covered Entity Obligations; how to file complaints without retaliation; contact details for privacy questions; how you will handle Material Change Notification; and the effective date.

When must a covered entity provide the notice to individuals?

Providers with a direct treatment relationship must give the notice no later than the first service delivery and make a good-faith effort to obtain a written acknowledgment of receipt, documenting the attempt if they cannot; in emergencies, they may delay delivery until practicable after the emergency subsides. They must also post the current notice prominently at the point of care and on their website. Health plans must provide the notice at enrollment (and initially to those already covered), keep it posted on their website, and send updates following material changes.

How often must health plans update and distribute the notice?

Update the NPP whenever your practices or legal duties materially change. Within 60 days of a material revision, distribute the revised notice or a summary of the changes with instructions for obtaining the full notice (plans that post the notice on their website may instead post the change by its effective date and include it in the next annual mailing). Keep the web version current, and at least once every three years remind members that the NPP is available and how to get a copy.

What are the consequences of not complying with NPP requirements?

Noncompliance can trigger investigations by federal regulators, corrective action plans, and civil monetary penalties based on the nature and extent of the violation and the level of culpability. You may also face contractual exposure, state enforcement, and reputational harm. Gaps often surface during incidents, so aligning your notice content, Emergency Disclosure Protocols, and distribution processes reduces risk.
