HIPAA Notice of Privacy Practices: What It Should Include and How It Should Be Provided


Kevin Henry

HIPAA

August 01, 2025


Your HIPAA Notice of Privacy Practices (NPP) explains how you handle a patient’s Protected Health Information and how individuals can exercise their rights. This guide distills the regulatory requirements for privacy notices and shows you how to deliver the notice clearly and consistently.

Required Content of Notice of Privacy Practices

Core elements the notice must describe

  • How you use and disclose PHI for treatment, payment, and health care operations.
  • Other disclosures permitted or required by law (for example, public health reporting, health oversight, judicial and administrative proceedings, law enforcement, organ donation, research under approved safeguards, workers’ compensation, and to avert a serious threat to health or safety).
  • That any other use or disclosure requires a written authorization and that the individual may revoke that authorization at any time.

Individual Rights Under HIPAA

  • Right to access, inspect, and obtain a copy of PHI (including an electronic copy when maintained electronically).
  • Right to request an amendment of PHI.
  • Right to an accounting of certain disclosures.
  • Right to request restrictions, including the right to restrict disclosure to a health plan when the individual pays in full out of pocket for a service.
  • Right to request confidential communications (for example, alternative address or phone).
  • Right to receive a paper copy of the NPP, even if the individual agreed to receive it electronically.
  • Right to be notified following a breach of unsecured PHI.
  • Statement that you are required by law to maintain the privacy of PHI, provide the NPP, and abide by its terms.
  • Notice that you reserve the right to change the NPP and how you will communicate and make the revised notice available.
  • Assurance that there will be no retaliation for filing a privacy complaint.

Additional required statements (as applicable)

  • Fundraising contacts: disclose that individuals may be contacted and can opt out of further fundraising communications.
  • Marketing and sale of PHI: explain that most such activities require a written authorization.
  • Genetic information: health plans must state they will not use or disclose genetic information for underwriting purposes.

Contact and complaint information

Identify how individuals can ask questions, make requests, and file complaints with your organization and with the government. Provide a phone number, email, or mailing address that is actively monitored.

Considerations for Substance Use Disorder Records (42 CFR Part 2 Compliance)

If you create or maintain Substance Use Disorder Records subject to 42 CFR Part 2, your notice should clearly explain heightened confidentiality protections and any consent requirements. Include language about the prohibition on redisclosure where applicable and align the NPP with your 42 CFR Part 2 policies.

When your organization is both a HIPAA covered entity and a Part 2 program, ensure your NPP and operational forms work together so patients understand how their information may be used and disclosed once the proper consent is in place.

Distribution Requirements for Health Care Providers

When and how to deliver the notice

  • Provide the NPP no later than the first service delivery date to individuals with a direct treatment relationship. In emergencies, provide it as soon as reasonably practicable after the emergency has passed.
  • Offer the notice in paper form and, when the patient agrees, electronically (for example, via patient portal, secure email, or a QR code linking to the current notice).
  • Make the notice available at each service location and give a copy to anyone who asks.

Digital and remote care

  • For telehealth or other remote modalities, present the NPP before the first encounter, allow easy download, and capture any required acknowledgments electronically.
  • Keep the most current NPP posted on your website if you maintain one.

Distribution Requirements for Health Plans

Enrollment and ongoing obligations

  • Provide the NPP to new enrollees at enrollment and to anyone who requests it.
  • Provide the revised NPP to all enrollees within 60 days of a material revision.
  • At least once every three years, notify enrollees that the NPP is available and how to obtain a copy.
  • If you maintain a website describing customer services or benefits, post the current NPP prominently and make it available electronically.

Posting and Availability of the Notice

Where and how to post

  • Post the NPP in a clear, prominent location where you deliver care or interact with members.
  • Post the current NPP on your website home page or a clearly labeled privacy page that is easy to find from the home page.

Accessibility and language

  • Use plain language and a readable layout (layered format, headings, and bullets work well).
  • Offer auxiliary aids and alternative formats when needed (large print, Braille, audio, or accessible digital formats) and provide translations for prevalent languages in your service area.

Updates to the Notice

When a revision is required

  • Revise the NPP whenever you make a material change to uses or disclosures, individual rights, your legal duties, or other privacy practices described in the notice.
  • Update the notice when federal or state privacy laws change in ways that affect your practices, including any changes relevant to 42 CFR Part 2 compliance.

Effective dates and retention

  • Display the effective date on the first page of the NPP.
  • Retain prior versions and related documentation for at least six years, consistent with HIPAA recordkeeping rules.

Redistribution after updates

  • Providers: replace posted copies immediately, use the updated version going forward, and make it available upon request (you are not required to mail it to all existing patients).
  • Health plans: deliver the revised notice to all current enrollees within 60 days of a material revision and keep the website version updated.

Acknowledgment of Receipt

Written Acknowledgment of Receipt

  • For providers with a direct treatment relationship, make a good-faith effort to obtain the patient’s written acknowledgment of receipt of the NPP. If you cannot obtain it, document your efforts and the reason (for example, patient declined).
  • Obtaining the acknowledgment is not a condition of treatment.
  • Accept electronic signatures, portal clicks, or signature-pad captures; store acknowledgments securely and retain them for at least six years.

Special cases

  • In emergencies, defer the acknowledgment until it is practical.
  • For minors or individuals with a personal representative, obtain the acknowledgment from the appropriate legal representative consistent with state law.

Model Notices of Privacy Practices

Using models effectively

  • Leverage model NPP templates to accelerate compliance while ensuring plain language and consistent formatting.
  • Customize the template to reflect your actual practices, your designated contact, any fundraising practices, and special programs (such as Substance Use Disorder Records subject to 42 CFR Part 2).
  • Consider a layered notice: a brief, user-friendly summary on top with the full legal notice below.

Quality and governance tips

  • Review the NPP annually and after any operational or legal change that affects privacy practices.
  • Coordinate among compliance, legal, IT, and patient-facing teams so the posted, printed, and electronic versions always match.
  • Train staff on how to explain the NPP and how to process requests that invoke individual rights under HIPAA.

Conclusion

A clear, accurate HIPAA Notice of Privacy Practices is the cornerstone of patient trust and compliance. Define your practices plainly, fulfill distribution duties for providers and health plans, keep the notice posted and current, obtain and retain acknowledgments, and tailor model templates to your operations—including any added protections for Substance Use Disorder Records.

FAQs

What information must be included in a HIPAA Notice of Privacy Practices?

Your NPP must describe how you use and disclose PHI, list the individual rights under HIPAA (access, amendment, accounting, restrictions, confidential communications, paper copy, and breach notification), explain your covered entity legal duties, state when authorizations are required, and provide clear contact and complaint information. Include any special statements that apply to you, such as fundraising opt-outs, marketing/sale-of-PHI authorizations, and—if you are a health plan—a statement about not using genetic information for underwriting.

How must the notice be distributed to patients and health plan members?

Providers must give the NPP no later than the first service delivery (or as soon as practicable after an emergency), post it prominently at service sites, keep copies available, and post it online if they maintain a website. Health plans must provide the NPP at enrollment, redistribute it within 60 days of a material revision, post it on their website if they have one, remind members at least every three years that it is available, and provide a copy upon request.

When should the notice be updated and redistributed?

Revise the NPP whenever there is a material change to your privacy practices, legal duties, or individual rights described in the notice, or when applicable laws change. Providers must replace posted copies and use the updated notice going forward; health plans must also send the revised notice to all current enrollees within 60 days of a material revision.

Is patient acknowledgment required for the notice of privacy practices?

Providers with a direct treatment relationship must make a good-faith effort to obtain a written acknowledgment of receipt, but treatment cannot be conditioned on signing. If you cannot obtain it, document why. Electronic acknowledgments are acceptable, and retention of acknowledgments and related records should be at least six years.
