How to Create a HIPAA Privacy Notice: Step-by-Step Guide and Compliance Checklist
Understand HIPAA Privacy Notice Requirements
A HIPAA Privacy Notice—often called a Notice of Privacy Practices (NPP)—explains how you use, disclose, and safeguard a patient’s Protected Health Information (PHI), and what rights patients have over that information. Your goal is to provide clear, actionable information that patients can rely on at a glance.
Most covered entities with a direct treatment relationship to individuals must give this notice to patients and make it readily available thereafter. Health plans must provide it to enrollees and keep them informed when the notice changes. Whether you are a solo practitioner, group practice, telehealth provider, or health plan, the same core requirements apply.
For planning, build a simple HIPAA Compliance Checklist that maps each regulatory element to a specific place in your draft. If you are starting from scratch, use Model Privacy Notices as a baseline and tailor them to your actual practices, services, and state law overlays.
What the notice must accomplish
- Explain how PHI may be used and disclosed, with practical examples.
- Inform individuals of their privacy rights and how to exercise them.
- Describe your legal duties and how to contact you with questions or complaints.
- State when and how the notice takes effect and how you will communicate future changes.
Include Required Content Elements
Use the following framework to ensure your Notice of Privacy Practices contains all mandatory components. Treat this like a fill‑in‑the‑blanks checklist, customized to your operations.
Core elements to include
- Permitted uses and disclosures without authorization (for treatment, payment, and health care operations), with at least a few concrete examples patients will recognize.
- Other uses/disclosures allowed or required by law (e.g., public health reporting, health oversight, law enforcement, judicial proceedings, organ donation, workers’ compensation, averting serious threats, and specialized government functions), again with brief, plain‑language examples.
- Authorization-required uses/disclosures (e.g., marketing communications, sale of PHI, most uses of psychotherapy notes) and a statement that any other use or disclosure will require written authorization that the individual may revoke.
- Individual rights: access and copies, inspection, amendment, accounting of disclosures, request for restrictions (including the right to restrict disclosures to a health plan for items/services paid in full out of pocket), confidential communications, a paper copy of the notice, and the right to choose a personal representative.
- Complaint process: how to complain to your organization and that the individual may also file a complaint with the federal government; include a no‑retaliation statement.
- Legal duties: your obligation to maintain privacy and security of PHI, provide a notice of privacy practices, abide by its terms, and provide breach notification if unsecured PHI is compromised.
- Effective date and a clear description of how you will communicate future changes (your Material Revision Notification approach).
- How to contact your privacy office (name/title, phone, mailing address, and email).
Presentation tips
- Use headings, short paragraphs, and white space so the notice reads at an 8th–10th grade level.
- Provide translated versions where your patient population needs them, and keep all versions consistent.
Develop a Clear Header Statement
Place the required HIPAA header prominently at the top of the notice. Use the exact, legally prescribed wording that begins, “This notice describes how medical information about you may be used and disclosed …” and ensure it is unmistakable on paper and screens. Keep the header in a larger font than body text, and avoid decorative language that could dilute its visibility.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Design and readability
- Use plain language, short sentences, and patient‑facing examples.
- Highlight rights and key actions with bullets and bold labels (e.g., “Your Rights,” “Your Choices,” “Our Uses and Disclosures”).
- Provide a one‑page summary sheet if helpful, but never omit or replace the full notice.
Describe Uses and Disclosures of PHI
Describe what you actually do with Protected Health Information (PHI) today. Patients value specifics, not legal abstractions. Use categories plus examples to set expectations.
Treatment, payment, and health care operations (TPO)
- Treatment: sharing PHI among clinicians to diagnose and treat, e-prescribing, care coordination, or referrals.
- Payment: billing, claims processing, eligibility checks, prior authorization, and collections.
- Operations: quality assessment, accreditation, training, auditing, and customer service.
Other permitted or required disclosures
- Public health and safety: disease reporting, product recalls, suspected abuse or neglect, or preventing serious threats.
- Health oversight and law enforcement: audits, investigations, subpoenas, court orders, and locating a suspect or missing person (subject to safeguards).
- Research: when an institutional review board waives authorization or with individual authorization.
- Workers’ compensation and similar programs as permitted by law.
- Specialized government functions: military or national security, correctional institutions, or custody situations.
Authorizations and individual choice
- State clearly that marketing, sale of PHI, and most uses of psychotherapy notes require written authorization.
- Explain optional communications (e.g., fundraising) and how to opt out.
- Note the “minimum necessary” standard for non‑treatment disclosures and your safeguards for limiting PHI.
Outline Patient Rights and Legal Duties
Your patients’ rights
- Access and obtain copies of PHI, including electronic copies when maintained electronically.
- Request confidential communications (for example, contacting them at a different address or phone number).
- Request restrictions on certain disclosures; if they pay in full out of pocket, they can require you not to disclose that item/service to a health plan.
- Request an amendment to PHI they believe is incorrect or incomplete.
- Receive an accounting of certain disclosures.
- Designate a personal representative when appropriate.
- Receive a paper copy of the notice at any time.
Your organization’s legal duties
- Maintain the privacy and security of PHI and abide by the current notice.
- Notify individuals following a breach of unsecured PHI.
- Provide the notice, distribute it as required, and post it prominently in your facility and on your website if you have one.
- Refrain from retaliation against anyone who exercises their rights or files a complaint.
Provide Contact Information and Effective Date
Dedicate a section to how people can reach you with questions, requests, or complaints. Name a privacy officer or point of contact and provide multiple channels.
What to include
- Privacy officer name/title, mailing address, phone number, and email.
- Instructions for submitting access, amendment, restriction, and confidential communication requests.
- How to file a privacy complaint with you, along with a no‑retaliation statement.
- Effective date of the notice and a space for the most recent revision date.
Implement Distribution and Acknowledgment Procedures
Once your content is final, operationalize it. The distribution process is as important as the text itself. Build and follow a repeatable workflow that shows a Good Faith Effort to deliver the notice and to document patient acknowledgment.
For health care providers with a direct treatment relationship
- Give the notice at the first service encounter (in person or electronically before telehealth visits) and keep copies readily available afterward.
- Post the notice prominently in your physical locations and on your public website, if you maintain one.
- Make a Good Faith Effort to obtain written acknowledgment of receipt; if the patient refuses or circumstances prevent it, document why.
- When you issue a material revision, replace posted copies, update the website, make revised copies available at the next encounter, and document your Material Revision Notification steps.
For health plans
- Provide the notice at enrollment and with any material revision thereafter.
- At least once every three years, inform enrollees that the notice is available and how to obtain it.
- For members who consent to electronic delivery, provide it electronically and offer a paper copy on request.
Recordkeeping and quality control
- Retain prior versions of the notice and acknowledgment records for at least six years from the later of creation or last effective date.
- Train frontline staff to explain key sections and route rights requests properly.
- Conduct periodic audits using your HIPAA Compliance Checklist to confirm posting, website availability, distribution at first encounter, and documentation of acknowledgments.
Summary
Your HIPAA Privacy Notice should mirror how you actually handle PHI, explain rights in plain language, and be delivered consistently. Use a checklist to confirm every required element is present, maintain clear contact and effective dates, and document distribution and acknowledgments—especially after any material revision.
FAQs
What are the mandatory elements of a HIPAA Privacy Notice?
Include: permitted uses/disclosures (with examples), authorization-required uses, individual rights (access, amendment, accounting, restrictions including self‑pay restrictions, confidential communications, paper copy), your legal duties (privacy, security, breach notification, and adherence to the notice), how to file complaints without retaliation, your contact information, and the notice’s effective date plus how you will communicate material changes.
How often must the HIPAA Privacy Notice be updated?
Update the notice whenever your privacy practices or legal duties change in a way that materially affects what individuals read in the notice. Providers should post and make the revised notice available at encounters; health plans must distribute revised notices to enrollees and, at least every three years, remind them that the notice is available and how to obtain it.
Who must receive a copy of the HIPAA Privacy Notice?
Providers with a direct treatment relationship must give the notice to each patient at the first service encounter and keep copies available thereafter; personal representatives may receive it when appropriate. Health plans must provide it at enrollment and with material revisions, and make it readily accessible to members at all times (including electronically if the member accepts that format).
What steps ensure compliance with HIPAA distribution requirements?
Follow a documented workflow: deliver the notice at the first encounter or enrollment; post it prominently in facilities and on your website; obtain and retain acknowledgment (or document why it was not feasible); communicate material revisions promptly; remind plan members every three years that the notice is available; and keep notices and acknowledgment records for at least six years while training staff to handle rights requests and questions.