The HIPAA Privacy Rule Requires That the NPP Be Provided and Posted—What It Must Include and When
The HIPAA Privacy Rule requires Covered Entities to give individuals a clear, plain‑language Notice of Privacy Practices (NPP) that explains how Protected Health Information (PHI) is used and disclosed, what rights individuals have, and how those rights can be exercised. This guide explains exactly what the NPP must include and the timing, posting, and redistribution rules you must follow.
Whether you are a health care provider or a health plan, the NPP is a foundational compliance document. Done well, it protects privacy, sets expectations, and demonstrates your commitment to accountability and transparency.
Required Uses and Disclosures of PHI
Under the HIPAA Privacy Rule, there are two disclosures of PHI you are required to make: (1) to the individual (or their personal representative) when they request access to their information, and (2) to the U.S. Department of Health and Human Services (HHS) for compliance investigations or reviews. All other common disclosures—such as for treatment, payment, and health care operations—are generally permitted, not required, and must be described in the NPP with illustrative examples.
The NPP must also describe other permitted disclosures without authorization, such as for public health activities, health oversight, judicial and law enforcement purposes, organ donation, workers’ compensation, and to avert serious threats to health or safety. It should explain when authorization is required, including for uses and disclosures of psychotherapy notes, most marketing communications, and any sale of PHI. If you conduct fundraising, your NPP must note that individuals may be contacted and have a right to opt out of further fundraising communications.
What your Notice of Privacy Practices must explain
- That PHI may be used and disclosed for treatment, payment, and health care operations, with practical examples.
- The two required disclosures (to the individual and to HHS) and the difference between “required” and “permitted” disclosures.
- Situations requiring an authorization (for example, marketing, sale of PHI, and psychotherapy notes) and how authorizations can be revoked.
- That only the minimum necessary PHI is used or disclosed, except for treatment and other specified situations.
- How de‑identified information and limited data sets fall outside most PHI rules, where applicable.
Individual Rights Under the NPP
Your Notice of Privacy Practices (NPP) must clearly list the rights individuals have regarding their PHI and how to exercise them. These rights apply to paper and electronic PHI maintained by Covered Entities.
Core rights you must describe
- Right of access: to inspect or obtain copies of PHI, including electronic copies of records you maintain electronically.
- Right to request restrictions, including the right to restrict disclosure to a health plan when the individual pays in full out‑of‑pocket for a service.
- Right to request confidential communications (for example, contact at a different address or phone number).
- Right to request an amendment of PHI in the designated record set.
- Right to an accounting of certain disclosures of PHI.
- Right to obtain a paper copy of the NPP, even if the individual agreed to receive it electronically.
- Right to be notified following a breach of unsecured PHI.
- Right to opt out of fundraising communications, if applicable.
How individuals exercise these rights
- State where requests should be sent (for example, your Privacy Office) and what information is needed to process them.
- Explain any verification steps, expected response timeframes, and when a request may be denied with an opportunity to appeal (as applicable).
- Clarify any reasonable fees for copies, consistent with HIPAA requirements.
Legal Duties of Covered Entities
The NPP must state your legal obligations and promises under HIPAA. These statements build trust and set expectations for how you handle PHI.
- You are required by law to protect the privacy and security of PHI, provide an NPP, and follow the terms of your current NPP.
- You reserve the right to change your privacy practices and the NPP, and you will follow the processes in this notice to make revised versions available and effective.
- You will notify affected individuals following a breach of unsecured PHI.
- You will not use or disclose PHI in ways the NPP does not describe without a valid authorization, and you will not condition treatment or coverage on providing an authorization where HIPAA prohibits it.
- You will comply with more stringent state privacy laws where they apply.
Clarify the scope of who is covered by your NPP (for example, an Organized Health Care Arrangement), and name any Business Associates only to the extent needed to explain shared services, while noting that they are contractually bound to protect PHI.
Complaint Procedures and Contact Information
The NPP must explain how individuals can ask questions, raise concerns, and file complaints without fear of retaliation.
- Provide the name or title and telephone number (and, if used, email or mailing address) of your privacy contact person or office.
- Explain how to file a complaint with your organization and with HHS, and state that you will not retaliate for making a complaint in good faith.
- Note any time limits that apply to complaints under federal rules, and encourage prompt submission so concerns can be addressed quickly.
Timing and Methods for Providing the NPP
Direct treatment providers
- Provide the NPP no later than the date of first service delivery. For Emergency Service Delivery, give it as soon as reasonably practicable after the emergency has passed.
- Make a good‑faith effort to obtain the individual’s Written Acknowledgment of receipt; if you cannot obtain it, document why (for example, the patient declined or circumstances prevented it).
- Post the current NPP in a clear, prominent location at each service delivery site and make copies readily available for individuals to take.
Health plans
- Provide the NPP at enrollment and to new enrollees upon joining the plan.
- After any Material Changes to Privacy Practices, distribute the revised NPP—or a summary of the changes and how to obtain the full notice—to all then‑covered individuals within 60 days.
- At least once every three years, notify individuals that the NPP is available and how to obtain a copy.
Electronic delivery and patient portals
- You may deliver the NPP electronically (for example, by secure portal or email) if the individual agrees, but you must provide a paper copy upon request.
- If the first encounter is electronic, present the NPP automatically and allow the individual to print or save it.
- Document electronic acceptance or acknowledgment captured via your portal or e‑signature workflow.
Recordkeeping
- Maintain copies of all NPP versions, distribution methods, and Written Acknowledgment records for at least six years from the later of the date created or the date last in effect.
Language and Posting Requirements
Your NPP must be in plain language—concise, readable, and free of legal jargon. Use short sentences, active voice, and everyday terms. Start with a prominent header that tells individuals the notice explains how their information may be used or disclosed and how to access it.
Post the current NPP in a clear and prominent location where you deliver care, and ensure individuals can readily take a copy. If you maintain a website that provides information about customer services or benefits, prominently post your current NPP online and keep it up to date.
Consider your community’s language needs. While HIPAA requires plain language, other federal civil rights laws may require language assistance and accessible formats. Providing translated versions and accessible formats (for example, large print or screen‑reader friendly files) is a best practice that supports equity and understanding.
When appropriate, use HHS Model Notices as a starting point and tailor them to reflect your specific operations, state law obligations, and contact channels.
Revising and Redistributing the NPP
When you make Material Changes to Privacy Practices—such as new categories of uses/disclosures, changes to individual rights or your legal duties, or new restrictions—you must revise the NPP and include a new effective date. Update all posted copies and ensure staff begin using the new notice on the effective date.
- Health plans must distribute the revised NPP (or a summary with instructions to get the full notice) to all then‑covered individuals within 60 days of the material revision, and continue the three‑year availability reminder thereafter.
- Direct treatment providers must post the revised notice at service locations, update the website, and make copies available on request. A new Written Acknowledgment is not required, though providing the revised notice at the next visit is a strong practice.
- Keep prior versions and documentation of when and how you distributed or posted each version for at least six years.
- Train your workforce on the updated practices before the effective date so your operations match the commitments in the revised NPP.
Clear, accurate NPPs that are timely provided, prominently posted, and promptly revised help you meet HIPAA requirements, safeguard Protected Health Information, and build patient and member trust.
FAQs
When must the NPP be provided to individuals?
Direct treatment providers must give the NPP no later than the first date of service delivery—after emergencies, as soon as reasonably practicable—and make a good‑faith effort to obtain Written Acknowledgment. Health plans must provide the NPP at enrollment, send the revised notice (or a summary and how to obtain it) within 60 days of any material change, and at least every three years remind individuals that the NPP is available upon request.
What information must the NPP include?
It must describe permitted uses and disclosures of PHI (with examples), the two required disclosures, the individual rights and how to exercise them, your legal duties (including breach notification), when an authorization is required, how to file complaints, who to contact for questions, and the notice’s effective date. If you conduct fundraising, the NPP must explain that individuals may be contacted and how to opt out.
How should covered entities document the receipt of the NPP?
Direct treatment providers must make a good‑faith effort to obtain a Written Acknowledgment of receipt and, if not obtained, document why. Acceptable evidence includes a signed form, an electronic check‑box or e‑signature captured through a portal, or staff notation of the reason acknowledgment could not be obtained. Retain acknowledgment records and prior NPP versions for at least six years.
Are covered entities required to post the NPP online?
Yes—if you maintain a website that provides information about customer services or benefits, you must prominently post the current NPP online. Providers must also post it in a clear, prominent location at each service delivery site and make copies available for individuals to take; health plans must ensure members can easily access the most current notice online and on request.