What Does a Written HIPAA Privacy Notice (NPP) Contain?


Kevin Henry

HIPAA

April 30, 2025

6 minutes read

A written HIPAA Privacy Notice—often called a Notice of Privacy Practices (NPP)—explains how a covered entity collects, uses, and shares your Protected Health Information (PHI). It outlines your Patient Privacy Rights and the organization’s duties so you can make informed choices about your health information.

Required Elements of a HIPAA Privacy Notice

An NPP must be clear, prominent, and easy to read. It sets expectations for how your PHI may be handled and how you can exercise your rights.

Core components every NPP includes

  • A plain-language overview stating that the notice describes how medical information may be used and disclosed and how you can access it.
  • Descriptions—and examples—of permitted uses and disclosures for treatment, payment, and healthcare operations.
  • A statement that other uses and disclosures require your Authorization for Disclosure, and how you may revoke that authorization.
  • A complete list of your individual rights and how to exercise them.
  • The covered entity’s legal duties, including a duty to maintain privacy and provide the notice.
  • Instructions for submitting questions or complaints, including contact information.
  • The notice’s effective date and a statement that the entity may change its practices and issue a revised notice.

Additional statements commonly required

  • A HIPAA Breach Notification statement explaining you will be informed if a breach compromises your unsecured PHI.
  • Notices about marketing, the sale of PHI, and psychotherapy notes, clarifying that these generally require authorization.
  • Fundraising communications, including your right to opt out.

Individual Rights Regarding PHI

HIPAA guarantees specific Patient Privacy Rights. The NPP must describe each right and how to use it.

  • Right of access: You may inspect or receive a copy of your PHI, including an electronic copy when available.
  • Right to request restrictions: You can ask to limit certain uses or disclosures; if you pay a provider in full out-of-pocket, you can require that information not be sent to your health plan for that service.
  • Right to confidential communications: You may request communications at alternative locations or by alternative means.
  • Right to amend: You can ask to correct or add information in your record if you believe it is inaccurate or incomplete.
  • Right to an accounting of disclosures: You can request a list of certain disclosures made without your authorization.
  • Right to a paper copy of the NPP: You may obtain a paper copy at any time, even if you agreed to receive it electronically.
  • Right to be notified of a breach: You will be informed if your unsecured PHI is compromised by a qualifying breach.

Covered entities—healthcare providers, health plans, and clearinghouses—must protect Protected Health Information (PHI) and follow the practices described in their current NPP. Their duties include the following:

  • Maintain the privacy and security of PHI and apply the minimum necessary standard where applicable.
  • Provide the NPP, abide by its terms, and promptly update it when practices materially change.
  • Train workforce members and implement safeguards to prevent unauthorized uses or disclosures.
  • Mitigate harmful effects of any improper disclosure and provide HIPAA Breach Notification when required.
  • Refrain from retaliating against anyone who exercises their rights or files a complaint.
  • Cooperate with oversight by the Department of Health and Human Services, which enforces HIPAA rules.

Uses and Disclosures of PHI

An NPP distinguishes when PHI can be used or disclosed without your authorization and when your written permission is required.

Permitted without authorization

  • Treatment, payment, and healthcare operations (for example, care coordination, billing, quality improvement).
  • Public health and safety activities, such as reporting certain diseases or preventing serious threats.
  • Health oversight, judicial and administrative proceedings, and limited law enforcement purposes.
  • Research under specific safeguards and approvals, organ and tissue donation, and decedent-related disclosures.
  • Workers’ compensation, specialized government functions, and disclosures required by law.

Your opportunity to agree or object

  • Facility directories and sharing with family, friends, or others involved in your care or payment, when appropriate.
  • Disaster relief efforts to help locate or inform family members.

Requires your Authorization for Disclosure

  • Most uses of psychotherapy notes, marketing communications, and any sale of PHI.
  • Any use or disclosure not otherwise described in the NPP; you may revoke authorization in writing at any time.

Complaints and Contact Information

The NPP must explain how to ask questions, request help, or file complaints without fear of retaliation.

  • Designated contact: name or title of the privacy official, telephone number, and mailing or email address for inquiries.
  • Complaint process: how to submit a concern to the covered entity and how to file with the Department of Health and Human Services, Office for Civil Rights.
  • Non-retaliation statement: you will not be penalized for exercising your rights or filing a complaint.

Distribution and Availability

Covered entities must make the NPP easy to obtain and keep it visible to patients and members.

Healthcare providers

  • Provide the NPP at the first service encounter and make a good-faith effort to obtain written acknowledgment of receipt.
  • Post the notice in a clear and prominent location and on any public-facing website; provide copies upon request.
  • In emergencies, provide the notice as soon as practicable after the emergency has passed.

Health plans

  • Distribute the NPP at enrollment and upon material revisions, and notify members at least every three years that the notice is available on request.
  • Post the current NPP on any public-facing website and provide copies upon request.

Conclusion

The written HIPAA Privacy Notice (NPP) is your roadmap to how PHI is used, the limits on sharing, and the choices you can make. Read it carefully, use it to exercise your rights, and contact the privacy official with any questions.

FAQs

What information must be included in a HIPAA privacy notice?

An NPP must describe permitted uses and disclosures, list your PHI rights and how to exercise them, explain the covered entity’s legal duties, include a HIPAA Breach Notification statement, give complaint and contact details, and show the effective date with a statement about revisions.

How are individuals informed of their PHI rights?

Your rights appear in a dedicated section of the NPP in plain language. It explains access, amendments, restrictions, confidential communications, accounting of disclosures, your right to a paper copy, and your right to breach notification, with directions for submitting requests.

What obligations do covered entities have under HIPAA?

They must safeguard PHI, follow the current NPP, limit uses and disclosures, train staff, mitigate improper disclosures, provide breach notifications when required, update the notice after material changes, and cooperate with oversight by the Department of Health and Human Services.

When must the HIPAA privacy notice be provided to patients?

Providers must give the NPP at the first service encounter, post it prominently, and obtain a good-faith acknowledgment. Health plans must share it at enrollment, after material revisions, and remind members at least every three years that it is available on request.

How can individuals file complaints regarding privacy violations?

The NPP tells you how to submit a complaint to the covered entity’s privacy official and how to file with the Department of Health and Human Services, Office for Civil Rights. You have the right to complain without retaliation.
