What Does the Notice of Patient Privacy Do? Your HIPAA Rights and How Your Health Information Is Used and Shared
Overview of Notice of Privacy Practices
The Notice of Privacy Practices (NPP)—often called the patient privacy notice—explains how your provider or health plan handles your Protected Health Information (PHI). It outlines the Privacy Practices they follow, when Health Information Disclosure is allowed, and how you can exercise your Patient Rights under HIPAA.
You typically receive the NPP at your first visit or when you enroll in a health plan. Providers post it in their offices, and covered entities make the current version available upon request. Reading it helps you understand HIPAA Compliance in plain language so you know who can see your records, for what purposes, and what choices you have.
The NPP is not a consent form. Instead, it is a required notice that describes your rights and the organization’s duties, including ways to contact the privacy office, file a complaint, and request Confidential Communications.
Legal Requirements for Providers and Plans
Covered entities—health care providers, health plans, and health care clearinghouses—must provide an NPP and follow it. They are required to protect PHI, use and disclose only the minimum necessary for allowed purposes, and maintain HIPAA Compliance through policies, workforce training, and administrative, physical, and technical safeguards.
Organizations must share PHI only as permitted by HIPAA or with your written authorization. When they rely on vendors (business associates) who access PHI, they must have contracts that safeguard your information. They must also notify you if a breach of unsecured PHI occurs, as required by law.
Providers must give you the NPP no later than your first service encounter and make a good‑faith effort to obtain your acknowledgment of receipt. Health plans must give the NPP at enrollment and inform enrollees at least every three years that the notice is available and how to get a copy.
Patient Rights Under HIPAA
HIPAA gives you clear Patient Rights that the NPP explains and that providers and plans must honor:
- Access your records: You can inspect or obtain a copy of your PHI in the designated record set, including an electronic copy when available. Requests are typically fulfilled within set HIPAA time frames, and a reasonable, cost‑based fee may apply for copies.
- Request amendments: If you believe information is wrong or incomplete, you can ask for a correction. If denied for a valid reason, you may submit a statement of disagreement to be included in your record.
- Accounting of disclosures: You can request a list of certain disclosures made without your authorization (excluding routine treatment, payment, and health care operations) for a defined look‑back period.
- Request restrictions: You may ask to limit uses or disclosures for treatment, payment, or operations. While providers are not required to agree to most restrictions, they must honor a request not to disclose PHI to a health plan about a service you paid for in full out‑of‑pocket, unless disclosure is otherwise required by law.
- Confidential Communications: You can ask to receive PHI by alternative means or at an alternative location (for example, a different mailing address or email). Health plans must accommodate reasonable requests when you state that disclosure could endanger you; providers generally accommodate reasonable requests.
- Choose representatives and preferences: You can authorize a personal representative, set communication preferences, and revoke authorizations in writing.
- Receive a paper copy: You can get a paper copy of the NPP at any time, even if you agreed to receive it electronically.
- File complaints: You can complain to the provider or plan’s privacy office, and to regulators, without fear of retaliation.
Uses and Disclosures of Protected Health Information
When your PHI may be used or shared without authorization
HIPAA permits specific uses and disclosures of PHI without your written authorization, including:
- Treatment, payment, and health care operations (TPO).
- When required by law, for public health activities, health oversight, and to report abuse, neglect, or domestic violence as permitted.
- For judicial and administrative proceedings, and for certain law enforcement purposes.
- To coroners, medical examiners, and funeral directors; for organ, eye, or tissue donation.
- For research under approved safeguards or as a limited data set with a data use agreement.
- To avert a serious threat to health or safety, and for specialized government functions.
- For workers’ compensation programs as authorized by law.
- To people involved in your care or payment for care when you agree or have the opportunity to object, or when allowed by HIPAA professional judgment standards.
When your authorization is required
Your written authorization is generally required for uses and disclosures not described above, including most marketing communications, any sale of PHI, and most sharing of psychotherapy notes. You can revoke an authorization at any time in writing, except to the extent action has already been taken.
Minimum Necessary and de‑identification
Outside of treatment, covered entities follow the minimum necessary standard to limit PHI use and disclosure. They may also use or disclose de‑identified information, which is not PHI, to reduce privacy risk while supporting operations such as quality improvement and research.
Procedures for Requesting Privacy Restrictions
If you want to limit how your PHI is used or shared, follow these steps:
- Identify the scope: Specify exactly what information, which providers or plans, and which purposes (for example, “do not disclose to my health plan information about the lab test on [date]”).
- Submit a written request: Contact the provider or plan’s privacy office listed in the NPP. Ask if a standard restriction form is required.
- Document payment in full when applicable: If you paid for a service entirely out‑of‑pocket and want it withheld from your health plan, say so in your request and keep proof of payment.
- Review the response: You’ll receive a written decision. If accepted, the restriction becomes binding; if denied, the entity will explain why.
- Plan for emergencies: Even with a restriction, PHI may be shared for emergency treatment when necessary, and you’ll be informed afterward when feasible.
Handling Amendments and Access to Health Records
Requesting access to your PHI
To see or get a copy of your PHI, submit a written request to the privacy office or through the patient portal. You can choose paper or electronic format when available, or direct a copy to a third party of your choice. The entity must act within HIPAA time frames, and any fees must be reasonable and cost‑based.
Requesting an amendment
Explain what is inaccurate or incomplete and why. The provider or plan must respond within HIPAA’s time limits, granting the amendment or providing a written denial with the reason and instructions for submitting a statement of disagreement. Approved amendments are added to, but do not erase, the original entry.
Requesting an accounting of disclosures
You may ask for a list of certain disclosures made without your authorization for a defined period (up to six years). The first accounting in a 12‑month period is typically free; a reasonable fee may apply for additional requests.
Updates and Distribution of Privacy Notices
Providers and plans must keep the NPP up to date and post the current version with its effective date. When there is a material change in Privacy Practices, they revise the notice and make the new version available—posting it prominently, providing it on request, and distributing it through their usual channels. Health plans also remind enrollees at least every three years that the NPP is available and how to obtain it.
Key takeaways: The Notice of Privacy Practices explains how your health information is used and shared, sets expectations for HIPAA Compliance, and tells you exactly how to exercise your Patient Rights. Keep a copy, know how to contact the privacy office, and use your rights to access, amend, and control disclosures—including Confidential Communications and requestable restrictions.
FAQs
What information is included in a Notice of Privacy Practices?
An NPP describes how a provider or plan may use and disclose your PHI; examples of allowed uses (such as treatment, payment, and operations); which uses require authorization; your rights (access, amendment, accounting, restrictions, and Confidential Communications) and how to exercise them; the entity’s legal duties; how to file a complaint; how to contact the privacy office; and the notice’s effective date.
How can patients request restrictions on their health information?
Write to the privacy office named in the NPP, identify the specific information and disclosures you want limited, and state the timeframe. If you paid for a service in full out‑of‑pocket, note that you are requesting no disclosure to your health plan for that service. You will receive written confirmation if the restriction is accepted or an explanation if it is denied.
What should a patient do if their privacy preferences change?
Send an updated written request to the privacy office to revise any prior restriction or Confidential Communications preference. If you previously signed an authorization, you may revoke it in writing (future uses will stop). Update your patient portal settings where available and keep copies of all requests and confirmations.
How often must providers update the Notice of Privacy Practices?
There is no fixed schedule. Providers and plans must revise the NPP whenever there is a material change to their Privacy Practices or legal duties, post the current version with a new effective date, and distribute it through standard channels. Health plans must also remind enrollees at least every three years that the notice is available and how to obtain it.