What Information Is in the HIPAA Notice of Privacy Practices?
The HIPAA Notice of Privacy Practices explains how a covered entity uses and discloses your Protected Health Information (PHI), your Patient Rights under HIPAA, and the Covered Entity Obligations to protect it. It also outlines Privacy Rule Compliance expectations, how Breach Notification works, who to contact with concerns, and the notice’s effective date.
Uses and Disclosures of Health Information
Routine uses without written authorization
Your PHI may be used or disclosed for three core purposes often called “TPO”:
- Treatment: to coordinate your care among providers and facilities.
- Payment: to bill and collect payment from you or your health plan.
- Health care operations: for quality assessment, audits, accreditation, and compliance.
Other uses and disclosures permitted or required by law
The notice lists additional circumstances when PHI may be shared without your authorization, subject to safeguards and the “minimum necessary” standard:
- When required by law or court/administrative orders.
- Public health activities, such as reporting certain diseases or adverse events.
- Reporting abuse, neglect, or domestic violence when permitted or required.
- Health oversight activities, including audits, inspections, and licensure.
- Law enforcement purposes, as allowed by law.
- Judicial and administrative proceedings.
- Organ and tissue donation, and with coroners, medical examiners, and funeral directors.
- Research under approved protocols or waivers of authorization.
- To avert a serious threat to health or safety.
- Workers’ compensation and similar programs.
- Specialized government functions (e.g., military or national security activities).
- Correctional settings when necessary for safety, security, or health care.
Uses and disclosures that require your authorization
The notice states that certain uses and disclosures occur only with your written authorization, including most marketing, any sale of PHI, and most uses of psychotherapy notes. You may revoke an authorization in writing at any time, except to the extent action has already been taken.
Fundraising, communications, and opting out
You may receive limited fundraising communications; the notice explains your right to opt out at any time without affecting your care or benefits.
De-identified data and limited data sets
Information that has been de-identified is not PHI and may be used or disclosed outside HIPAA. A limited data set may be shared under a data use agreement for specific purposes such as research or public health.
Individual's Rights under HIPAA
Right to access and obtain copies
You have the right to inspect and get copies of your PHI, including an electronic copy when available. Reasonable, cost-based fees may apply for copies, mailing, or electronic media.
Right to request restrictions
You may ask to limit how your PHI is used or disclosed. While entities are not required to agree to most requests, they must comply when you pay in full out-of-pocket for a specific service and request that the related information not be disclosed to your health plan.
Right to confidential communications
You can request that communications be sent to an alternative address, phone number, or by a preferred method to enhance your privacy.
Right to amend
If you believe your record is incomplete or inaccurate, you can request an amendment. If denied, you will receive a written explanation and may submit a statement of disagreement that becomes part of your record.
Right to an accounting of disclosures
You may request an accounting of certain disclosures made without your authorization, excluding routine treatment, payment, and health care operations, among other exceptions.
Right to a paper copy and updated notices
You can obtain a paper copy of the notice at any time, even if you agreed to receive it electronically, and you will be informed when material changes occur.
Right to file a complaint without retaliation
You may file a privacy complaint with the covered entity and with the appropriate government agency. The notice affirms your right to do so without fear of retaliation.
Covered Entity's Legal Duties
Privacy Rule Compliance and safeguards
The notice confirms that the entity is required by law to maintain the privacy and security of PHI, follow the HIPAA Privacy Rule, and implement administrative, physical, and technical safeguards to protect your information.
Notice obligations and adherence
The entity must provide this notice, abide by its terms, and promptly inform you of significant changes. Revised notices will be posted and made available upon request.
Breach Notification commitments
If a breach compromises the privacy or security of your unsecured PHI, the entity will provide Breach Notification without unreasonable delay and within required time frames. Notices describe what happened, the types of PHI involved, steps you can take to protect yourself, what the entity is doing in response, and how to obtain more information.
Authorizations, marketing, and sale of PHI
The entity will obtain your written authorization for most marketing, any sale of PHI, and most uses of psychotherapy notes, and will honor your right to revoke authorizations prospectively.
No retaliation and compliance oversight
The notice assures you will not be penalized for exercising your rights or filing a complaint. Workforce members and business associates are expected to comply with privacy requirements, and violations are addressed.
More protective state laws
When state law provides greater privacy protections or access rights than HIPAA, the entity will follow the more protective law.
Contact Information for Privacy Concerns
The notice identifies how to reach the entity’s Privacy Officer (or similar role). You should see:
- Mailing address for written requests, amendments, or complaints.
- Telephone number and business hours for questions.
- Dedicated email or secure portal instructions for privacy requests.
- Directions for filing a complaint and the assurance of no retaliation.
If you need help preparing a request—such as for access, amendment, restrictions, or confidential communications—the notice explains what to include so your request can be processed efficiently.
Effective Date of the Notice
The notice displays an effective date indicating when its terms take effect. When material changes are made, the revised notice carries a new effective date and is posted and distributed as required. Health care providers typically make a good-faith effort to obtain your acknowledgment of receipt at your first date of service.
Summary
In short, the HIPAA Notice of Privacy Practices tells you how PHI is used and disclosed, outlines your Patient Rights under HIPAA, and defines Covered Entity Obligations for Privacy Rule Compliance and Breach Notification. Keep a copy, review it periodically, and use the listed contacts to exercise your rights or ask questions.
FAQs
What types of uses and disclosures are permitted under the HIPAA Notice of Privacy Practices?
Permitted uses include treatment, payment, and health care operations; disclosures required by law; and specific purposes like public health reporting, health oversight, certain research, law enforcement, and workers’ compensation. Uses such as most marketing, sale of PHI, and most psychotherapy notes require your written authorization.
What rights does an individual have concerning their PHI in the notice?
You can access and obtain copies of PHI (including electronic copies), request restrictions, ask for confidential communications, request amendments, and obtain an accounting of certain disclosures. You may also receive a paper copy of the notice at any time and file complaints without retaliation.
How does a covered entity protect and notify about PHI breaches?
The entity maintains safeguards to protect PHI and, if a breach of unsecured PHI occurs, provides Breach Notification without unreasonable delay and within required deadlines. The notice explains what details you will receive, actions the entity is taking, and steps you can take to protect yourself.
What contact information is provided for privacy questions or complaints?
The notice lists the Privacy Officer (or equivalent), a mailing address, phone number, and email or portal instructions. It also explains how to submit written requests and complaints and confirms you will not face retaliation for raising privacy concerns.