What Is a Notice of Privacy Practices (NPP)? Definition, Requirements, and Examples
Definition of a Notice of Privacy Practices
A Notice of Privacy Practices (NPP) is the plain‑language document that explains how a healthcare organization uses, discloses, and protects your Protected Health Information (PHI). Required by the HIPAA Privacy Rule, the NPP tells you what the organization may do with your information and what rights you have over it.
Covered entities—healthcare providers, health plans, and healthcare clearinghouses—must give you the NPP and make it easily accessible. The notice outlines permitted uses and disclosures for treatment, payment, and healthcare operations, and states when written authorization is required. It also explains how you can exercise your Patient Rights and how to reach the organization with questions or concerns.
Key Requirements of an NPP
Core content the NPP must include
- Permitted uses and disclosures: how Protected Health Information (PHI) may be used and disclosed for treatment, payment, and healthcare operations, and other allowed or required disclosures (for example, public health or law enforcement, when applicable).
- Authorization-required uses: a statement that other uses—such as most marketing, the sale of PHI, and many disclosures of psychotherapy notes—require your written authorization, and how you may revoke it.
- Your rights: clear explanation of access, amendments, accounting of disclosures, restrictions (including self‑pay restrictions to health plans), confidential communications, paper copy of the NPP, and fundraising opt‑out.
- Covered entity obligations: assurances to protect privacy, follow the NPP, notify you of breaches, and comply with the HIPAA Privacy Rule.
- Complaint procedures: how you can submit a complaint to the organization and to the federal government, and a non‑retaliation statement.
- Effective date and revisions: the NPP’s effective date and a notice that the organization may change the NPP and will post or provide the updated version.
Distribution and posting duties
- Providers with a direct treatment relationship must give you the NPP no later than the first service encounter and make a good‑faith effort to obtain your written acknowledgment of receipt (with allowances for emergencies).
- Health plans must provide the NPP upon enrollment and notify enrollees at least once every three years that the NPP is available on request and how to obtain it.
- Covered entities must post the current NPP in a prominent location and, if they maintain a website, post it there as well. Electronic delivery is allowed if you agree to receive it electronically.
Format, readability, and accessibility
- Plain language: write for easy understanding; avoid technical jargon.
- Accessibility: provide a paper copy on request and make reasonable accommodations (for example, large print, alternative formats, or translated versions) based on your patient population.
Privacy practices documentation and retention
- Maintain the current and prior versions of the NPP and related acknowledgments as part of the organization’s Privacy Practices Documentation, typically for at least six years from the date created or last in effect.
Individual Rights Under HIPAA
Your NPP should tell you exactly how to exercise the following Patient Rights and where to send requests. Time frames shown reflect common HIPAA Privacy Rule standards.
- Right to access and obtain a copy of your PHI (including an electronic copy when readily producible) within 30 days, with one 30‑day extension if needed.
- Right to direct a copy to a third party of your choice in a readily producible format.
- Right to request amendments to your PHI; the organization generally responds within 60 days, with one allowable 30‑day extension.
- Right to an accounting of certain disclosures made in the past six years, typically fulfilled within 60 days (with one 30‑day extension).
- Right to request restrictions on uses and disclosures; if you pay for a service out of pocket in full, you may require the provider not to disclose that information to your health plan for payment or operations.
- Right to request confidential communications (for example, contacting you at a different address or phone number).
- Right to receive notice of a breach affecting your unsecured PHI.
- Right to a paper copy of the NPP at any time, even if you agreed to electronic delivery.
Legal Duties of Covered Entities
Covered Entity Obligations under the HIPAA Privacy Rule include both policy commitments and day‑to‑day safeguards that protect your PHI.
- Provide, post, and abide by a compliant NPP; apply the minimum necessary standard for most non‑treatment disclosures.
- Implement administrative, physical, and technical safeguards to protect PHI and mitigate any harmful effect of improper uses or disclosures.
- Designate a privacy official and train workforce members on privacy policies and procedures.
- Maintain Privacy Practices Documentation, including policies, the NPP, acknowledgments, forms, and logs, for required retention periods.
- Revise the NPP when material privacy practices change and distribute or post the updated notice as required.
- Provide timely breach notification to affected individuals and, when applicable, to regulators and the media.
- Refrain from retaliating against anyone who files a complaint or exercises their privacy rights.
Contact Information and Filing Complaints
An NPP must clearly explain how to reach the organization’s privacy office and how to escalate concerns. Clear, simple Complaint Procedures build trust and speed resolution.
What to include in the contact section
- Privacy contact’s name or title, mailing address, phone number, and, if available, a dedicated email address.
- Instructions for submitting requests (access, amendments, restrictions, confidential communications) and the forms you may need.
How to file a complaint
- File directly with the organization’s privacy office; include dates, what happened, and the location or department involved.
- File with the federal government if you believe your privacy rights were violated; the NPP must state that you can do this and that you will not face retaliation.
- Keep copies of your submission and any responses; note deadlines referenced in the NPP.
Examples and Templates of NPPs
Below are concise examples and starter templates you can adapt. Customize them to reflect your actual practices, state law nuances, and patient communication preferences.
Example 1: Medical practice (direct treatment provider)
- Overview: “We use your PHI to treat you, bill for services, and run our practice. Other uses require your authorization.”
- Your rights: bullet list of access, amendments, accounting, restrictions (including self‑pay), confidential communications, paper copy, and fundraising opt‑out.
- Our duties: protect privacy, follow this notice, notify you of breaches, and post updates here and on our website.
- Contact and complaints: privacy officer details and directions to file with the federal government.
Example 2: Health plan
- Emphasize plan‑specific operations (claims management, utilization review, case management) and limits on disclosures to employers.
- State that the NPP is provided at enrollment and that members are reminded at least every three years that it is available on request.
Example 3: Telehealth or digital health provider
- Highlight electronic PHI handling, secure messaging, video platforms, and patient portal features.
- Explain any third‑party services involved in treatment, payment, or operations and your approach to data minimization.
Mini‑template (fill‑in‑the‑blanks)
[Organization Name] Notice of Privacy Practices — Effective [Date]. We may use and disclose your PHI for treatment, payment, and healthcare operations. Other uses require your written authorization. You have rights to access, obtain an electronic copy, request amendments, request restrictions (including for self‑pay services), request confidential communications, receive an accounting of disclosures, and obtain a paper copy of this notice. We are required by law to maintain the privacy of PHI, provide this notice, follow it, and notify you of breaches. To exercise your rights or submit a complaint, contact: [Privacy Officer/Title], [Address], [Phone], [Email]. You may also file a complaint with the federal government. We will not retaliate for filing a complaint.
Importance of Transparency and Trust in Healthcare
A clear, accurate NPP promotes transparency, sets expectations, and shows respect for your choices. When organizations explain why and how they use PHI—and provide straightforward ways to exercise your rights—you are more likely to engage in care and share information that improves outcomes.
Strong privacy communication also reduces confusion, complaints, and risk. Keeping the NPP current, readable, and easy to find demonstrates accountability and reinforces a culture of compliance.
Conclusion
An NPP is more than a form—it is a practical guide to your privacy rights and the organization’s responsibilities. By aligning content with HIPAA Privacy Rule requirements, distributing it properly, and documenting practices, covered entities strengthen trust while giving you clear control over your PHI.
FAQs
What information must be included in an NPP?
An NPP must describe permitted uses and disclosures (including those for treatment, payment, and healthcare operations), list which uses require your written authorization, explain your rights and how to exercise them, state the organization’s legal duties, provide Complaint Procedures and non‑retaliation language, include contact information for the privacy office, and show the effective date with a note that the notice may change.
How often must covered entities provide the NPP?
Providers with a direct treatment relationship must give it no later than your first service encounter and make a good‑faith effort to obtain written acknowledgment. Health plans must provide it at enrollment and then, at least once every three years, notify members that the NPP is available and how to get a copy. Any material revision requires updating postings and providing or making the revised notice available as required.
What rights do individuals have regarding their PHI?
You have rights to access and obtain copies (including electronic), direct a copy to a third party, request amendments, receive an accounting of certain disclosures, request restrictions (including for services you pay for in full out of pocket), request confidential communications, receive breach notifications, and get a paper copy of the NPP at any time.
How can patients file a complaint if their privacy is violated?
Follow the NPP’s Complaint Procedures: submit details to the organization’s privacy office using the listed contact methods, keep copies of what you send, and note any stated response timelines. You may also file a complaint with the federal government. The NPP must state that there will be no retaliation for filing a complaint.