What Is the Notice of Privacy Practices? Your HIPAA Rights Explained
The Notice of Privacy Practices explains how your medical information may be used and shared, and what choices and rights you have under the HIPAA Privacy Rule. It is the plain‑language document you receive from a health plan or health care provider describing its privacy practices and your protections.
Covered entities—health plans, most health care providers, and health care clearinghouses—must give you this notice and follow it. The notice promotes transparency, supports Patient Rights under HIPAA, and demonstrates Covered Entity Compliance.
Uses and Disclosures of Protected Health Information
Protected Health Information (PHI) is any identifiable health data about your past, present, or future health or payment for care. The notice outlines when PHI can be used or disclosed without your written authorization and when your permission is required.
Core purposes allowed without authorization
- Treatment: sharing PHI among clinicians to diagnose and care for you, including care coordination and referrals.
- Payment: billing, eligibility verification, prior authorizations, and claims management.
- Health care operations: quality improvement, audits, accreditation, training, and customer service.
Other permitted or required disclosures
- Public health and health oversight activities, such as preventing disease, reporting adverse events, or audits.
- Judicial and law enforcement purposes, when properly authorized or required by law.
- Organ and tissue donation, coroners/medical examiners, and to avert a serious threat to health or safety.
- Research with institutional review board approval or a privacy waiver, and limited data sets under a data use agreement.
- Workers’ compensation and certain specialized government functions as permitted by law.
When your authorization is required
- Most uses of psychotherapy notes, marketing communications, and any sale of PHI.
- Research or other uses beyond those permitted by the HIPAA Privacy Rule.
The notice also explains options to agree or object to specific disclosures, such as hospital directories or sharing with people involved in your care. It should describe fundraising communications and your right to opt out, and it should reference the “minimum necessary” standard that limits non‑treatment uses.
Individual Privacy Rights
Your Notice of Privacy Practices spells out Patient Rights under HIPAA and how to exercise them. Understanding these rights helps you control how your PHI is handled and promotes accountability.
- Right of access: get copies of your PHI in the form and format requested when readily producible, usually within 30 days.
- Right to request amendments to correct or add to your records.
- Right to an accounting of certain disclosures made without authorization over the prior six years.
- Right to request restrictions, including the right to restrict disclosure to a health plan when you pay a provider in full out of pocket.
- Right to request confidential communications, such as using a different address or phone number.
- Right to receive a paper copy of the notice at any time, even if you agreed to electronic delivery.
- Right to be notified of a breach of unsecured PHI.
Exercising your rights
The notice must explain how to submit requests, expected response times, and any reasonable cost‑based fees (for copies or mailing). It should list whom to contact for privacy questions and how to file complaints without fear of retaliation.
Legal Duties of Covered Entities
Covered Entity Compliance requires safeguarding PHI, following the HIPAA Privacy Rule, and adhering to the practices described in the current notice. Entities must use appropriate administrative, physical, and technical safeguards and limit uses to the minimum necessary where applicable.
- Maintain and follow the Notice of Privacy Practices; update it when practices or laws materially change.
- Designate a privacy official, train the workforce, apply sanctions for violations, and mitigate harmful effects of improper uses or disclosures.
- Execute business associate agreements with vendors that handle PHI and monitor compliance.
- Provide breach notifications without unreasonable delay and no later than 60 days after discovery, when required.
Governance and documentation
The notice should state the entity’s legal duty to protect privacy, its commitment not to retaliate for complaints, and that it will follow the notice’s terms. It must include an effective date and explain how future revisions will be communicated.
Distribution and Timing Requirements
Notice Distribution Requirements vary by entity type. Providers with a direct treatment relationship must give you the notice no later than the first service delivery date and make it available at their service sites.
- Emergency treatment: provide the notice as soon as reasonably practicable after the emergency ends.
- Health plans: provide the notice at enrollment; notify you of material revisions within required timeframes; and at least every three years remind you that the notice is available and how to obtain it.
- Electronic delivery: a notice may be emailed if you agree; you can still request a paper copy at any time.
- Plain language: the notice must be easy to read and understand.
Notice Distribution Requirements in practice
Expect to see the notice at check‑in counters, included in enrollment packets, or delivered via secure portals or email with your consent. Re‑distribution occurs after material changes or as part of required reminders.
Acknowledgment and Patient Consent
HIPAA does not require your consent for routine treatment, payment, and health care operations. Instead, providers with a direct treatment relationship must make a good‑faith effort to obtain your Acknowledgment of Receipt of the notice.
- Your signature simply confirms you received the notice; it is not an authorization for additional disclosures.
- If you decline to sign, care cannot be withheld for that reason; the provider documents the good‑faith attempt and reason acknowledgment was not obtained.
- Separate, written authorization is required for uses like marketing, sale of PHI, most psychotherapy notes, or research beyond permitted pathways.
Consent vs. authorization vs. acknowledgment
Consent is generally optional and internal to the provider; authorization is a specific legal permission for defined disclosures; acknowledgment only confirms you received the notice. Your rights and choices depend on which applies.
Availability and Posting Obligations
Providers must post the current notice in a clear, prominent location where people seek service and make copies available. If they maintain a website describing services or benefits, they must also prominently post the current notice online.
- Provide alternative formats or languages when reasonable to ensure access.
- Keep the most current effective date visible on the notice and remove outdated versions from public areas.
- Ensure staff can explain key sections and direct you to the privacy contact listed in the notice.
Electronic availability
Entities may distribute the notice through patient portals or email with your agreement. Even when delivered electronically, you retain the right to request and receive a paper copy.
Model Notices from HHS
The Department of Health and Human Services publishes model Notices of Privacy Practices to help organizations craft plain‑language, compliant documents. These models are templates, not one‑size‑fits‑all; each entity must tailor content to its actual practices and state law overlays.
- Customize sections on uses and disclosures, your privacy rights, how to exercise them, and how to contact the privacy official.
- Include required statements on marketing, sale of PHI, fundraising opt‑outs, restrictions for self‑pay services, breach notification, and non‑retaliation.
- Review regularly when laws or operations change, train staff on updates, and audit for real‑world adherence.
Summary
Your Notice of Privacy Practices is your roadmap to how PHI is handled, what a covered entity promises to do, and the choices you can make. Read it, ask questions, and use your rights to access, correct, limit, or keep your information confidential.
FAQs
What information must a Notice of Privacy Practices contain?
It must describe permitted uses and disclosures of PHI; your rights (access, amendment, accounting, restrictions, confidential communications, paper copy, and breach notification); how to exercise those rights; the entity’s legal duties; its commitment to follow the notice; how to file complaints; the privacy official’s contact information; and the effective date. It should also explain when authorization is required, fundraising opt‑out rights, restrictions for services you pay for in full out of pocket, and any other material practices under the HIPAA Privacy Rule.
When should a patient receive the Notice of Privacy Practices?
Providers with a direct treatment relationship must give it to you by the first service delivery date and make it available at the point of care; in emergencies, you should receive it as soon as reasonably practicable afterward. Health plans must provide it at enrollment, notify you of material revisions within required timeframes, and remind you at least every three years that the notice is available and how to get it.
Is patient acknowledgment mandatory for Notice of Privacy Practices?
Providers must make a good‑faith effort to obtain your written acknowledgment of receipt, but your signature is not legally mandatory and treatment cannot be conditioned on signing. If you decline, the provider documents the attempt and reason; health plans are not required to obtain acknowledgments.
How can patients file a complaint if their privacy rights are violated?
You may file a complaint directly with the provider or health plan’s privacy official, and with the Department of Health and Human Services through the Office for Civil Rights complaint procedure. Complaints generally should be submitted within 180 days of when you knew of the issue; retaliation for filing a complaint is prohibited.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.