When Is a Notice of Use and Disclosure Required Under HIPAA?
Overview of HIPAA Privacy Requirements
Under the HIPAA Privacy Rule, covered entities must tell individuals how their protected health information (PHI) may be used and disclosed, and what rights they have over that information. This plain‑language explanation is the Notice of Privacy Practices (NPP)—often referred to as the “notice of use and disclosure.”
Covered entities include most health care providers, health plans, and health care clearinghouses. While business associates support HIPAA compliance through contracts, they do not issue an NPP. If you handle Substance Use Disorder Records subject to 42 CFR Part 2, your notice must also address those heightened confidentiality requirements.
Timing for Issuing Notices
For health care providers
- First service encounter: Provide the NPP no later than the date of first service delivery for a direct treatment relationship, whether in person, via telehealth, or by phone.
- Emergency treatment: If the first encounter is an emergency, give the notice as soon as reasonably practicable after the emergency has passed.
- Acknowledgment: Make a good‑faith effort to obtain the individual’s written acknowledgment of receipt; if it is not obtained, document the attempt and the reason.
For health plans
- At enrollment: Furnish the NPP to each new enrollee at or before the time of enrollment.
- Material revisions: Send the revised NPP (or a summary of changes and how to obtain the full notice) to all members within 60 days of a material change, or include it in the next annual mailing if one occurs within that 60‑day window.
- Ongoing reminders: At least once every three years, remind members that the NPP is available and how to request a copy.
Posting and availability
- Facilities: Post the current NPP in a clear and prominent location where individuals seek service and keep copies available on request.
- Websites and portals: If you maintain a website about your services or benefits, prominently post the current NPP and replace it when updated.
- Electronic delivery: You may deliver the NPP electronically (for example, through a patient portal or email) if the individual agrees to electronic communications; offer a paper copy on request.
Notice of Privacy Practices (NPP) Essentials
Core content your NPP must include
- Permitted uses and disclosures: A clear description of how you may use and disclose PHI for treatment, payment, and health care operations, and the circumstances where authorization or consent is required.
- Other allowed disclosures: Summaries of disclosures allowed or required by law (for example, public health, health oversight, or certain law enforcement purposes) and any applicable limits.
- Individual rights: How individuals can access, inspect, and obtain copies of PHI; request amendments; request restrictions; request confidential communications; and obtain an accounting of disclosures where applicable.
- Special options: The right to restrict disclosure to a health plan when the individual pays out of pocket in full, and the right to opt out of fundraising communications easily.
- Entity duties: A statement that you are required by law to maintain the privacy of PHI, provide the NPP, and abide by its terms.
- Breach notification: A commitment to notify the individual following a breach of unsecured PHI.
- How to exercise rights or complain: Clear contact information for your privacy office and instructions for filing complaints, including the right to submit one without retaliation.
- Effective date and updates: The notice’s effective date and how updates will be communicated.
Write the NPP in plain language, avoid legalese, and tailor examples to your operations so individuals understand real‑world uses and disclosures.
Requirements for Direct Treatment Relationships
If you are a provider with a direct treatment relationship, HIPAA requires extra steps to ensure transparency at the point of care. You must present the NPP by the first encounter, make a good‑faith effort to obtain a written acknowledgment, and never condition treatment on signing the acknowledgment. If a patient refuses or is unable to sign, document your attempt and the reason.
Keep the NPP visible in waiting areas, include it in intake workflows, and ensure telehealth intake processes display or transmit the notice before care begins. Retain prior versions of your NPP and acknowledgment records for at least six years from their effective or creation date, whichever is later.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Updates for Substance Use Disorder Records
Substance Use Disorder Records protected by 42 CFR Part 2 carry heightened confidentiality requirements. Recent alignment with HIPAA permits a single patient consent that allows the use and disclosure of Part 2 records for treatment, payment, and health care operations, with the patient’s right to revoke that consent. Certain redisclosures are permitted in accordance with HIPAA after that initial consent, while legal proceedings and law enforcement uses remain tightly controlled.
What this means for your NPP
- Scope: If you create, receive, maintain, or transmit Part 2 records, your NPP should plainly explain that those records receive additional protections under 42 CFR Part 2.
- Consent and revocation: Describe the single consent option for treatment, payment, and health care operations, how individuals can grant or revoke consent, and what happens after revocation.
- Limits on disclosure: Explain that certain uses—such as most legal proceedings—require specific authorization or a court order that meets Part 2 standards.
- Clarity for individuals: Use examples that distinguish general HIPAA uses and disclosures from those involving Substance Use Disorder Records.
Legal Compliance Deadlines
- First encounter or enrollment: Provide the NPP by the first service encounter for providers with a direct treatment relationship and at enrollment for health plans.
- Material changes: Health plans must distribute the revised NPP (or a summary and how to obtain it) within 60 days of a material revision or include it in the next annual mailing occurring within that period. Providers must post and make revised notices available as of the effective date.
- Ongoing reminders: Health plans must remind individuals at least every three years that the NPP is available.
- Record retention: Keep NPP versions and acknowledgment documentation for at least six years.
- 42 CFR Part 2 modernization: Most provisions aligning Part 2 with HIPAA carry a compliance date of February 16, 2026. If you handle Part 2 records, ensure your NPP and consent processes reflect these requirements by that date.
Patient Rights and Information Transparency
Your NPP is the front door to patient rights. Make it easy to find, read, and act on. Provide straightforward instructions for requesting records, amending PHI, requesting restrictions or confidential communications, opting out of fundraising, and filing complaints without fear of retaliation.
Use clear headings, short paragraphs, and examples relevant to your services. Keep the notice consistent across paper, digital, and posted versions, and train staff to explain it in everyday language. Doing so strengthens trust, supports HIPAA compliance, and reduces complaints and confusion.
Conclusion
A Notice of Privacy Practices is required when you begin a direct treatment relationship or enroll an individual in a health plan, and it must stay visible, accessible, and current. Build a plain‑language NPP that explains permitted uses and disclosures of PHI, highlights patient rights, and—where applicable—addresses the added protections for Substance Use Disorder Records under 42 CFR Part 2. Timely distribution, clear posting, documented acknowledgments, and prompt updates are the keys to sustained HIPAA compliance.
FAQs
When must the Notice of Privacy Practices be provided?
Providers with a direct treatment relationship must give the NPP no later than the first service encounter (or as soon as practicable after an emergency). Health plans must provide it at enrollment, remind members at least every three years that it is available, and distribute updates within required timeframes after material changes.
What information must be included in the NPP?
The NPP must explain permitted uses and disclosures of PHI, identify when authorization or consent is required, outline patient rights (access, amendment, restrictions, confidential communications, and more), state your legal duties, include breach‑notification language, provide contact and complaint instructions, and display an effective date.
How does the update for substance use disorder records affect the NPP?
If you handle Substance Use Disorder Records protected by 42 CFR Part 2, your NPP should describe the added protections, explain the single‑consent option for treatment, payment, and health care operations, outline the right to revoke consent, and clarify the stricter limits that still apply to legal proceedings and certain redisclosures.