Notice of Privacy Practices: What It Is and Who Needs One
Learn what a notice of privacy practices is, who is required to provide one under HIPAA, what it must contain, and how to create and distribute yours.
A notice of privacy practices is one of the most important patient-facing documents in healthcare compliance. If your organization handles protected health information under HIPAA, you are legally required to create, distribute, and maintain this document. Understanding what the notice must contain and how to distribute it correctly is essential for avoiding enforcement actions from the Department of Health and Human Services (HHS).
This guide explains what a notice of privacy practices is, who must provide one, what it must include, and how to handle distribution and updates. This content is for educational purposes and does not constitute legal advice. Consult a qualified healthcare attorney or compliance officer for guidance specific to your organization.
What Is a Notice of Privacy Practices?
A notice of privacy practices (NPP) is a written document required by the HIPAA Privacy Rule (45 CFR Section 164.520) that informs individuals about how a covered entity uses and discloses their protected health information (PHI). It is sometimes called an NPP, a HIPAA notice, or a privacy notice, though it should not be confused with a website privacy policy, which covers different obligations.
The NPP serves three primary functions:
- Disclosure: It tells patients and health plan members what types of uses and disclosures the covered entity makes, including those that require authorization and those that do not.
- Rights: It explains the individual's rights regarding their PHI, such as the right to access, amend, and receive an accounting of disclosures.
- Accountability: It identifies who is responsible for privacy within the organization and provides contact information for questions and complaints.
The legal requirement for the NPP comes from 45 CFR Section 164.520, which sets out both the content requirements and the distribution requirements. The rule applies to all three categories of HIPAA-covered entities: healthcare providers, health plans, and healthcare clearinghouses.
Who Must Provide a Notice of Privacy Practices?
HIPAA requires every covered entity to develop and distribute a notice of privacy practices. The three categories of covered entities are:
Healthcare providers
Any healthcare provider that transmits health information electronically in connection with a HIPAA-standard transaction must provide an NPP. This includes:
- Hospitals and health systems
- Physician and dental practices
- Pharmacies
- Laboratories and diagnostic facilities
- Mental health and behavioral health providers
- Physical therapy and rehabilitation clinics
- Telehealth providers
- Any other provider that bills electronically
The electronic transmission requirement is met by virtually all providers today, since electronic claims submission is standard practice.
Health plans
Health plans of all types must provide an NPP, including:
- Health insurance companies
- Employer-sponsored group health plans
- HMOs and PPOs
- Government programs (Medicare, Medicaid, CHIP, TRICARE, Veterans Health Administration)
- Dental and vision plans
- Long-term care and disability insurance plans
Small group health plans with fewer than 50 participants that are administered solely by the employer are not exempt from the NPP requirement, though they have some flexibility in how they distribute it.
Healthcare clearinghouses
Healthcare clearinghouses, which process health information from nonstandard to standard formats (or vice versa), must also provide an NPP. In practice, clearinghouses often deal with other entities rather than individuals, so their NPP obligations are narrower.
What about business associates?
Business associates (entities that perform services for covered entities involving PHI) are not required to provide their own notice of privacy practices. However, they must comply with the privacy and security terms in their business associate agreements (BAAs). The covered entity's NPP governs how PHI is handled, including when shared with business associates.
Required Contents of a Notice of Privacy Practices
Section 164.520(b) of the HIPAA Privacy Rule specifies what a notice of privacy practices must contain. The requirements are detailed and prescriptive. Missing any required element can constitute a HIPAA violation.
Header requirement
The notice must contain the following header or substantially similar language: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
Uses and disclosures
The NPP must describe, with at least one example for each category, how the covered entity may use and disclose PHI for:
- Treatment: Sharing information between providers involved in your care
- Payment: Using information to bill your insurance or collect payment
- Healthcare operations: Activities such as quality assessment, training, accreditation, and business planning
The notice must also describe:
- Uses and disclosures that require written authorization from the individual
- Uses and disclosures that may be made without authorization (such as public health reporting, law enforcement, judicial proceedings, and organ donation)
- Uses and disclosures for fundraising (with a clear statement of the right to opt out)
- Uses and disclosures of psychotherapy notes (which require specific authorization under Section 164.508)
Individual rights
The notice must inform individuals of the following rights:
- Right to access: The right to inspect and obtain a copy of their PHI (Section 164.524)
- Right to amend: The right to request corrections to their PHI (Section 164.526)
- Right to an accounting of disclosures: The right to receive a list of certain disclosures made by the covered entity (Section 164.528)
- Right to request restrictions: The right to ask the covered entity to limit certain uses or disclosures (Section 164.522)
- Right to request confidential communications: The right to receive communications through alternative means or at alternative locations (Section 164.522)
- Right to a paper copy: The right to receive a paper copy of the NPP upon request, even if the individual previously agreed to receive it electronically
- Right to be notified of a breach: The right to be notified if their unsecured PHI is breached (added by the HITECH Act and the 2013 Omnibus Rule)
Covered entity's duties
The notice must include a statement that the covered entity is required by law to:
- Maintain the privacy of PHI
- Provide individuals with a notice of its legal duties and privacy practices
- Abide by the terms of the notice currently in effect
- Notify individuals following a breach of unsecured PHI
Contact information
The NPP must provide the name (or title) and contact information for the person or office to contact for further information or to file a complaint. It must also inform individuals of their right to file a complaint with the HHS Office for Civil Rights and provide the OCR's contact information.
Effective date
The notice must include its effective date, which must not be earlier than the date on which it was last revised.
How to Distribute a Notice of Privacy Practices
The distribution requirements differ depending on whether the covered entity is a healthcare provider or a health plan.
Healthcare providers
Under 45 CFR Section 164.520(c)(2), healthcare providers with a direct treatment relationship must:
- Provide the notice no later than the first service delivery: This typically means handing it to the patient at their first visit, or sending it before the first service for telehealth or electronic interactions
- Make the notice available at the service delivery site: Post it in a clear and prominent location where patients can reasonably see it
- Post it on the website: If the covered entity maintains a website about its customer services or benefits, it must prominently post the notice on that website
- Make it available upon request: Anyone who asks for a copy must receive one
- Obtain a written acknowledgment: Make a good faith effort to obtain a written acknowledgment from the patient that they received the notice (this is the signature many patients provide at check-in). If the acknowledgment cannot be obtained, the provider must document its efforts and the reason it was not obtained.
Health plans
Under 45 CFR Section 164.520(c)(1), health plans must:
- Provide the notice at enrollment: Distribute the NPP to new members at the time of enrollment
- Distribute within 60 days of material changes: Send the revised notice (or information about the material change and how to obtain the revised notice) to all members within 60 days of a material revision
- Provide at least every three years: Remind members that the notice is available and explain how to obtain a copy at least once every three years
- Post on the website: If the plan has a website, the notice must be posted prominently
Electronic distribution
Covered entities may provide the notice electronically if the individual agrees to receive it in that format. For healthcare providers, this means the individual must specifically agree to electronic delivery. For health plans, the agreement to receive electronic communications more broadly may suffice.
Even when electronic delivery is agreed upon, the individual retains the right to receive a paper copy upon request.
Common Mistakes in a Notice of Privacy Practices
Many covered entities make avoidable errors in their NPPs that create compliance risk. Here are the most frequent problems:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowUsing a generic template without customization
A notice of privacy practices must reflect your organization's actual practices. A template that describes uses and disclosures your organization does not make, or fails to describe ones it does, is not compliant. For example, if your practice participates in a health information exchange (HIE), the notice must describe that. If you use PHI for fundraising, the notice must say so with an opt-out explanation.
Failing to update after regulatory changes
The 2013 HIPAA Omnibus Rule made significant changes to the Privacy Rule, including new breach notification rights and revised rules about the sale of PHI, genetic information, and marketing. Many organizations still have NPPs that do not reflect these changes. The notice must be revised whenever there is a material change.
Not obtaining or documenting acknowledgment
Healthcare providers must make a good faith effort to obtain a signed acknowledgment from every patient. Skipping this step, or failing to document why acknowledgment was not obtained, is a frequent finding in OCR audits and investigations.
Omitting required rights
Every individual right listed in Section 164.520(b)(1)(iv) must appear in the notice. Some organizations omit the right to an accounting of disclosures or the right to request confidential communications. Each omission is a separate compliance gap.
Confusing the NPP with a website privacy policy
A notice of privacy practices under HIPAA and a website privacy policy are different documents with different legal requirements. The NPP addresses PHI under HIPAA. A privacy policy addresses how a website collects and uses visitor data under laws such as the GDPR, CCPA, and state privacy statutes. Healthcare organizations with websites typically need both.
Notice of Privacy Practices vs. Website Privacy Policy
Because the terms are often confused, it is worth clarifying the distinction between a notice of privacy practices and a website privacy policy.
| Aspect | Notice of Privacy Practices (NPP) | Website Privacy Policy |
|---|---|---|
| Legal basis | HIPAA Privacy Rule (45 CFR 164.520) | GDPR, CCPA/CPRA, state privacy laws, CalOPPA |
| Applies to | HIPAA-covered entities | Any organization with a website collecting personal data |
| Information covered | Protected health information (PHI) | All personal information collected through the website |
| Distribution | Must be provided to patients/members directly | Published on the website, accessible to all visitors |
| Acknowledgment | Written acknowledgment required (providers) | Generally implied by continued use of the website |
| Penalties | HIPAA penalty tiers, up to $2.13M per violation category per year | Varies by law (GDPR: up to 20M EUR/4% turnover; CCPA: $2,500-$7,500 per violation) |
If your healthcare organization has a website that collects visitor data (contact forms, appointment scheduling, analytics, cookies), you need both documents. Your NPP handles HIPAA obligations, while your website privacy policy handles broader data collection practices. A privacy policy generator can help you create the website-facing document, while the NPP requires HIPAA-specific drafting.
State Laws That Affect Notice of Privacy Practices Requirements
While HIPAA sets the federal floor, several state laws impose additional privacy notice requirements that healthcare organizations should be aware of.
State health privacy laws
Some states have health privacy laws that are more protective than HIPAA. Under the HIPAA preemption rule (45 CFR Section 160.203), state laws that are more stringent than HIPAA are not preempted. Examples include:
- California (CMIA): The Confidentiality of Medical Information Act imposes stricter consent requirements for disclosure of medical information and provides a private right of action for patients
- Texas (THPA): The Texas Health Privacy Act requires covered entities to provide notice of privacy practices that meets both HIPAA and state-specific requirements, with penalties of up to $250,000 per violation
- New York: HIPAA-covered entities must comply with New York Public Health Law and Mental Hygiene Law, which add protections for HIV-related information and mental health records
State consumer privacy laws
If your healthcare organization's website collects data beyond what HIPAA covers (marketing analytics, cookies, contact form submissions), state consumer privacy laws may apply. The CCPA/CPRA (California), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other state laws each require their own privacy disclosures.
Organizations operating across multiple states benefit from a comprehensive compliance approach. TermsBox provides document generators and a compliance scanner that can help identify gaps in your privacy documentation across multiple regulatory frameworks.
Enforcement and Penalties for Non-Compliance
The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, including NPP requirements. Enforcement actions can result from complaints, compliance reviews, or breach investigations.
HIPAA penalty tiers
The HITECH Act established four penalty tiers, adjusted annually for inflation. As of 2024, the tiers are:
- Tier 1 (Did Not Know): The covered entity was unaware and could not have reasonably known of the violation. Penalties range from $141 to $35,581 per violation.
- Tier 2 (Reasonable Cause): The violation was due to reasonable cause and not willful neglect. Penalties range from $1,424 to $71,162 per violation.
- Tier 3 (Willful Neglect, Corrected): The violation resulted from willful neglect but was corrected within 30 days of discovery. Penalties range from $14,232 to $71,162 per violation.
- Tier 4 (Willful Neglect, Not Corrected): The violation resulted from willful neglect and was not corrected timely. Penalties range from $71,162 to $2,134,831 per violation.
An annual cap of $2,134,831 applies per violation category. However, multiple categories of violations in a single investigation can result in penalties well above this amount.
Notable enforcement actions
OCR has taken enforcement action for NPP-related violations as part of broader HIPAA investigations:
- Failure to provide patients with access to their records (which the NPP must describe) has been a priority enforcement area, with multiple settlements exceeding $100,000
- Organizations found without any NPP or with materially deficient notices face corrective action plans in addition to monetary penalties
- The OCR's Right of Access Initiative, launched in 2019, has resulted in over 45 enforcement actions, many involving NPP deficiencies
Practical risk
Even if a missing or deficient NPP does not result in a direct penalty, it increases risk in several ways. OCR investigators reviewing a breach or complaint will examine your NPP as part of the investigation. Deficiencies found during this review can compound the penalties for the underlying issue. A well-maintained, current notice of privacy practices demonstrates a culture of compliance.
Frequently Asked Questions
What is a notice of privacy practices?
A notice of privacy practices (NPP) is a document required under the HIPAA Privacy Rule that explains how a covered entity may use and disclose a patient's protected health information (PHI). It must describe the individual's rights regarding their PHI, the covered entity's legal duties, and who to contact with questions or complaints. Every HIPAA-covered entity must provide this notice to patients or health plan members.
Who is required to provide a notice of privacy practices?
Under HIPAA, all covered entities must provide a notice of privacy practices. This includes healthcare providers who transmit health information electronically in connection with standard transactions, health plans (including employer-sponsored plans, health insurers, and government programs like Medicare and Medicaid), and healthcare clearinghouses. Business associates are not required to provide their own NPP but must follow the terms of their business associate agreements.
How often must a notice of privacy practices be updated?
HIPAA does not set a specific update schedule, but covered entities must revise their notice of privacy practices whenever there is a material change to their privacy practices, their legal duties, or the individual rights described in the notice. The revised notice must be made available upon request and, for health plans, distributed to members within 60 days of a material revision. Healthcare providers must post the revised notice in their facilities and on their websites.
What is the penalty for not having a notice of privacy practices?
Failing to provide a notice of privacy practices is a violation of the HIPAA Privacy Rule. The HHS Office for Civil Rights (OCR) enforces penalties in four tiers based on the level of culpability: Tier 1 (did not know) ranges from $141 to $35,581 per violation, Tier 2 (reasonable cause) from $1,424 to $71,162, Tier 3 (willful neglect, corrected) from $14,232 to $71,162, and Tier 4 (willful neglect, not corrected) from $71,162 to $2,134,831 per violation. Annual caps apply per violation category.