
HIPAA: Notice of Privacy Practices

Notice of Privacy Practices [45 CFR § 164.520]

Rule: Covered entities must provide individuals with a notice explaining how their PHI may be used and disclosed, their rights, and the entity’s legal duties regarding PHI.

Purpose of Notice

The Notice of Privacy Practices (NPP) provides transparency by informing individuals about:

  • How covered entity may use/disclose their PHI
  • Individual’s rights regarding their PHI
  • Covered entity’s legal obligations
  • How to complain about privacy violations

Goal: Enable individuals to make informed decisions about their health care and privacy

Requirements by Entity Type

HIPAA distinguishes between direct treatment providers and other covered entities:

| Entity Type | Distribution Requirements | Acknowledgment Required? | Citation |
|---|---|---|---|
| Health plans | At enrollment, on request, when materially revised | Not required | § 164.520(c) |
| Health care providers with direct treatment relationship | First service delivery, on request, when materially revised, post notice | Yes - good faith effort | § 164.520(c)(1) |
| Health care providers without direct treatment relationship | On request only | Not required | § 164.520(c)(2) |

Notice Content Requirements [§ 164.520(b)]

Section 164.520(b)(1): Required Content Elements

The notice must contain the following in plain language:

(i) Header

Must include this specific statement as header or first page:

“THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

Format requirements:

  • Prominently displayed
  • Large, bold font recommended
  • First thing individual sees

(ii) Uses and Disclosures

Description of uses/disclosures must include:

| Category | Requirement | Details |
|---|---|---|
| Treatment, payment, operations | Describe and give examples | Most common uses - explain with examples |
| Authorization required | State that other uses require written authorization | Individuals control these uses |
| Revocation right | State individual may revoke authorization | Except to extent action already taken |
| Marketing | If applicable, that authorization required | Except face-to-face or promotional gift of nominal value |
| Sale of PHI | If applicable, that authorization required | Remuneration for disclosure requires authorization |
| Fundraising | If applicable, right to opt out | How to opt out must be described |
| Psychotherapy notes | If applicable, most uses require authorization | Except for certain treatment, payment, or operations |

Examples required: Notice must provide sufficient examples so individual can understand how entity will use/disclose PHI

Example language:

“We may use and disclose your health information for treatment purposes. For example, we may disclose your health information to a specialist to whom you’ve been referred to ensure the specialist has the necessary information to diagnose or treat you.”

(iii) Separate Statements for Certain Disclosures

Required separate statements for each of these uses/disclosures (if applicable):

| Disclosure Type | Required Statement | Citation |
|---|---|---|
| Facility directories | Individual may restrict or prohibit some/all disclosures | § 164.520(b)(1)(iii)(A) |
| Family/friends involvement | Individual may restrict or prohibit some/all disclosures | § 164.520(b)(1)(iii)(B) |
| Disaster relief | For notification purposes | § 164.520(b)(1)(iii)(C) |

(iv) Individual Rights

Must describe each right and how to exercise it:

| Right | Description Required | Notes |
|---|---|---|
| Access | Right to inspect and copy PHI | Art 15 GDPR equivalent |
| Amendment | Right to request amendment of PHI | Corrections |
| Accounting | Right to receive accounting of disclosures | Disclosure tracking |
| Restrictions | Right to request restrictions on uses/disclosures | Individual can request limits |
| Confidential communications | Right to request communications by alternative means/locations | Privacy protection |
| Paper copy of notice | Right to obtain paper copy of notice | Even if agreed to electronic |

For each right, notice must explain:

  • What the right is
  • How to exercise the right
  • Any limitations on the right
  • How entity will respond

Example for access right:

“You have the right to inspect and copy your health information. To inspect and copy your health information, you must submit a written request to our Privacy Officer. We may deny your request in certain limited circumstances. If we deny your request, we will provide you with a written explanation and information about your right to have the denial reviewed.”

(v) Covered Entity’s Duties

Must describe entity’s legal duties:

| Duty | Description | Citation / Notes |
|---|---|---|
| Maintain privacy | Required by law to maintain privacy of PHI | § 164.530(i) |
| Provide notice | Required to provide notice of privacy practices | § 164.520 |
| Follow notice | Required to abide by terms of current notice | Binding commitment |
| Reserve right to change | Right to change terms and make new notice effective for all PHI | Must notify if material revision |

Example language:

“We are required by law to maintain the privacy of your health information, to provide you with this Notice of our legal duties and privacy practices, and to follow the terms of the Notice currently in effect.”

(vi) Complaints

Must include:

  • Statement that individual may complain to covered entity and to HHS
  • Brief description of how to file complaint with covered entity
  • Statement that individual will not be retaliated against for filing complaint

Required information:

  • Name or title of contact person/office
  • Telephone number
  • Email or mailing address
  • How to file complaint with HHS Office for Civil Rights

Example language:

“If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer at (555) 123-4567 or privacy@example.com. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be penalized or retaliated against for filing a complaint.”

(vii) Contact Information

Must include:

  • Person or office contact for further information
  • Telephone number (and email if available)

(viii) Effective Date

Must include:

  • Date notice first goes into effect
  • Cannot be later than date first produced

Section 164.520(b)(2): Optional Elements

Covered entity may include additional information:

Permitted optional content:

  • Additional examples of uses/disclosures
  • Additional description of duties or practices
  • Applicable state or other law provisions
  • Contact information for questions
  • Logo, tagline, or other branding

Restrictions:

  • Cannot contradict required content
  • Cannot render required content confusing
  • Must still be in plain language

Section 164.520(b)(3): Revisions

When revising notice:

| Type of Change | Requirements | Citation |
|---|---|---|
| Material change | Must promptly revise and redistribute notice | § 164.520(b)(3)(i) |
| Non-material change | May revise at any time, redistribute as required | § 164.520(b)(3)(ii) |

Material change includes:

  • New or different uses/disclosures
  • Changes to individual rights
  • Changes to duties
  • Changes to complaint procedures

Distribution after material revision:

  • Health plans: Within 60 days to all then-covered individuals
  • Providers: Post prominently, provide on request
  • If applicable: Post revised notice on website

Effective date of revised notice:

  • May not be earlier than date printed on notice
  • May be effective for all PHI (even created before revision)

Health Care Providers [§ 164.520(c)(1)]

Providers with Direct Treatment Relationship

“Direct treatment relationship” means:

  • Treatment provider rendering health care to individual
  • Individual presents for treatment in person, by telephone, electronically, or otherwise

Does NOT include:

  • Indirect providers (labs, imaging centers without direct patient contact)
  • Consulting physicians who don’t treat patient directly

Distribution Requirements

First Service Delivery [§ 164.520(c)(1)(i)]

Timing: No later than first service delivery

First service delivery includes:

  • First office visit
  • First admission to hospital/facility
  • First telehealth encounter
  • First home health visit

Methods of delivery:

| Setting | Delivery Method | Citation |
|---|---|---|
| In person | Provide paper copy | § 164.520(c)(1)(i)(A) |
| Electronic (if agreed) | Email or web portal | § 164.520(c)(1)(i)(B) |
| Emergency treatment | Provide ASAP after emergency | § 164.520(c)(1)(i)(C) |

Emergency treatment circumstances:

  • Good faith attempt to provide ASAP after emergency resolves
  • No later than next service encounter if feasible
  • Obtain acknowledgment when practicable

Posting Requirement [§ 164.520(c)(1)(ii)]

Physical location:

  • Post current notice in clear and prominent location
  • Where reasonable to expect individuals seeking service to see it

Examples of appropriate locations:

  • Reception area
  • Waiting room
  • Registration desk
  • Patient check-in area

Not acceptable:

  • Break room
  • Staff-only areas
  • Storage rooms
  • Hallways with no patient traffic

Electronic Posting [§ 164.520(c)(1)(iii)]

If provider maintains website with information about services:

Must post notice on website:

  • Prominently displayed
  • Easily accessible
  • Current version
  • Available for download

“Prominently” means:

  • On homepage, or
  • Clearly linked from homepage
  • No more than 1-2 clicks away
  • Labeled clearly (e.g., “Privacy Practices”, “HIPAA Notice”)

Upon Request [§ 164.520(c)(1)(iv)]

Must provide copy on request:

  • Individual request
  • Promptly (as soon as reasonably practicable)
  • Even if previously provided
  • Even if individual has electronic copy

Format:

  • Paper copy if requested
  • Electronic if individual agrees

Acknowledgment of Receipt [§ 164.520(c)(2)]

Requirement: Covered health care provider must make good faith effort to obtain written acknowledgment of receipt.

“Good faith effort” means:

| Step | Requirement | Citation |
|---|---|---|
| Request acknowledgment | Ask individual to sign acknowledgment | § 164.520(c)(2)(i) |
| Document if refused | If individual refuses, document efforts and refusal | § 164.520(c)(2)(ii) |
| Document if unable | If unable to obtain due to emergency or other barrier, document | § 164.520(c)(2)(ii) |

Acknowledgment form requirements:

  • Statement that individual received notice
  • Signature and date
  • May be combined with other forms (consent, registration, etc.)

Example acknowledgment language:

“I acknowledge that I have received a copy of [Provider Name]’s Notice of Privacy Practices.”

Signature: _________________ Date: _________

Documenting inability to obtain:

  • State reason (refused, emergency, language barrier, etc.)
  • Date and time of attempt
  • Who made attempt
  • Retain in medical record

Example documentation:

“Attempted to obtain acknowledgment on 1/15/2026 at 10:30 AM. Patient refused to sign, stating ‘I don’t sign anything.’ Provided notice and explained importance. Patient still declined. Documented by J. Smith, RN.”

Important: Failure to obtain acknowledgment does NOT affect individual’s rights or provider’s obligations

Providers WITHOUT Direct Treatment Relationship [§ 164.520(c)(2)(iii)]

Providers who do not have direct treatment relationship (e.g., labs, pathologists, radiologists reading films remotely):

Must provide notice:

  • Upon request only
  • No required first delivery
  • No acknowledgment required
  • No posting requirement

Health Plans [§ 164.520(c)(3)]

Distribution Requirements

At Enrollment [§ 164.520(c)(3)(i)]

Timing: No later than date of enrollment

“Enrollment” means:

  • First date coverage begins
  • Applies to new enrollees only
  • Not renewals (unless plan requests individuals to re-enroll)

Delivery methods:

  • Mail (paper)
  • Electronic (if individual agrees)
  • Hand-delivery
  • Posted on website with email notification

Within 60 Days of Material Revision [§ 164.520(c)(3)(iii)]

If material revision to notice:

  • Must provide revised notice to all then-covered individuals
  • Within 60 days of revision effective date
  • By mail, electronically, or through posting

Upon Request [§ 164.520(c)(3)(iv)]

Must provide copy on request:

  • As soon as reasonably practicable
  • To any individual (even if not member)
  • Paper or electronic per individual preference

Website Posting [§ 164.520(c)(3)(ii)]

If health plan maintains website with information about plan:

Must post notice on website:

  • Current version
  • Prominently displayed
  • Available for download/printing

No Acknowledgment Required

Health plans not required to obtain acknowledgment of receipt.

Rationale: Enrollment process already establishes relationship

Documentation Requirements [§ 164.520(d)]

Retention Period

Must retain:

  • Current notice
  • All previous versions for 6 years from date last in effect
  • All acknowledgments (or documentation of good faith efforts)
  • Documentation of distributions

6-year retention from:

  • Date notice last in effect (for each version)
  • Date of acknowledgment (for acknowledgments)

Example:

  • Notice effective 2020-2024
  • Must retain until 2030

Practical Compliance

Creating Your Notice

Checklist:

  1. ✅ Include required header in large, bold font
  2. ✅ Describe treatment, payment, operations with examples
  3. ✅ Explain uses requiring authorization
  4. ✅ Add separate statements for facility directory, family involvement
  5. ✅ Describe all six individual rights with exercise instructions
  6. ✅ State legal duties (privacy, provide notice, follow notice, reserve right to change)
  7. ✅ Include complaint information (internal contact and HHS OCR)
  8. ✅ Provide contact information
  9. ✅ Include effective date
  10. ✅ Use plain language throughout
  11. ✅ Review for completeness and accuracy

Plain language tips:

  • Use short sentences
  • Avoid legal jargon
  • Define technical terms
  • Use active voice
  • Provide examples
  • Organize logically
  • Use headings and bullets
  • Test with non-expert readers

Distributing Your Notice

For providers with direct treatment relationship:

  1. ✅ Provide at first service delivery
  2. ✅ Post prominently in facility
  3. ✅ Post on website (if you have one)
  4. ✅ Obtain acknowledgment (good faith effort)
  5. ✅ Document if unable to obtain acknowledgment
  6. ✅ Provide on request anytime
  7. ✅ Provide after material revision

For health plans:

  1. ✅ Provide at enrollment
  2. ✅ Post on website (if you have one)
  3. ✅ Provide within 60 days of material revision
  4. ✅ Provide on request anytime

Acknowledgment Forms

Best practices:

  • Separate from consent for treatment
  • Separate from authorization to disclose
  • Clear, simple language
  • Signature and date line
  • Can be part of registration packet
  • Keep copy in medical record

What acknowledgment is NOT:

  • Not consent for treatment
  • Not authorization to disclose PHI
  • Not agreement with policies
  • Not waiver of rights

Individual refuses to sign:

  • Document refusal
  • Note date, time, who attempted
  • Note reason if provided
  • Keep documentation
  • Still provide services (refusal doesn’t affect treatment)

Handling Revisions

When to revise:

  • New uses or disclosures
  • Changes to individual rights
  • Changes to complaint procedures
  • Contact information changes

Process:

  1. ✅ Draft revised notice
  2. ✅ Review for accuracy and completeness
  3. ✅ Determine effective date
  4. ✅ Distribute per requirements
  5. ✅ Post new version on website
  6. ✅ Post new version at facility
  7. ✅ Retain old version for 6 years

Common Mistakes

Using template without customization:

  • Must accurately reflect YOUR practices
  • Generic templates may not match your operations
  • Examples should be YOUR examples

Obtaining “consent” instead of acknowledgment:

  • HIPAA requires acknowledgment of receipt
  • Not consent or agreement
  • Refusal doesn’t affect treatment rights

Not posting prominently:

  • “In office somewhere” insufficient
  • Must be where patients will see it
  • Test visibility with new patients

Not providing on request:

  • Must provide copy whenever requested
  • Even if already provided
  • Even if posted on website
  • Promptly

Not documenting distribution:

  • Must document good faith effort
  • Must document refusals
  • Must document emergencies
  • Retain for 6 years

Using old notice after revision:

  • Must use current version
  • Update all postings
  • Remove old versions from circulation
  • But retain old versions for records

Citation

45 CFR § 164.520 - Notice of privacy practices for protected health information

Sources

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.
