Fundamentals
What Is an NPP Under HIPAA?
The patient-facing document every covered entity must provide under 45 CFR § 164.520.
Read more →Blog
Plain-language guides on HIPAA Notices of Privacy Practices — requirements, Part 2 SUD integration, state-law overlays, and OCR enforcement trends.
New to HIPAA? Find out whether your practice actually needs a Notice of Privacy Practices.
Check now →
February 16, 2026 deadline coverage
The HHS deadline passed Feb 16, 2026. Most practices haven't updated yet. These are the most-requested resources for practices catching up.
Did You Miss the Feb 16, 2026 Deadline?
What happens now, what OCR is doing, and how to catch up in 5 minutes.
Start hereCatch-Up Plan for Late Adopters
30-minute action plan: what to skip, what to prioritize, audit-ready by week's end.
OCR Penalties for the Missed Deadline
$137–$68,928 per violation, four-tier culpability structure, when CMP vs. resolution agreement.
OCR Is Auditing NPP Compliance Now
What auditors look for, what triggers an audit, six-question audit-readiness self-check.
Retroactive NPP Update: Effective Dates
Why backdating is the wrong move; how to dating effective and supersede correctly post-deadline.
NPP Redistribution When Updating Late
Direct-treatment vs. health plan distribution rules, acknowledgment forms, Section 1557 taglines.
Recent NPP Violation Settlements
2024–2025 OCR resolution agreements: settlement patterns, prompt-remediation evidence.
42 CFR Part 2 SUD Deadline Was Feb 16
Part 2 programs faced a dual deadline. Combined HIPAA + Part 2 integrated notice path.
NPP fundamentals
Start here. What an NPP is, what HHS requires in 2026, and how it differs from related documents.
2026 Compliance
HIPAA NPP Requirements in 2026
What a HIPAA Notice of Privacy Practices must contain in 2026, end to end.
Read more →HHS Model
HHS Model NPP 2026: Section-by-Section Walkthrough
Every section of the revised model, with what changed in 2024.
Read more →Comparison
NPP vs. BAA: What's the Difference?
Two HIPAA documents, two different purposes. When you need each.
Read more →State Law
When State Law Is Stricter Than Federal
CA, NY, MA, WA: state-law overlays on top of HIPAA's federal floor.
Read more →Part 2 / SUD
NPP Part 2 SUD Language
Integrating 42 CFR Part 2 substance use disorder language into your NPP.
Read more →Distribution & operations
Practical guides to distributing, posting, and maintaining your NPP day to day.
How-To
How to Post Your NPP on Your Website
Where to link, HTML vs. PDF, and how to keep it current after revisions.
Read more →How-To
Distribute Your NPP at First Patient Visit
In-person, telehealth, digital intake. How to provide and document delivery correctly.
Read more →Compliance
NPP Website Posting Requirements
What 45 CFR § 164.520 requires on your public site.
Read more →Compliance
NPP Acknowledgment of Receipt
What the "good-faith attempt" rule actually requires you to do.
Read more →How-To
When a Patient Refuses to Sign the Acknowledgment
You can't deny treatment. What HIPAA requires and how to document the refusal.
Read more →Lifecycle
Effective Date vs. Supersede Date
How to handle dates correctly during material-change redistributions.
Read more →Lifecycle
When to Update Your NPP
The six material-change triggers under § 164.520(b)(3) plus redistribution rules.
Read more →How-To
Issue a Material Change Notice
What counts as material, when redistribution is required, how to notify patients.
Read more →M&A
NPP After a Merger or Acquisition
Asset vs. stock purchase, when to issue a new NPP, due diligence checklist.
Read more →By practice type
Specialty-specific NPP guidance covering the practice types HIPAA covered entities most often need.
Therapists
NPP for Therapists & Mental Health
Psychotherapy notes, minor consent, and Part 2 considerations for mental health practices.
Read more →Dental
NPP for Dental Practices
Solo dentists, group practices, and DSO-affiliated offices.
Read more →Telehealth
NPP for Telehealth Practices
Distribution and acknowledgment for fully-virtual or hybrid practices.
Read more →Small Practice
NPP for Small Medical Practices
Solo and small group physician practices. Lean compliance approach.
Read more →FQHC
NPP for FQHCs
Federally Qualified Health Centers, Section 1557, sliding-fee context.
Read more →Pharmacy
NPP for Pharmacies
Retail and specialty pharmacy NPP requirements under HIPAA.
Read more →Pediatric
NPP for Pediatric Practices
Parents as personal representatives, minors' rights, and what changes at 18.
Read more →Cash-Pay
Does a Cash-Pay Practice Need an NPP?
Why most cash-only practices are still covered entities. The narrow exemption.
Read more →Multi-Site
NPP for Multi-Location Practices
One NPP for all sites or per-location. The affiliated covered entity option.
Read more →By state
State-specific NPP guidance for states with stricter-than-federal privacy laws.
California
NPP in California (CMIA + CCPA)
CMIA's stricter confidentiality plus CCPA personal-information overlay.
Read more →New York
NPP in New York (SHIELD Act)
SHIELD Act requirements for any practice serving NY residents.
Read more →Massachusetts
NPP in Massachusetts (201 CMR 17)
WISP requirements, encryption rules, and breach-notification overlap.
Read more →Texas
NPP in Texas
Texas Medical Records Privacy Act and state-specific provisions.
Read more →Florida
NPP in Florida
FIPA's 30-day breach window and how it interacts with HIPAA.
Read more →Washington
NPP in Washington (My Health My Data)
Washington's My Health My Data Act and consumer health data scope.
Read more →By EHR & vendor
Does your EHR or platform produce your NPP? Short answer: usually not. Here's what they do and don't include.
EHR & Vendor
Does Epic Provide an NPP?
Epic signs a BAA and provides infrastructure but does not produce your practice's NPP.
Read more →EHR & Vendor
Does Athenahealth Provide an NPP?
athenaOne signs a BAA. The HIPAA NPP remains your practice's obligation.
Read more →EHR & Vendor
Does SimplePractice Provide an NPP?
No. What SimplePractice does and does not include for HIPAA compliance.
Read more →EHR & Vendor
Does TherapyNotes Provide an NPP?
TherapyNotes signs a BAA but does not produce your practice's NPP.
Read more →EHR & Vendor
Does eClinicalWorks Provide an NPP?
eCW signs a BAA. HIE participation adds extra disclosure requirements.
Read more →EHR & Vendor
Does Jane App Provide an NPP?
Jane App is Canadian-built. US customers get a BAA but the NPP is on you.
Read more →Cerner / Oracle DrChrono Kareo / Tebra Tebra CharmHealth Elation Health Greenway Health MEDITECH NextGen Practice Fusion TheraNest Valant Veradigm / Allscripts
Enforcement & penalties
What OCR enforces against, what the penalties look like, and how to stay clear.
Penalties
NPP Compliance Penalties Under OCR
Civil monetary penalty ranges, common triggers, and tier breakdowns.
Read more →OCR Cases
OCR Case Studies, 2024–2025
Real OCR enforcement actions and what each settlement teaches us.
Read more →Violations
When Missing Web Posting Becomes a Violation
How OCR investigates web-posting failures and the documentation that helps.
Read more →Violations
When First-Visit Distribution Fails
OCR's view on first-visit distribution and acknowledgment-of-receipt.
Read more →M&A Cases
Acquisition NPP Cases
When buyers inherit a non-compliant NPP and what OCR has done about it.
Read more →All specialty guides
Every practice-type vertical we cover.
Therapists
Mental Health
Dental Practices
Telehealth
Small Medical
FQHCs
Pharmacy
Optometry
Chiropractors
Home Health
Hospice
Nurse Practitioners
Occupational Therapy
Physical Therapy
Speech-Language Pathology
Urgent Care
Addiction Treatment
ABA Therapy
Pediatric Practices
Cash-Pay Practices
Multi-Location
Dialysis Centers
Direct Primary Care
Employer Clinics
Rural Health Clinics
School-Based Health
Specialty Pharmacy