Does CharmHealth Provide a Notice of Privacy Practices?
By NPP Generator Research Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026 · 4 min read
Key Takeaways
- ✓ CharmHealth does not produce a HIPAA Notice of Privacy Practices for your practice
- ✓ CharmHealth does sign a BAA — a vendor contract, not a patient-facing HIPAA notice
- ✓ CharmHealth offers a free EHR tier (up to 50 encounters/month) — but free EHR doesn't mean free compliance
- ✓ Small practices often assume free EHRs include all required compliance documents — they don't
- ✓ The NPP obligation belongs to your practice regardless of EHR cost
CharmHealth (also marketed as CharmEHR) is a cloud-based EHR popular with small independent practices because of its free tier — practices with fewer than 50 encounters per month can use the platform at no cost. It's widely used by family medicine, internal medicine, and specialty practices looking to minimize overhead. Despite the cost savings, using a free EHR does not reduce or eliminate your HIPAA compliance obligations as a covered entity.
The "Free EHR ≠ Free Compliance" Problem
Small practices on budget EHRs often assume that the software handles everything related to HIPAA. It doesn't. Here's the breakdown of what CharmHealth does and doesn't handle:
| Compliance Item | CharmHealth | Your Practice |
|---|---|---|
| BAA (vendor contract) | ✓ Provides | — |
| Encrypted PHI storage | ✓ Provides | — |
| Audit logs & access controls | ✓ Provides | — |
| Notice of Privacy Practices (NPP) | ✗ Does not provide | Must produce |
| NPP website posting | ✗ Does not handle | Must post |
| Patient acknowledgment of NPP | Can collect electronically (you supply the document) | Must obtain |
What CharmHealth Provides
- Business Associate Agreement. CharmHealth executes a BAA with covered entity practices.
- Free EHR tier. Up to 50 patient encounters per month at no cost; paid plans for higher volume.
- HIPAA-compliant infrastructure. Encrypted data, audit logging, and secure patient portal.
- Intake forms and patient portal. Electronic intake delivery, but practices must supply the NPP content.
What You Still Need if You Use CharmHealth
- A compliant NPP aligned to the HHS February 2026 model (the February 16, 2026 compliance deadline has passed)
- Public website posting of the NPP
- Physical office posting
- An acknowledgment-of-receipt process for new patients (CharmHealth's portal can collect this)
See "NPP requirements in 2026" for the full compliance checklist and "What is a Notice of Privacy Practices" for the content requirements.
Frequently Asked Questions
Does CharmHealth provide a Notice of Privacy Practices?
No. CharmHealth provides a BAA and a free HIPAA-compliant EHR but does not produce a Notice of Privacy Practices. The NPP is a covered-entity obligation under 45 CFR § 164.520.
Does CharmHealth sign a BAA?
Yes. CharmHealth executes a Business Associate Agreement with covered entity practices. The BAA covers CharmHealth's handling of PHI — it does not satisfy the NPP requirement.
Is CharmHealth the same as CharmEHR?
Yes. CharmEHR and CharmHealth are the same product — CharmHealth is the company and brand; CharmEHR is how the product is often referred to colloquially.
If I use CharmHealth's free plan, do I still need an NPP?
Yes. NPP requirements are determined by your status as a HIPAA covered entity, not by your EHR plan cost. Any practice that transmits health information electronically in standard transactions is a covered entity and must maintain a compliant Notice of Privacy Practices.
Generate your NPP in under 5 minutes.
Upload the PDF to CharmHealth's patient portal, post on your website, and you're covered. HHS February 2026 model. $49 one-time — no subscription required.
Free watermarked preview available.