N NPP Generator
EHR & Vendor

Does Epic EHR Provide an NPP for Your Practice?

By NPP Generator Research Team  ·  Published Apr 25, 2026  ·  Last reviewed Apr 28, 2026  ·  3 min read

Need to update your NPP?

Update → Generate new →
Quick answer: No. Epic does not provide a HIPAA-compliant Notice of Privacy Practices for your practice. Epic provides HIPAA-compliant data hosting, audit logs, role-based access, and signs a BAA with covered-entity customers as part of standard enterprise contracts. The NPP — the patient-facing HIPAA document required by 45 CFR § 164.520 — is the covered entity's responsibility to produce and maintain.

Epic is the dominant enterprise EHR for hospitals and health systems. A common assumption among new Epic customers is that the platform's HIPAA-compliant infrastructure or BAA covers the NPP requirement. It does not. The NPP is a covered-entity-side document — your practice produces it, distributes it, and posts it.

What Epic does provide for HIPAA compliance

Epic provides HIPAA-compliant infrastructure and contractual protections, but none of them are an NPP:

Plan tiers and BAA availability

Epic licenses to enterprise customers (hospitals and large health systems). The BAA is part of the standard enterprise contract. Epic does not have a SaaS-tier or self-service onboarding; BAA execution happens during the implementation contract.

How to request the BAA from Epic

Epic's BAA is negotiated as part of the enterprise implementation contract. Healthcare-system legal teams handle this directly with Epic's legal team. There is no self-service BAA portal.

What the Epic BAA covers (and doesn't)

The Epic BAA binds Epic to HIPAA's safeguard obligations for PHI it handles on your behalf. It does not produce an NPP, fulfill your NPP-distribution obligation, or substitute for any patient-facing HIPAA documentation. The BAA covers vendor-side responsibilities; the NPP covers practice-side patient communications.

Alternatives if you need NPP support

Hospital systems using Epic typically have legal/compliance teams that produce the system's NPP. For smaller organizations or entities that haven't built their own NPP, NPP Generator's tool produces a HHS-Feb-2026-aligned NPP in 5 minutes for $49 — Epic-customizable: upload as a MyChart shared document or distribute via your existing patient-engagement workflow.

Setup after enabling Epic's HIPAA features

Once the NPP is produced, configure MyChart to surface it during patient onboarding and post it on the practice/system's public website. Distribute to existing patients on next encounter or via the portal.

Common patient-facing scenarios with Epic

In day-to-day operations using Epic, several scenarios commonly surface NPP-related questions:

Audit-readiness with Epic

When OCR or a state regulator audits a practice using Epic, expect the auditor to request:

What changed in the HHS February 2026 model

The HHS February 2026 final rule introduced several NPP content updates that affect every covered entity, including practices using Epic: clarified Right of Access language, updated breach-notification provisions, refined marketing-communication requirements, and explicit safeguards-against-AI language. Practices issuing or updating NPPs after February 16, 2026 should align to the new model. Epic's patient-portal infrastructure typically supports either model; the document content is the practice's responsibility.

More EHR & vendor guides

Athenahealth Provide AN Npp Cerner Oracle Provide AN Npp Charmhealth Provide AN Npp Drchrono Provide AN Npp Eclinicalworks Provide AN Npp Elation Health Provide AN Npp Greenway Health Provide AN Npp Jane App Provide AN Npp Kareo Provide AN Npp Meditech Provide AN Npp Nextgen Provide AN Npp Practice Fusion Provide AN Npp Simplepractice Provide AN Npp Tebra Provide AN Npp Theranest Provide AN Npp Therapynotes Provide AN Npp Valant Provide AN Npp Veradigm Allscripts Provide AN Npp

Generate a compliant NPP in 5 minutes

HHS Feb 2026 model · Part 2 SUD language · Section 1557 taglines · whether you're updating or starting fresh.

Update my existing NPP → Generate a new NPP →

No subscription · PDF + Word · Free watermarked preview · See sample →

Related: EHR & practice-management vendors

athenahealth Cerner / Oracle Health CharmHealth DrChrono eClinicalWorks Elation Health Greenway Health Jane App

Frequently Asked Questions

Does Epic provide a Notice of Privacy Practices?
No. Epic provides HIPAA-compliant infrastructure and signs a BAA on appropriate plans, but does not produce a HIPAA-compliant NPP. The NPP is the covered entity's responsibility under 45 CFR § 164.520.
Does Epic sign a BAA?
Yes, on appropriate enterprise/healthcare-tier plans. Epic licenses to enterprise customers (hospitals and large health systems). The BAA is part of the standard enterprise contract. Epic does not have a SaaS-tier or self-service onboarding; BAA execution happens during the implementation contract.
What's the cheapest way to get an NPP for my practice?
The HHS model notices are free and can be adapted manually, but they require you to fill in practice-specific fields (entity name, Privacy Officer, website, effective date) and add Part 2 SUD language if applicable. Tools like NPP Generator take the HHS model, capture practice information via a guided intake, and produce a formatted PDF and Word file for $49.
If I switch from Epic to another EHR, do I need to update my NPP?
Possibly. The NPP describes uses and disclosures; if changing EHR materially changes data flows or vendor relationships, the NPP may need updating. Re-distribute on material change.
Does HIPAA-compliant infrastructure satisfy the NPP requirement?
No. HIPAA-compliant data hosting, encryption, and audit logging are Security Rule safeguards. The NPP is a Privacy Rule requirement under § 164.520 — distinct and not satisfied by infrastructure.