Does SimplePractice Provide a Notice of Privacy Practices?

By NPP Generator Research Team  ·  Published Apr 23, 2026  ·  Last reviewed Apr 28, 2026  ·  6 min read

SimplePractice is the dominant EHR for solo and small-group mental health practices — therapists, LCSWs, psychologists, counselors. One of the most common assumptions among new SimplePractice users is that the platform's HIPAA-compliant infrastructure extends to the patient-facing HIPAA documents, including the Notice of Privacy Practices. It does not.

What SimplePractice Does Provide

SimplePractice provides a stack of HIPAA-compliant infrastructure and templates, but none of them are a Notice of Privacy Practices:

• Business Associate Agreement (BAA). On Professional and higher plans, SimplePractice executes a BAA during onboarding. This is a legal contract between SimplePractice and your practice governing how SimplePractice handles PHI.
• HIPAA-compliant infrastructure. Encrypted data at rest and in transit, audit logs, role-based access controls, secure messaging, and HIPAA-compliant telehealth video.
• Practice-policies and informed-consent templates. Generic templates for fees, cancellation policies, scope of practice, and therapist-client agreement. These can be included in client intake packets and signed electronically.
• Document upload for intake. You can upload your own NPP as a PDF and have it signed (acknowledged) electronically at intake — but SimplePractice does not generate the NPP for you.

Why SimplePractice's Templates Aren't an NPP

Practice-policies documents and Notices of Privacy Practices serve different purposes. A practice-policies document is a commercial/practice-management document covering things like:

• Session fees and payment policies
• Cancellation and no-show policies
• Scope of practice and boundaries
• Emergency contact procedures
• Between-session contact rules

An NPP is a regulatory document with prescribed mandatory content under 45 CFR § 164.520(b):

• The HHS-prescribed header statement ("THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED...")
• Permitted uses and disclosures of PHI with examples
• Uses requiring patient authorization (marketing, sale of PHI, psychotherapy notes)
• All individual rights under HIPAA (access, amendment, accounting, restriction, confidential communications, paper copy, breach notification)
• Entity duties to safeguard PHI
• Complaint procedures (internal and to HHS OCR)
• Privacy Officer contact information
• Effective date

Practice-policies and NPP cover different domains. You need both — and they are not interchangeable. See what is a Notice of Privacy Practices for the full content requirements.

Does the SimplePractice BAA Replace the NPP?

No. A BAA and an NPP are two different HIPAA instruments:

• A BAA is a vendor contract. It runs between your practice (the covered entity) and SimplePractice (the business associate). It binds SimplePractice to HIPAA obligations. Required by 45 CFR § 164.504(e).
• An NPP is a patient-facing notice. It runs from your practice to each patient. It describes how you use PHI and what rights patients have. Required by 45 CFR § 164.520.

You need both. SimplePractice provides the BAA; you provide the NPP. See NPP vs. BAA — what's the difference.

What You Still Need if You Use SimplePractice

Assuming you are a HIPAA covered entity (most SimplePractice users are — you're a covered entity any time you submit insurance claims electronically), you still need to produce and maintain:

• A Notice of Privacy Practices compliant with 45 CFR § 164.520 and aligned to the HHS February 2026 revised model
• An acknowledgment-of-receipt process for each new client (SimplePractice can collect this via its intake document system)
• A public posting of the NPP on your practice website (SimplePractice's client portal is not sufficient — you must post on your public practice site too)
• A physical posting of the NPP at your office (or on your sign if you're in a shared office)
• BAAs with every other business associate that handles PHI — email marketing tools, scheduling apps, cloud storage, billing services, telehealth platforms (SimplePractice's BAA only covers SimplePractice)
• A process to update the NPP when a material change occurs (new Privacy Officer, new uses, new federal regulation — like the February 2026 HHS model)

How to Add an NPP to Your SimplePractice Intake

Once you have a compliant NPP PDF, you can upload it to SimplePractice as a custom intake document and have new clients acknowledge receipt electronically before their first session. The steps are:

1. Generate your NPP PDF (SimplePractice does not offer this — use a tool like NPP Generator or draft from the HHS model)
2. In SimplePractice, go to Settings → Client Portal → Shared Documents and upload the PDF
3. Configure the intake packet to include the NPP as a required-view document with an acknowledgment checkbox
4. Post the same NPP on your public practice website (outside of SimplePractice's client portal)
5. Post a printed copy at your physical office

Frequently Asked Questions

Does TherapyNotes provide an NPP?

No. Like SimplePractice, TherapyNotes is an EHR — it signs a BAA and hosts PHI compliantly, but does not produce a HIPAA-compliant Notice of Privacy Practices. The NPP is the practice's responsibility regardless of which EHR you use.

Does the SimplePractice client portal count as "posting the NPP on my website"?

No. The HIPAA requirement is to post the NPP on the practice's public website — the site that prospective patients can find before becoming clients. SimplePractice's client portal is gated behind login and is not a substitute. See NPP website posting requirements.

What's the cheapest compliant way to get an NPP if I use SimplePractice?

The HHS model notices are free and can be adapted manually — but they require you to fill in practice-specific fields (entity name, Privacy Officer, website, effective date) and add Part 2 SUD language if applicable. Tools like NPP Generator take the HHS model, capture your practice information via a guided intake, and produce a formatted PDF and editable Word file for $49 — one-time, no subscription. Attorney-drafted NPPs typically run $500–$2,500.

If I use SimplePractice for psychotherapy notes, do I still need NPP language about them?

Yes. The NPP must disclose that psychotherapy notes receive extra protection and that most uses require a separate written authorization. See NPP for therapists for the psychotherapy-notes section specifics.