Does SimplePractice Provide a Notice of Privacy Practices?
By NPP Generator Research Team · Published Apr 23, 2026 · Last reviewed Apr 23, 2026 · 5 min read
Key Takeaways
- ✓ SimplePractice does not produce a HIPAA-compliant Notice of Privacy Practices for your practice
- ✓ SimplePractice does sign a BAA on Professional and higher plans — but that is a vendor contract, not a patient-facing notice
- ✓ SimplePractice's practice-policies templates are informed-consent documents, not a 45 CFR § 164.520 NPP
- ✓ The NPP obligation is the covered entity's — regardless of which EHR you use
- ✓ You can upload your NPP to SimplePractice as a shared intake document, but you still have to produce the NPP yourself
SimplePractice is the dominant EHR for solo and small-group mental health practices — therapists, LCSWs, psychologists, counselors. One of the most common assumptions among new SimplePractice users is that the platform's HIPAA-compliant infrastructure extends to the patient-facing HIPAA documents, including the Notice of Privacy Practices. It does not.
What SimplePractice Does Provide
SimplePractice provides a stack of HIPAA-compliant infrastructure and templates, but none of them are a Notice of Privacy Practices:
- Business Associate Agreement (BAA). On Professional and higher plans, SimplePractice executes a BAA during onboarding. This is a legal contract between SimplePractice and your practice governing how SimplePractice handles PHI.
- HIPAA-compliant infrastructure. Encrypted data at rest and in transit, audit logs, role-based access controls, secure messaging, and HIPAA-compliant telehealth video.
- Practice-policies and informed-consent templates. Generic templates for fees, cancellation policies, scope of practice, and therapist-client agreement. These can be included in client intake packets and signed electronically.
- Document upload for intake. You can upload your own NPP as a PDF and have it signed (acknowledged) electronically at intake — but SimplePractice does not generate the NPP for you.
Why SimplePractice's Templates Aren't an NPP
Practice-policies documents and Notices of Privacy Practices serve different purposes. A practice-policies document is a commercial/practice-management document covering things like:
- Session fees and payment policies
- Cancellation and no-show policies
- Scope of practice and boundaries
- Emergency contact procedures
- Between-session contact rules
An NPP is a regulatory document with prescribed mandatory content under 45 CFR § 164.520(b):
- The HHS-prescribed header statement ("THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED...")
- Permitted uses and disclosures of PHI with examples
- Uses requiring patient authorization (marketing, sale of PHI, psychotherapy notes)
- All individual rights under HIPAA (access, amendment, accounting, restriction, confidential communications, paper copy, breach notification)
- Entity duties to safeguard PHI
- Complaint procedures (internal and to HHS OCR)
- Privacy Officer contact information
- Effective date
Practice-policies and NPP cover different domains. You need both — and they are not interchangeable. See "What is a Notice of Privacy Practices" for the full content requirements.
Does the SimplePractice BAA Replace the NPP?
No. A BAA and an NPP are two different HIPAA instruments:
- A BAA is a vendor contract. It runs between your practice (the covered entity) and SimplePractice (the business associate). It binds SimplePractice to HIPAA obligations. Required by 45 CFR § 164.504(e).
- An NPP is a patient-facing notice. It runs from your practice to each patient. It describes how you use PHI and what rights patients have. Required by 45 CFR § 164.520.
You need both. SimplePractice provides the BAA; you provide the NPP. See "NPP vs. BAA — what's the difference".
What You Still Need if You Use SimplePractice
Assuming you are a HIPAA covered entity (most SimplePractice users are — you're a covered entity any time you submit insurance claims electronically), you still need to produce and maintain:
- A Notice of Privacy Practices compliant with 45 CFR § 164.520 and aligned to the HHS February 2026 revised model
- An acknowledgment-of-receipt process for each new client (SimplePractice can collect this via its intake document system)
- A public posting of the NPP on your practice website (SimplePractice's client portal is not sufficient — you must post on your public practice site too)
- A physical posting of the NPP at your office (or on your sign if you're in a shared office)
- BAAs with every other business associate that handles PHI — email marketing tools, scheduling apps, cloud storage, billing services, telehealth platforms (SimplePractice's BAA only covers SimplePractice)
- A process to update the NPP when a material change occurs (new Privacy Officer, new uses, new federal regulation — like the February 2026 HHS model)
How to Add an NPP to Your SimplePractice Intake
Once you have a compliant NPP PDF, you can upload it to SimplePractice as a custom intake document and have new clients acknowledge receipt electronically before their first session. The steps are:
- Generate your NPP PDF (SimplePractice does not offer this — use a tool like NPP Generator or draft from the HHS model)
- In SimplePractice, go to Settings → Client Portal → Shared Documents and upload the PDF
- Configure the intake packet to include the NPP as a required-view document with an acknowledgment checkbox
- Post the same NPP on your public practice website (outside of SimplePractice's client portal)
- Post a printed copy at your physical office
Frequently Asked Questions
Does TherapyNotes provide an NPP?
No. Like SimplePractice, TherapyNotes is an EHR — it signs a BAA and hosts PHI compliantly, but does not produce a HIPAA-compliant Notice of Privacy Practices. The NPP is the practice's responsibility regardless of which EHR you use.
Does the SimplePractice client portal count as "posting the NPP on my website"?
No. The HIPAA requirement is to post the NPP on the practice's public website — the site that prospective patients can find before becoming clients. SimplePractice's client portal is gated behind login and is not a substitute. See "NPP website posting requirements".
What's the cheapest compliant way to get an NPP if I use SimplePractice?
The HHS model notices are free and can be adapted manually — but they require you to fill in practice-specific fields (entity name, Privacy Officer, website, effective date) and add Part 2 SUD language if applicable. Tools like NPP Generator take the HHS model, capture your practice information via a guided intake, and produce a formatted PDF and editable Word file for $49 — one-time, no subscription. Attorney-drafted NPPs typically run $500–$2,500.
If I use SimplePractice for psychotherapy notes, do I still need NPP language about them?
Yes. The NPP must disclose that psychotherapy notes receive extra protection and that most uses require a separate written authorization. See "NPP for therapists" for the psychotherapy-notes section specifics.