HHS Model NPP 2026 — Section-by-Section Walkthrough
A plain-language walkthrough of the HHS February 2026 revised model Notice of Privacy Practices, including the new Part 2 SUD language additions.
By NPP Generator Research Team · Published Feb 20, 2026 · Last reviewed Apr 23, 2026
The two model notices
HHS publishes two model Notices of Privacy Practices: one for direct-treatment providers (hospitals, clinics, physicians, dentists, therapists) and one for health plans. The February 2026 revisions apply to both but differ in the specific clause content. This walkthrough covers the direct-treatment provider model in detail; health plan differences are noted at the end.
Section 1: Header
Contains the entity name, address, phone, website, and effective date. Below these sits the verbatim warning: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." This exact language is required by § 164.520(b)(1)(i)(B).
Section 2: Uses and disclosures for TPO
Treatment, Payment, and Health Care Operations — the three core permitted uses under § 164.506. For each, the model includes a short description and examples so patients understand what is happening. No authorization is required for TPO uses.
Section 3: Permitted without authorization
The § 164.512 catalog: public health activities, victims of abuse, health oversight, judicial proceedings with court orders, law enforcement (narrow conditions), coroners and funeral directors, organ donation, research under IRB approval, serious threat to health or safety, military and veterans affairs, national security, workers' compensation.
Section 4: Part 2 integration (if applicable)
New in the 2026 revision. For entities subject to 42 CFR Part 2, this section explains the additional written-consent requirement, redisclosure prohibition, and court-order protection. The 2024 Part 2 Final Rule permits integrating this language into the HIPAA NPP.
Section 5: Authorization-required
Explicitly states that psychotherapy notes, marketing, sale of PHI, and all other uses not described require separate written authorization. Patients may revoke authorization in writing.
Section 6: Individual rights
Seven rights, each with a short description: restrictions, confidential communications, inspect and copy (including electronic copies), amendment, accounting of disclosures, paper copy of notice, breach notification.
Section 7: Our duties
The entity's legal duties: maintain privacy, provide notice, follow terms, notify of breach. Reserves the right to change the notice on material change with redistribution obligations.
Section 8: Complaints
Two complaint paths: (a) internal to the Privacy Officer; (b) external to HHS OCR (with full address and phone). Explicit non-retaliation statement required.
Section 9: Contact + acknowledgment
Privacy Officer contact information restated at the bottom. For direct-treatment providers only, an acknowledgment-of-receipt signature block.
Health plan differences
Health plan NPPs replace "treatment" TPO with enrollment/underwriting, and add an explicit genetic-information-nondiscrimination clause (GINA). No acknowledgment requirement. Distribution is at enrollment plus every-3-years reminder.