NPP Acknowledgment of Receipt — What the Rule Actually Requires
The HIPAA Privacy Rule requires a good-faith attempt to obtain written acknowledgment of receipt for direct-treatment providers. Here's what that means in practice.
By NPP Generator Research Team · Published Mar 1, 2026 · Last reviewed Apr 23, 2026
The good-faith-effort rule
45 CFR § 164.520(c)(2)(ii) applies to direct-treatment providers only. It requires the provider to make a "good-faith effort" to obtain from each new patient a written acknowledgment that the patient received a copy of the NPP. If the provider cannot obtain the acknowledgment, it must document the good-faith effort and the reason it was not obtained.
What "good-faith effort" means in practice
At intake, the front-desk presents the NPP and asks the patient to sign an acknowledgment that they received it. The acknowledgment is a short stand-alone form — usually one paragraph. The patient can:
- Sign it and return it — the most common path
- Refuse to sign — the provider documents the refusal and proceeds with treatment
- Be unable to sign (e.g., emergency) — the provider documents the circumstance and follows up later if possible
Who does NOT need to obtain acknowledgment
Health plans and healthcare clearinghouses are not subject to § 164.520(c)(2)(ii). They must distribute the NPP to enrollees but do not need individual signed acknowledgments. Part-2-only programs (without HIPAA status) also do not have a HIPAA acknowledgment requirement, though Part 2 has its own patient-notice rules.
Electronic acknowledgment
For telehealth-only practices and patient portals, an electronic acknowledgment (checkbox, e-signature) satisfies the requirement as long as the acknowledgment is attributable to the patient and captures the date. Many EHR systems build this into the intake workflow.
What counts as "failure to acknowledge"
Simple patient refusal does not prevent treatment and does not create a compliance problem — as long as you document the refusal. A pattern of never attempting acknowledgment, or missing acknowledgments without documented reason, does create a problem. OCR has cited practices where acknowledgments are missing with no documented good-faith effort.
Generate your NPP in under 5 minutes
Answer a few questions and download a HIPAA-compliant Notice of Privacy Practices based on the HHS February 2026 revised model.
Start your NPP — $49First-time question? See if your practice actually needs an NPP: Does my practice need a Notice of Privacy Practices? →