NPP Acknowledgment of Receipt: What the Rule Actually Requires

The HIPAA Privacy Rule requires a good-faith attempt to obtain written acknowledgment of receipt for direct-treatment providers. Here's what that means in practice.

Family resources. For the foundational privacy-rule context, see ComplyCreate's HIPAA Privacy/Security/Breach Rules guide.

By NPP Generator Research Team · Published Mar 1, 2026 · Last reviewed Apr 28, 2026 · 2 min read

Need to update your NPP?

Update → Generate new →

The good-faith-effort rule

45 CFR § 164.520(c)(2)(ii) applies to direct-treatment providers only. It requires the provider to make a "good-faith effort" to obtain from each new patient a written acknowledgment that the patient received a copy of the NPP. If the provider cannot obtain the acknowledgment, it must document the good-faith effort and the reason it was not obtained.

What "good-faith effort" means in practice

At intake, the front-desk presents the NPP and asks the patient to sign an acknowledgment that they received it. The acknowledgment is a short stand-alone form — usually one paragraph. The patient can:

Sign it and return it — the most common path
Refuse to sign — the provider documents the refusal and proceeds with treatment
Be unable to sign (e.g., emergency) — the provider documents the circumstance and follows up later if possible

Who does NOT need to obtain acknowledgment

Health plans and healthcare clearinghouses are not subject to § 164.520(c)(2)(ii). They must distribute the NPP to enrollees but do not need individual signed acknowledgments. Part-2-only programs (without HIPAA status) also do not have a HIPAA acknowledgment requirement, though Part 2 has its own patient-notice rules.

Electronic acknowledgment

For telehealth-only practices and patient portals, an electronic acknowledgment (checkbox, e-signature) satisfies the requirement as long as the acknowledgment is attributable to the patient and captures the date. Many EHR systems build this into the intake workflow.

What counts as "failure to acknowledge"

Simple patient refusal does not prevent treatment and does not create a compliance problem — as long as you document the refusal. A pattern of never attempting acknowledgment, or missing acknowledgments without documented reason, does create a problem. OCR has cited practices where acknowledgments are missing with no documented good-faith effort.

Generate a compliant NPP in 5 minutes

HHS Feb 2026 model · Part 2 SUD language · Section 1557 taglines · whether you're updating or starting fresh.

Update my existing NPP → Generate a new NPP →

No subscription · PDF + Word · Free watermarked preview · See sample →

First-time question? See if your practice actually needs an NPP: Does my practice need a Notice of Privacy Practices? →

Related: NPP compliance & rules

2026 requirements HHS model walkthrough Website posting Effective vs supersede date When to update Material change notice State law overlays