How to Handle Your NPP After a Merger or Acquisition
NPP Generator Research Team · April 25, 2026 · 6 min read
Key Takeaways
- ✓ An acquisition almost always triggers a material change requiring a new NPP
- ✓ The new NPP should be effective on or near the closing date
- ✓ Existing patients must receive the revised NPP and it must be posted on the website
- ✓ In an asset purchase, the buyer issues its own NPP — the seller's NPP does not carry over
- ✓ Due diligence should include a review of the target practice's NPP compliance history
Practice acquisitions — whether an asset purchase, stock purchase, or merger — almost always trigger HIPAA Notice of Privacy Practices obligations. The identity of the covered entity changes, the Privacy Officer changes, and the privacy practices themselves may change. Each of these is a material change requiring an updated NPP.
Why acquisitions trigger NPP updates
A material change to your privacy practices or to the information in your NPP triggers the requirement to revise and redistribute. An acquisition almost always changes at least one of these:
- The covered entity's identity — a different legal entity now operates the practice
- The Privacy Officer — the acquiring entity appoints its own Privacy Officer with different contact information
- How PHI may be used — the acquiring entity may have different healthcare operations, may share PHI within a different affiliated covered entity arrangement, or may have different third-party vendors
- Complaint procedures — the HHS OCR contact for complaints may remain the same, but internal complaint routing will change
Even in a "clean" acquisition where nothing operationally changes, the legal entity name and Privacy Officer information on the NPP will need to be updated.
Asset purchase vs. stock purchase vs. merger
| Transaction type | Covered entity change? | NPP obligation |
|---|---|---|
| Asset purchase | Yes — buyer is a new covered entity | Buyer issues new NPP effective on closing date |
| Stock purchase (ownership change) | Often no — same legal entity, new owners | Update NPP if Privacy Officer, contact info, or practices change |
| Merger (entities combine) | Yes — new merged entity | New merged entity issues a single NPP for the combined operation |
| Affiliation (no ownership change) | No | Update NPP only if practices or Privacy Officer change |
Timing: when does the new NPP take effect?
Best practice is to have the new NPP ready to distribute on the closing date. The effective date on the NPP should be the closing date or the first date of integrated operations under the acquiring entity.
- Pre-closing: Prepare the draft NPP during due diligence so it's ready to issue on Day 1
- On closing: Begin distributing the new NPP to all new patients from the closing date forward
- Post-closing (existing patients): Provide the revised NPP to existing patients who have an ongoing treatment relationship — typically on their next visit or via patient portal/mail
- Website: Update the posted NPP on the website on the closing date or as soon as practicable
NPP due diligence checklist
When acquiring a practice, include NPP review in your HIPAA due diligence:
- Is the target's NPP based on the current HHS model (February 2026)?
- Was the NPP distributed to all patients at first service? Are acknowledgment records maintained?
- Is the NPP posted on the target's website prominently?
- Has the target issued any material change notices in recent years?
- Are there any pending patient complaints or OCR investigations related to the NPP?
Acquired NPP compliance gaps become the buyer's risk at closing. Identifying them pre-closing gives you time to assess the exposure and potentially negotiate representations and indemnification in the acquisition agreement.
What to include in the new NPP
The new NPP should include:
- The acquiring entity's legal name and address
- The new Privacy Officer's name and contact information
- If replacing a prior NPP: a supersede statement (e.g., "This Notice supersedes all prior versions effective [closing date]")
- All other required HIPAA NPP content per the HHS February 2026 model
Quick answer
In an asset purchase or merger, issue a new NPP effective on the closing date under the acquiring entity's name. Distribute to existing patients on or after closing. In a stock purchase where the legal entity doesn't change, update the NPP only if the Privacy Officer or practices change.
Generate a new NPP for your acquired practice.
NPP Generator produces an HHS February 2026 compliant NPP as a clean PDF and editable Word document — ready on Day 1 of your acquisition close. $49 one-time, no subscription.
Generate your NPP — $49Free watermarked preview available. See sample →
Frequently Asked Questions
Does a practice acquisition require issuing a new NPP?▼
In most cases yes. Asset purchases and mergers create a new covered entity that must issue its own NPP. Stock purchases that leave the legal entity intact may only require updating the NPP if the Privacy Officer or practices change.
Does the buyer need to notify existing patients after an acquisition?▼
Yes. The revised NPP must be provided to existing patients with an ongoing treatment relationship. This can be done at the next visit, by mail, or via patient portal. The revised NPP must also be posted on the website promptly.
Can the buyer use the seller's existing NPP after closing?▼
Only in a stock purchase where the legal entity is unchanged and no material terms of the NPP need to change. In an asset purchase, the buyer is a different covered entity and cannot rely on the seller's NPP.
What's the supersede statement in an NPP?▼
A supersede statement clarifies when the new NPP takes effect and that it replaces prior versions. Example: "This Notice of Privacy Practices supersedes all prior versions and is effective [closing date]." This helps avoid confusion if patients have an older NPP on file.