Do I need a separate Baker Act notice?

No, but if your practice handles Baker Act records, the NPP should explicitly reference Chapter 394 F.S. and note that mental-health records receive elevated state-law protection. Some Florida mental-health practices also distribute a separate confidentiality statement.

How does Florida treat minors' mental-health consent?

Florida Chapter 394 allows minors 13 and older to consent to outpatient mental-health treatment under specific conditions. The NPP should describe how parental access to those records is handled — generally, the parent's HIPAA-personal-representative right is restricted in those scenarios.

Is a Florida HIV-test authorization the same as a HIPAA authorization?

Functionally similar but separately required. A HIPAA authorization satisfying 45 CFR § 164.508 covers the disclosure under federal law; Florida § 381.004 has additional content requirements. Most practices use a single combined authorization document that satisfies both.

Does Florida law affect distribution timing for the NPP?

No. HIPAA's first-encounter delivery rule applies. Florida adds no additional timing requirement, but Florida's Patient's Bill of Rights notice (separate document) is also typically distributed at first encounter.

What about Florida's own data-breach notification?

Florida's Information Protection Act (§ 501.171 F.S.) requires notification to affected Floridians within 30 days of breach determination — stricter than HIPAA's 60-day window. Multi-state breaches require coordination of both federal HIPAA notification and Florida's specific obligations.

State-Specific

Florida NPP Requirements: What HIPAA Plus Florida Law Requires

By NPP Generator Research Team · Published Apr 25, 2026 · Last reviewed Apr 28, 2026 · 7 min read

Need to update your NPP?

Update → Generate new →

Quick answer: Florida HIPAA covered entities follow HIPAA's NPP rules plus Florida-specific provisions for mental-health records (Baker Act), substance use treatment (Marchman Act), and patient access. Florida law restricts disclosure of certain mental-health and SUD records beyond HIPAA's baseline. The NPP should reflect these Florida-specific restrictions and the practice's complaint procedures.

Florida doesn't have a single comprehensive medical-records privacy statute analogous to Texas's HB300, but it has a patchwork of provisions covering mental-health records (Baker Act), substance-use treatment (Marchman Act), HIV records, genetic testing, minor consent, and the Florida Patient's Bill of Rights. Florida's interaction with HIPAA shows up most often in the mental-health and SUD treatment context.

Family resources. For the canonical state-vs-federal overlay, see ComplyCreate's HIPAA vs state privacy laws guide.

Florida Baker Act: mental-health record disclosure

The Florida Mental Health Act (Baker Act, Chapter 394 F.S.) governs involuntary mental-health examinations and treatment. Records related to Baker Act actions receive elevated protection: disclosure typically requires the patient's written consent or a specific statutory exception (court order, qualified personnel, etc.).

Florida practices that handle Baker Act records — mental-health professionals, hospitals, crisis stabilization units — should reflect this in the NPP by noting that mental-health records covered by Chapter 394 receive additional state-law protection beyond HIPAA, and that disclosure typically requires authorization.

Marchman Act: substance use disclosure

The Hal S. Marchman Alcohol and Other Drug Services Act (Chapter 397 F.S.) governs substance-abuse treatment in Florida. Marchman Act records are subject to state confidentiality protections that pair with the federal 42 CFR Part 2 rules for substance-use treatment programs.

If your practice provides SUD treatment, the NPP must include 42 CFR Part 2 language (already required federally as of the February 2026 final rule) plus a reference to Florida's Chapter 397. Both regimes restrict re-disclosure and require specific authorization formats.

Florida HIV record protections

Section 381.004 F.S. establishes that HIV testing and test results receive elevated protection — disclosure generally requires written authorization unless an exception applies (treatment, public health, etc.). The NPP should disclose this elevated protection and reference the authorization requirement for HIV-related disclosures.

Florida Patient's Bill of Rights

Section 381.026 F.S. establishes the Patient's Bill of Rights and Responsibilities. While much of this overlaps with HIPAA's individual-rights provisions, two Florida-specific items belong in the NPP:

Patients have a right to access their medical records and a copy upon written request. HIPAA requires this; Florida echoes it. The NPP should state both the HIPAA Right of Access (within 30 days) and Florida's parallel right.
Patients have a right to know the identity and professional status of caregivers. This is a notice item that some Florida practices choose to highlight in the NPP, though it's not strictly mandated to be in the NPP.

Cross-state telehealth and snowbird patients

Florida's seasonal population means many practices serve patients who are residents of other states for part of the year. The general rule: the patient's state of residence controls which stricter law applies. A New York resident receiving care in a Florida practice is protected by NY SHIELD plus HIPAA plus any Florida rules that apply because the encounter is in Florida. Your NPP should describe how the practice handles cross-state patients without claiming a single state's law uniformly applies.

For telehealth providers serving Florida patients from out of state, the Florida statutes generally apply to the Florida-resident patient's records.

Putting it all together

A Florida-compliant NPP includes the standard HIPAA content plus elevated-protection callouts for mental-health, SUD, HIV, and genetic information. Distribution and posting follow HIPAA: first-visit delivery, public website posting, physical office posting. Update on material change and re-acknowledge.

How this fits with the HHS February 2026 revised model

The HHS February 2026 final rule revised the NPP model and clarified several content requirements. Practices issuing or updating an NPP after February 16, 2026 should align to the new model. Key changes that affect every NPP regardless of specialty include: the addition of mandatory language describing the practice's safeguards against unauthorized AI-driven uses of PHI; updated breach-notification language reflecting Cures Act information-blocking interactions; refined Right of Access language describing electronic-format options; and updated language around marketing communications.

For practices that updated to the HHS Feb 2026 model upon publication, no further regulatory NPP work is required until the next material change. Practices still on pre-February-2026 templates should update before their next material-change cycle to avoid drift.

Common implementation pitfalls

Across audits and routine compliance reviews, several specific implementation pitfalls recur:

Privacy Officer drift. The named Privacy Officer leaves or moves to a different role; the NPP isn't updated.
Acknowledgment-form mismatch. The acknowledgment form references an outdated NPP version. The form should always reference the current effective date.
Multi-site inconsistency. Multi-location practices inadvertently use slightly different NPPs at different sites. Standardize on a single document.
Translation drift. Practices providing Spanish or other-language NPPs sometimes update one language and not the other. Maintain version parity.
Vendor-relationship update lag. When the practice adds or removes a major vendor relationship, the NPP isn't updated to reflect the new data flow until much later.

Audit-readiness considerations

When OCR or a state regulator audits, the NPP review typically asks for:

Current NPP version with effective date
Sample acknowledgment forms from the past 12 months
Documentation of distribution process (front-desk procedure, telehealth workflow)
Evidence of website posting (URL of public-facing NPP page)
Evidence of physical posting (typically a photograph of the lobby posting)
Documentation of material changes and re-distribution events
Privacy Officer contact and complaint-log
Training records (HIPAA-required workforce training, plus any state-specific requirements)

Quick reference checklist

When producing or updating an NPP, work through this checklist:

Identify the legal covered entity. One NPP per legal entity. If you have multiple legal entities, you need multiple NPPs.
List all clinical locations covered by this entity, including any virtual-only telehealth presence
Confirm the Privacy Officer. Name, title, contact information. Update when this person changes.
Inventory uses and disclosures. What data flows happen in your practice? Each major flow should be reflected in the NPP's permitted-use section.
Confirm authorization-required disclosures. Marketing, sale of PHI, psychotherapy notes, and any state-specific authorization-required categories.
Verify HIPAA-required content. Header statement, all eight individual rights, entity duties, complaint procedures, breach notification rights, paper-copy availability.
Add state-law overlay. If your state has additional protection (mental health, HIV, genetic, biometric), reflect it in the NPP.
Set effective date and last-revised date. Both should be current and visible.
Distribution mechanics. First-encounter delivery, website posting, physical posting, electronic availability, multi-language versions if applicable.

How NPP Generator helps

Producing a HIPAA-compliant Notice of Privacy Practices from scratch — even with the HHS February 2026 model as a starting point — typically takes a few hours of attention to entity-specific details: practice name, locations, Privacy Officer, vendor relationships, state-specific overlays, sensitive-record categories, communication preferences, and effective-date management.

NPP Generator's tool walks through a guided intake, captures the practice-specific information, and produces a formatted PDF and editable Word document aligned to the HHS February 2026 model in about five minutes. The tool also handles state-specific overlay language for the major state-law regimes and produces a current-effective-date document ready for distribution. For practices that need state-specific overlay (Texas HB300, Illinois MHDDC, California CMIA/CCPA, etc.), the tool's state-handler ensures the right elevated-protection language appears in your final document.

About state-law and federal preemption

HIPAA establishes a federal floor for health-information privacy. State laws are not preempted where they are more protective of patient privacy than HIPAA — that's the basic preemption rule under 45 CFR § 160.203. The interaction can be subtle: a state law may be stricter on a specific topic (HIV records, mental-health records, genetic information) without being globally stricter than HIPAA. The NPP must reflect the stricter rule wherever it applies. Practices serving patients in multiple states often issue a single NPP that incorporates the strictest applicable rules across those states; multi-state organizations sometimes use state-specific NPP versions for clarity. For organizations subject to specific federal regimes beyond HIPAA — 42 CFR Part 2 for SUD, FERPA for educational records, Title X for federally-funded family-planning services — the NPP should describe how those regimes interact with HIPAA's framework.

More state-specific NPP guides

NPP for California NPP for Massachusetts NPP for New York NPP for Georgia NPP for Illinois NPP for New Jersey NPP for Pennsylvania NPP for Texas NPP for Washington

Generate a compliant NPP in 5 minutes

HHS Feb 2026 model · Part 2 SUD language · Section 1557 taglines · whether you're updating or starting fresh.

Update my existing NPP → Generate a new NPP →

No subscription · PDF + Word · Free watermarked preview · See sample →

Related: State-specific NPP guides

Georgia Illinois New Jersey Pennsylvania Texas Washington