
NPP for Onsite Employer Clinics

By NPP Generator Research Team  ·  Published Apr 25, 2026  ·  Last reviewed Apr 28, 2026  ·  6 min read

Quick answer: Onsite employer clinics may or may not be HIPAA covered entities depending on whether they bill insurance electronically. If they bill insurance electronically (most do), they're covered entities and need an NPP. The unique feature is the strict separation between the clinic-as-covered-entity and the employer-as-employer — even though the employer is the clinic's parent organization.

Onsite employer clinics — staffed by physicians, NPs, or RNs at company facilities — sit at an interesting HIPAA junction. They typically provide primary care, occupational-health services, and wellness programs. They're often operated by the employer (or a vendor on the employer's behalf), and the relationship to the employer-as-employer is what creates HIPAA complexity.

Related resources: for broader employer-side HIPAA context, see ComplyCreate's guide to covered entities.

Is the employer clinic a HIPAA covered entity?

Most onsite employer clinics provide healthcare services, so the covered-entity question turns on the standard-transaction test: does the clinic electronically transmit health information for billing, eligibility, or claims-status purposes? If it does, it is a covered entity.

Employer-employee data separation

The most important HIPAA concept for employer clinics: the clinic and the employer are separate entities for HIPAA purposes, even when the employer owns the clinic. The clinic's PHI cannot flow to the employer-as-employer without specific HIPAA authorization (or a narrow exception for de-identified or aggregate data).

ADA, FMLA, GINA: non-HIPAA overlay

Employer clinics also handle ADA accommodations, FMLA leave certifications, and GINA-protected genetic information. These are not HIPAA-protected but have their own confidentiality rules.

Mandatory NPP content for employer clinics

If the clinic is HIPAA-covered, the NPP needs:

Distribution at the employer clinic

Provide the NPP at the first encounter (each new clinic patient acknowledges receipt). Post it on the clinic's public-facing materials and on the employer's clinic-specific webpage, and post it visibly at the clinic site.

How this fits with the HHS February 2026 revised model

The HHS February 2026 final rule revised the NPP model and clarified several content requirements. Practices issuing or updating an NPP after February 16, 2026 should align to the new model. Key changes that affect every NPP regardless of specialty include: the addition of mandatory language describing the practice's safeguards against unauthorized AI-driven uses of PHI; updated breach-notification language reflecting Cures Act information-blocking interactions; refined Right of Access language describing electronic-format options; and updated language around marketing communications.

For practices that updated to the HHS Feb 2026 model upon publication, no further regulatory NPP work is required until the next material change. Practices still on pre-February-2026 templates should update before their next material-change cycle to avoid drift.

Common implementation pitfalls

Across audits and routine compliance reviews, several specific implementation pitfalls recur:

Audit-readiness considerations

When OCR or a state regulator audits, the NPP review typically asks for:

Quick reference checklist

When producing or updating an NPP, work through this checklist:

How NPP Generator helps

Producing a HIPAA-compliant Notice of Privacy Practices from scratch — even with the HHS February 2026 model as a starting point — typically takes a few hours of attention to entity-specific details: practice name, locations, Privacy Officer, vendor relationships, state-specific overlays, sensitive-record categories, communication preferences, and effective-date management.

NPP Generator's tool walks through a guided intake, captures the practice-specific information, and produces a formatted PDF and editable Word document aligned to the HHS February 2026 model in about five minutes. The tool also handles state-specific overlay language for the major state-law regimes and produces a current-effective-date document ready for distribution. For practices that need state-specific overlay (Texas HB300, Illinois MHDDC, California CMIA/CCPA, etc.), the tool's state-handler ensures the right elevated-protection language appears in your final document.

About state-law and federal preemption

HIPAA establishes a federal floor for health-information privacy. State laws are not preempted where they are more protective of patient privacy than HIPAA — that's the basic preemption rule under 45 CFR § 160.203. The interaction can be subtle: a state law may be stricter on a specific topic (HIV records, mental-health records, genetic information) without being globally stricter than HIPAA. The NPP must reflect the stricter rule wherever it applies. Practices serving patients in multiple states often issue a single NPP that incorporates the strictest applicable rules across those states; multi-state organizations sometimes use state-specific NPP versions for clarity. For organizations subject to specific federal regimes beyond HIPAA — 42 CFR Part 2 for SUD, FERPA for educational records, Title X for federally-funded family-planning services — the NPP should describe how those regimes interact with HIPAA's framework.

Further reading

For more on the topics covered here:


Frequently Asked Questions

If the employer clinic doesn't bill insurance, is it still HIPAA-covered?
Possibly not. Without electronic standard transactions, the clinic may not meet HIPAA's covered-entity threshold. But the clinic is still bound by ADA, FMLA, GINA, OSHA, and state laws — all with their own confidentiality requirements.
Can the employer access the clinic's medical records?
Generally no — not without specific HIPAA authorization. The clinic and the employer are separate HIPAA entities even when the employer owns the clinic. Aggregate de-identified data is permissible; individual PHI is not.
What about the group-health-plan side?
If the employer self-funds a health plan, that plan is a separate HIPAA covered entity from the clinic. The plan has its own NPP. Information flows between plan and clinic require the standard treatment, payment, and operations exceptions or authorization.
How do workers' comp records fit?
Workers' comp generally has its own state-specific privacy framework that overlays or substitutes for HIPAA in occupational-injury contexts. The NPP should describe how workers'-comp records are handled.
Is a wellness program subject to HIPAA?
Depends on structure. If the wellness program is part of a HIPAA-covered group health plan, yes. If it's a standalone employer wellness program with no health-plan integration, generally no — but ADA and other rules apply.