NPP Incorrect After Mergers and Acquisitions

By NPP Generator Research Team  ·  Published Apr 25, 2026  ·  Last reviewed Apr 28, 2026  ·  7 min read

Healthcare M&A — practice acquisitions, hospital-system consolidations, PE rollups, MSO arrangements — creates NPP-update obligations that often slip through the cracks. The acquiring entity inherits NPP-update obligations on day one of the transaction.

When M&A triggers an NPP update

Several M&A scenarios materially affect the NPP and trigger update obligations:

• Asset acquisition. Acquiring practice continues operations under a new entity. The new entity's NPP applies — the old practice's NPP doesn't transfer.
• Stock/equity acquisition. The acquired entity continues, but with new ownership. Material changes in uses (new vendor relationships, new locations) require NPP update.
• Merger. Two entities combine. The combined entity's NPP must reflect the new structure.
• MSO/Management contract. Practice signs an MSO arrangement that materially changes data flows. NPP must reflect MSO data flows.
• Multi-location addition. Acquiring entity adds new locations. The single-entity NPP must list new locations or each location must have its own.

Common post-M&A NPP failures

OCR has cited:

• Outdated entity name. The post-merger NPP references the old practice name. The patient acknowledgment captures the old name. The website posting shows the old name. All of this is wrong on day one of the new entity.
• Missing acquired locations. The NPP lists pre-acquisition locations only. New locations from the acquisition aren't reflected.
• Missing acquired vendor relationships. Acquiring entity inherits vendor relationships (EHR, billing, telehealth) that the original NPP didn't describe. The combined data flows aren't covered.
• Outdated Privacy Officer contact. The Privacy Officer named in the NPP has left or been reassigned. Patient complaints can't reach the right person.
• Stale effective date. The NPP shows an effective date predating the acquisition, raising questions about whether it's been updated.

Day-one M&A obligations

Within 30-60 days of acquisition close, the new entity should:

1. Inventory and update the NPP — entity name, locations, Privacy Officer, vendor data flows
2. Post the updated NPP on the new entity's website
3. Re-distribute the updated NPP at all clinical locations (new patients during the transition period acknowledge the new NPP)
4. Re-establish or transfer all BAAs to the new entity (acquired BAAs may not automatically apply post-merger)
5. Update internal training and acknowledgment workflows

BAA inventory post-M&A

Acquired BAAs don't automatically apply to the new entity. Common scenarios:

• Original BAA with vendor X named the original practice as the covered entity
• Post-merger, the new entity is contracting with vendor X — but the original BAA may not cover the new entity
• Best practice: re-execute or amend the BAA naming the new covered entity
• Some BAAs include automatic-assignment clauses that handle this; many don't

Typical OCR findings in post-M&A settlements

When OCR investigates post-M&A practices, common findings:

• NPP not updated within reasonable time of acquisition (often 6+ months later)
• BAAs not transferred or re-executed (vendors operating without valid BAA in the new entity)
• Missing vendor relationships in the NPP
• Privacy Officer contact stale
• Acquisition documentation incomplete for HIPAA-related obligations

How this fits with the HHS February 2026 revised model

The HHS February 2026 final rule revised the NPP model and clarified several content requirements. Practices issuing or updating an NPP after February 16, 2026 should align to the new model. Key changes that affect every NPP regardless of specialty include: the addition of mandatory language describing the practice's safeguards against unauthorized AI-driven uses of PHI; updated breach-notification language reflecting Cures Act information-blocking interactions; refined Right of Access language describing electronic-format options; and updated language around marketing communications.

For practices that updated to the HHS Feb 2026 model upon publication, no further regulatory NPP work is required until the next material change. Practices still on pre-February-2026 templates should update before their next material-change cycle to avoid drift.

Common implementation pitfalls

Across audits and routine compliance reviews, several specific implementation pitfalls recur:

• Privacy Officer drift. The named Privacy Officer leaves or moves to a different role; the NPP isn't updated.
• Acknowledgment-form mismatch. The acknowledgment form references an outdated NPP version. The form should always reference the current effective date.
• Multi-site inconsistency. Multi-location practices inadvertently use slightly different NPPs at different sites. Standardize on a single document.
• Translation drift. Practices providing Spanish or other-language NPPs sometimes update one language and not the other. Maintain version parity.
• Vendor-relationship update lag. When the practice adds or removes a major vendor relationship, the NPP isn't updated to reflect the new data flow until much later.

Audit-readiness considerations

When OCR or a state regulator audits, the NPP review typically asks for:

• Current NPP version with effective date
• Sample acknowledgment forms from the past 12 months
• Documentation of distribution process (front-desk procedure, telehealth workflow)
• Evidence of website posting (URL of public-facing NPP page)
• Evidence of physical posting (typically a photograph of the lobby posting)
• Documentation of material changes and re-distribution events
• Privacy Officer contact and complaint-log
• Training records (HIPAA-required workforce training, plus any state-specific requirements)

Quick reference checklist

When producing or updating an NPP, work through this checklist:

• Identify the legal covered entity. One NPP per legal entity. If you have multiple legal entities, you need multiple NPPs.
• List all clinical locations covered by this entity, including any virtual-only telehealth presence
• Confirm the Privacy Officer. Name, title, contact information. Update when this person changes.
• Inventory uses and disclosures. What data flows happen in your practice? Each major flow should be reflected in the NPP's permitted-use section.
• Confirm authorization-required disclosures. Marketing, sale of PHI, psychotherapy notes, and any state-specific authorization-required categories.
• Verify HIPAA-required content. Header statement, all eight individual rights, entity duties, complaint procedures, breach notification rights, paper-copy availability.
• Add state-law overlay. If your state has additional protection (mental health, HIV, genetic, biometric), reflect it in the NPP.
• Set effective date and last-revised date. Both should be current and visible.
• Distribution mechanics. First-encounter delivery, website posting, physical posting, electronic availability, multi-language versions if applicable.

How NPP Generator helps

Producing a HIPAA-compliant Notice of Privacy Practices from scratch — even with the HHS February 2026 model as a starting point — typically takes a few hours of attention to entity-specific details: practice name, locations, Privacy Officer, vendor relationships, state-specific overlays, sensitive-record categories, communication preferences, and effective-date management.

NPP Generator's tool walks through a guided intake, captures the practice-specific information, and produces a formatted PDF and editable Word document aligned to the HHS February 2026 model in about five minutes. The tool also handles state-specific overlay language for the major state-law regimes and produces a current-effective-date document ready for distribution. For practices that need state-specific overlay (Texas HB300, Illinois MHDDC, California CMIA/CCPA, etc.), the tool's state-handler ensures the right elevated-protection language appears in your final document.

About state-law and federal preemption

HIPAA establishes a federal floor for health-information privacy. State laws are not preempted where they are more protective of patient privacy than HIPAA — that's the basic preemption rule under 45 CFR § 160.203. The interaction can be subtle: a state law may be stricter on a specific topic (HIV records, mental-health records, genetic information) without being globally stricter than HIPAA. The NPP must reflect the stricter rule wherever it applies. Practices serving patients in multiple states often issue a single NPP that incorporates the strictest applicable rules across those states; multi-state organizations sometimes use state-specific NPP versions for clarity. For organizations subject to specific federal regimes beyond HIPAA — 42 CFR Part 2 for SUD, FERPA for educational records, Title X for federally-funded family-planning services — the NPP should describe how those regimes interact with HIPAA's framework.

Further reading

For more on the topics covered here:

• What is a Notice of Privacy Practices? — foundational explanation
• NPP requirements in 2026 — current regulatory baseline
• HHS February 2026 model walkthrough — the current federal baseline
• When state law is stricter than federal — preemption framework
• ComplyCreate: HIPAA vs state privacy laws — full state-by-state comparison