Pennsylvania NPP Requirements: HIPAA + Pennsylvania Law

By NPP Generator Research Team  ·  Published Apr 25, 2026  ·  Last reviewed Apr 28, 2026  ·  6 min read

Quick answer: Pennsylvania HIPAA covered entities follow HIPAA's NPP rules plus the Pennsylvania Mental Health Procedures Act (50 P.S. § 7101 et seq.) and the Confidentiality of HIV-Related Information Act (35 P.S. § 7601 et seq.). Both regimes restrict disclosure beyond HIPAA's defaults. The NPP should reflect this elevated protection.

Pennsylvania's medical privacy regime gives mental-health and HIV-related records protection above HIPAA's baseline. The Mental Health Procedures Act applies broadly to mental-health-treatment records; the HIV Act restricts disclosure of HIV-test results. PA practices that handle either category need to reflect that protection in the NPP.

Family resources. For broader state-law context, see ComplyCreate's HIPAA vs state privacy laws guide.

Mental Health Procedures Act (MHPA)

PA's MHPA (50 P.S. § 7101 et seq.) governs mental-health treatment records in Pennsylvania. § 7111 establishes confidentiality. Disclosure beyond treatment, payment, and certain narrow exceptions requires the patient's written consent — even where HIPAA might allow disclosure.

PA practices treating mental-health conditions should include in the NPP a reference to MHPA § 7111 and a statement that mental-health records receive elevated state-law protection.

Confidentiality of HIV-Related Information Act

35 P.S. § 7601 et seq. restricts disclosure of HIV-test results. Disclosure generally requires written consent meeting specific PA requirements. NPPs for PA practices that perform or store HIV-test results should describe this elevated protection.

Drug and Alcohol Abuse Control Act

71 P.S. § 1690.108 imposes specific confidentiality requirements on drug-and-alcohol treatment records in Pennsylvania, layered on top of federal 42 CFR Part 2. NPPs for PA SUD treatment programs must reflect both regimes.

Pennsylvania abortion-related records

Pennsylvania has specific reporting requirements for abortion-related procedures under the Abortion Control Act (18 Pa.C.S. § 3201 et seq.). The NPP should address these reporting obligations distinctly — they're public-health reporting, not patient-care disclosure.

PA NPP structure

A complete PA NPP includes:

How this fits with the HHS February 2026 revised model

The HHS February 2026 final rule revised the NPP model and clarified several content requirements. Practices issuing or updating an NPP after February 16, 2026 should align to the new model. Key changes that affect every NPP regardless of specialty include: the addition of mandatory language describing the practice's safeguards against unauthorized AI-driven uses of PHI; updated breach-notification language reflecting Cures Act information-blocking interactions; refined Right of Access language describing electronic-format options; and updated language around marketing communications.

For practices that updated to the HHS Feb 2026 model upon publication, no further regulatory NPP work is required until the next material change. Practices still on pre-February-2026 templates should update before their next material-change cycle to avoid drift.

Common implementation pitfalls

Across audits and routine compliance reviews, several specific implementation pitfalls recur:

Audit-readiness considerations

When OCR or a state regulator audits, the NPP review typically asks for:

Quick reference checklist

When producing or updating an NPP, work through this checklist:

How NPP Generator helps

Producing a HIPAA-compliant Notice of Privacy Practices from scratch — even with the HHS February 2026 model as a starting point — typically takes a few hours of attention to entity-specific details: practice name, locations, Privacy Officer, vendor relationships, state-specific overlays, sensitive-record categories, communication preferences, and effective-date management.

NPP Generator's tool walks through a guided intake, captures the practice-specific information, and produces a formatted PDF and editable Word document aligned to the HHS February 2026 model in about five minutes. The tool also handles state-specific overlay language for the major state-law regimes and produces a current-effective-date document ready for distribution. For practices that need state-specific overlay (Texas HB300, Illinois MHDDC, California CMIA/CCPA, etc.), the tool's state-handler ensures the right elevated-protection language appears in your final document.

About state-law and federal preemption

HIPAA establishes a federal floor for health-information privacy. State laws are not preempted where they are more protective of patient privacy than HIPAA — that's the basic preemption rule under 45 CFR § 160.203. The interaction can be subtle: a state law may be stricter on a specific topic (HIV records, mental-health records, genetic information) without being globally stricter than HIPAA. The NPP must reflect the stricter rule wherever it applies. Practices serving patients in multiple states often issue a single NPP that incorporates the strictest applicable rules across those states; multi-state organizations sometimes use state-specific NPP versions for clarity. For organizations subject to specific federal regimes beyond HIPAA — 42 CFR Part 2 for SUD, FERPA for educational records, Title X for federally-funded family-planning services — the NPP should describe how those regimes interact with HIPAA's framework.

Frequently Asked Questions

Does the MHPA apply to outpatient therapy?
Yes. § 7111 covers mental-health treatment broadly, including outpatient therapy by licensed mental-health professionals. The elevated protection applies regardless of treatment setting.

Does PA require a separate consent for HIV disclosure?
Yes. 35 P.S. § 7607 requires a written consent for HIV-test result disclosure with specific content (purpose, recipient, expiration). A generic HIPAA authorization typically doesn't satisfy PA's specific requirements; many practices use a combined consent.

What about the Pennsylvania Patient Privacy Act (proposed)?
Pennsylvania has had several proposed comprehensive privacy bills similar to those in California and Washington. As of 2026, no comprehensive bill has been enacted. Monitor for changes; current obligations remain HIPAA + statute-specific protections above.

Pennsylvania abortion-record reporting changed after Dobbs. What's the current state?
PA's reporting requirements remain in place under the Abortion Control Act. The federal HHS reproductive-health rule (June 2024) restricts use of PHI in some interstate contexts but doesn't preempt state public-health reporting. The NPP should describe the practice's reporting obligations carefully.

How does PA treat minor consent for mental-health treatment?
PA's Minor Health Care Act allows minors 14 and older to consent to mental-health treatment in some circumstances. The NPP should describe how parental access to those records is handled — typically the parent's HIPAA-personal-representative right is restricted in those scenarios.