HIPAA NPP Requirements in 2026

By NPP Generator Research Team  ·  Published Feb 16, 2026  ·  Last reviewed Apr 23, 2026  ·  7 min read

45 CFR § 164.520 requires every HIPAA covered entity to provide a Notice of Privacy Practices describing how it uses and discloses PHI, the individual's right to access and amend PHI, the entity's legal duties, and how to file a complaint. That core requirement has been in place since 2003. What changed in 2026 is the model notice HHS publishes for covered entities to adopt.

What HHS Updated in February 2026

The February 2026 revised model notices — one for direct-treatment providers, one for health plans — incorporate three major developments:

• Part 2 SUD integration (2024 Final Rule). Entities subject to 42 CFR Part 2 may now publish a single integrated HIPAA/Part 2 notice instead of maintaining two separate documents. See our full NPP Part 2 SUD language guide.
• Reproductive-health privacy clarifications. Post-Dobbs, the revised notices clarify language around disclosures for investigations, law enforcement, and mandatory reporting involving reproductive healthcare.
• Individual-rights request language. Refinements to the description of patients' rights to access, amend, and request accountings, reflecting updates from the 2023 HIPAA Privacy Rule amendments.

The Compliance Deadline

The compliance deadline was February 16, 2026. Every covered entity was required to have an updated NPP in place by that date. As of now, the deadline has passed — yet many small practices have not updated. Operating with a pre-2026 NPP is a HIPAA Privacy Rule violation.

If your NPP still references older language (for example, missing Part 2 integration or using pre-2024 reproductive-health disclosure language), see our step-by-step guide to updating your existing NPP to the HHS February 2026 model.

Required Content Under 45 CFR § 164.520(b)

The eight mandatory NPP content elements have been stable since 2003. A compliant 2026 NPP must include:

• Header statement. The exact prescribed language: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
• Uses and disclosures for TPO. Treatment, payment, and health care operations — with at least one example of each.
• Authorization-required uses. Marketing, sale of PHI, and most uses of psychotherapy notes.
• Individual rights. Access and copy, amendment, accounting of disclosures, restriction requests, confidential communications, paper copy, breach notification.
• Covered-entity duties. The entity's obligation to maintain PHI confidentiality and abide by the current NPP.
• Complaint procedures. How to complain internally (Privacy Officer) and externally (HHS OCR), with assurance of no retaliation.
• Contact information. Privacy Officer name or title, phone, and mailing address.
• Effective date. Must appear on the face of the notice.

Entities subject to 42 CFR Part 2 must include integrated Part 2 language. Entities receiving federal financial assistance must include Section 1557 taglines in the top 15 non-English languages of their state. For the full content checklist, see the NPP template and the HHS model NPP 2026 walkthrough.

Distribution Requirements

Direct-treatment providers must:

• Provide the NPP to each patient at first service delivery (or first opportunity if an emergency prevents delivery at the first encounter)
• Make a good-faith effort to obtain a written acknowledgment of receipt
• Post the NPP prominently at each physical service location
• Post the NPP on the organization's website if one is maintained
• Provide a paper copy on any patient's request

Health plans must provide the NPP to new enrollees on enrollment and send a reminder of availability at least every three years to existing members. See NPP website posting requirements and NPP acknowledgment of receipt for the specific mechanics.

Redistribution After a Material Change

Under § 164.520(b)(3), a covered entity must revise and redistribute its NPP whenever a material change occurs. Material changes include new uses or disclosures of PHI, new Privacy Officer, change of location, significant changes in safeguard practices, changes to individual-rights procedures, and mergers or acquisitions. Adopting the HHS February 2026 revised model is itself a material change.

Direct-treatment providers must post the revised notice on their website and at physical service sites and provide it to patients at their next visit. Health plans must provide the revised notice to plan members within 60 days. For the distinction between effective date and supersede date, see NPP effective date vs. supersede date.

Penalties for Non-Compliance

The HHS Office for Civil Rights treats an absent or outdated NPP as a standalone HIPAA Privacy Rule violation, separate from any underlying data incident. Civil monetary penalties under the 2024 adjusted tiers are:

• Tier 1 (unknowing): $137 to $68,928 per violation
• Tier 2 (reasonable cause): $1,379 to $68,928 per violation
• Tier 3 (willful neglect, corrected): $13,785 to $68,928 per violation
• Tier 4 (willful neglect, uncorrected): $68,928 per violation, up to approximately $2 million per year for repeated violations of the same provision

OCR routinely discovers NPP deficiencies during breach investigations and routine audits. See NPP compliance penalties under HHS OCR for specific enforcement examples.

Frequently Asked Questions

Do I need a brand-new NPP or can I update my existing one?

Either works. If your existing NPP predates the February 2026 HHS model, you must either replace it entirely or update it to incorporate Part 2 integration, reproductive-health clarifications, and the 2023 individual-rights language. NPP Generator supports both paths in one flow — the output includes a "supersedes prior notice dated X" line when updating. See update your existing NPP.

Am I a HIPAA covered entity?

You are a covered entity if you transmit health information electronically in standard transactions — for example, submitting insurance claims, eligibility checks, or referral authorizations electronically. Solo therapists, dentists, physicians, and chiropractors who bill insurance electronically are covered entities. See our vertical guides for therapists, dental practices, mental health, telehealth providers, and small medical practices.

Do I need to integrate Part 2 SUD language?

Only if your practice is subject to 42 CFR Part 2 — that is, a federally-assisted program that holds itself out as providing substance use disorder diagnosis, treatment, or referral. General mental health practices are not automatically subject to Part 2. If you are subject to Part 2, the 2024 Final Rule allows a single integrated HIPAA/Part 2 NPP.

What's the difference between the NPP and a BAA?

The NPP is patient-facing — it notifies patients of privacy practices. A Business Associate Agreement (BAA) is vendor-facing — it binds outside vendors who handle PHI to HIPAA obligations. Covered entities need both. See NPP vs. BAA — what's the difference.

What if state law imposes stricter requirements than HIPAA?

HIPAA sets the federal floor. State laws stricter than HIPAA (California's CMIA, New York's SHIELD Act, Massachusetts' Chapter 93H) are preserved under § 160.203. You must comply with whichever is stricter, clause by clause. See NPP and state laws stricter than federal.