What are the HIPAA NPP requirements for 2026?

The 2026 HIPAA NPP requirements are the same eight mandatory content elements from 45 CFR § 164.520(b) — header statement, permitted uses and disclosures, authorization-required uses, individual rights, entity duties, complaint procedures, Privacy Officer contact information, and effective date — updated to match the HHS February 2026 revised model notices. The revisions incorporate 42 CFR Part 2 SUD integration, reproductive-health privacy clarifications, and refined individual-rights request language.

What changed in the HHS February 2026 NPP model?

Three changes: (1) integration of 42 CFR Part 2 substance use disorder protections under the 2024 Part 2 Final Rule, allowing a single combined HIPAA/Part 2 notice; (2) reproductive-health privacy clarifications under the 2024 HIPAA Privacy Rule amendment, post-Dobbs; (3) refined individual-rights request language reflecting 2023 Privacy Rule updates.

When was the NPP compliance deadline?

February 16, 2026. Covered entities were required to have an updated NPP using the HHS February 2026 revised model in place by that date. The deadline has passed. Covered entities using pre-2026 model language are currently in violation of the HIPAA Privacy Rule.

How must a covered entity distribute the NPP?

Direct-treatment providers must: (1) provide the NPP to each patient at first service delivery; (2) post it prominently at each physical service location; (3) post it on the organization's website if one is maintained; and (4) make a good-faith attempt to obtain written acknowledgment of receipt. Health plans must provide the NPP on enrollment and send a notice of availability at least every three years to existing members.

What are the penalties for a non-compliant NPP in 2026?

Civil monetary penalties under HHS OCR range from $137 to $68,928 per violation (2024 adjusted amounts), with annual caps approaching $2 million for repeated violations of the same provision. OCR treats an absent or outdated NPP as a standalone HIPAA Privacy Rule violation, separate from any other compliance deficiency.

Compliance Reference

HIPAA NPP Requirements in 2026

Q: Do I need to redistribute my NPP after updating to the 2026 model?

Yes. Adopting the HHS February 2026 revised model is a material change under § 164.520(b)(3). Direct-treatment providers must post the revised notice on their website and at physical sites and provide it to patients at their next visit. Health plans must send the revised notice to members within 60 days.

By NPP Generator Research Team · Published Feb 16, 2026 · Last reviewed Apr 28, 2026 · 6 min read

Need to update your NPP?

Update → Generate new →

Family resources. For the broader 2026 HIPAA changes roundup (Part 2 final rule, OCR enforcement, state-law overlays), see ComplyCreate's 2026 changes roundup.

Key Takeaways

✓ The eight mandatory NPP elements under 45 CFR § 164.520(b) are unchanged — the HHS model language is what changed
✓ Compliance deadline was February 16, 2026 — any NPP predating this is currently non-compliant
✓ Major revisions: Part 2 SUD integration, reproductive-health clarifications, updated individual-rights language
✓ Direct-treatment providers must re-post and re-distribute after adopting the 2026 model
✓ Civil penalties: $137 to $68,928 per violation (2024 adjusted amounts)

Quick answer: In 2026, every HIPAA covered entity must have a Notice of Privacy Practices built on the HHS February 2026 revised model. The NPP must include all eight content elements under 45 CFR § 164.520(b), integrate 42 CFR Part 2 SUD language where applicable, and be distributed to patients, posted on the entity's website, and displayed at each physical location. The compliance deadline was February 16, 2026.

45 CFR § 164.520 requires every HIPAA covered entity to provide a Notice of Privacy Practices describing how it uses and discloses PHI, the individual's right to access and amend PHI, the entity's legal duties, and how to file a complaint. That core requirement has been in place since 2003. What changed in 2026 is the model notice HHS publishes for covered entities to adopt.

What HHS Updated in February 2026

The February 2026 revised model notices — one for direct-treatment providers, one for health plans — incorporate three major developments:

Part 2 SUD integration (2024 Final Rule). Entities subject to 42 CFR Part 2 may now publish a single integrated HIPAA/Part 2 notice instead of maintaining two separate documents. See our full NPP Part 2 SUD language guide.
Reproductive-health privacy clarifications. Post-Dobbs, the revised notices clarify language around disclosures for investigations, law enforcement, and mandatory reporting involving reproductive healthcare.
Individual-rights request language. Refinements to the description of patients' rights to access, amend, and request accountings, reflecting updates from the 2023 HIPAA Privacy Rule amendments.

The Compliance Deadline

The compliance deadline was February 16, 2026. Every covered entity was required to have an updated NPP in place by that date. As of now, the deadline has passed — yet many small practices have not updated. Operating with a pre-2026 NPP is a HIPAA Privacy Rule violation.

If your NPP still references older language (for example, missing Part 2 integration or using pre-2024 reproductive-health disclosure language), see our step-by-step guide to updating your existing NPP to the HHS February 2026 model.

Required Content Under 45 CFR § 164.520(b)

The eight mandatory NPP content elements have been stable since 2003. A compliant 2026 NPP must include:

Header statement. The exact prescribed language: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
Uses and disclosures for TPO. Treatment, payment, and health care operations — with at least one example of each.
Authorization-required uses. Marketing, sale of PHI, and most uses of psychotherapy notes.
Individual rights. Access and copy, amendment, accounting of disclosures, restriction requests, confidential communications, paper copy, breach notification.
Covered-entity duties. The entity's obligation to maintain PHI confidentiality and abide by the current NPP.
Complaint procedures. How to complain internally (Privacy Officer) and externally (HHS OCR), with assurance of no retaliation.
Contact information. Privacy Officer name or title, phone, and mailing address.
Effective date. Must appear on the face of the notice.

Entities subject to 42 CFR Part 2 must include integrated Part 2 language. Entities receiving federal financial assistance must include Section 1557 taglines in the top 15 non-English languages of their state. For the full content checklist, see the NPP template and the HHS model NPP 2026 walkthrough.

Distribution Requirements

Direct-treatment providers must:

Provide the NPP to each patient at first service delivery (or first opportunity if an emergency prevents delivery at the first encounter)
Make a good-faith effort to obtain a written acknowledgment of receipt
Post the NPP prominently at each physical service location
Post the NPP on the organization's website if one is maintained
Provide a paper copy on any patient's request

Health plans must provide the NPP to new enrollees on enrollment and send a reminder of availability at least every three years to existing members. See NPP website posting requirements and NPP acknowledgment of receipt for the specific mechanics.

Redistribution After a Material Change

Under § 164.520(b)(3), a covered entity must revise and redistribute its NPP whenever a material change occurs. Material changes include new uses or disclosures of PHI, new Privacy Officer, change of location, significant changes in safeguard practices, changes to individual-rights procedures, and mergers or acquisitions. Adopting the HHS February 2026 revised model is itself a material change.

Direct-treatment providers must post the revised notice on their website and at physical service sites and provide it to patients at their next visit. Health plans must provide the revised notice to plan members within 60 days. For the distinction between effective date and supersede date, see NPP effective date vs. supersede date.

Penalties for Non-Compliance

The HHS Office for Civil Rights treats an absent or outdated NPP as a standalone HIPAA Privacy Rule violation, separate from any underlying data incident. Civil monetary penalties under the 2024 adjusted tiers are:

Tier 1 (unknowing): $137 to $68,928 per violation
Tier 2 (reasonable cause): $1,379 to $68,928 per violation
Tier 3 (willful neglect, corrected): $13,785 to $68,928 per violation
Tier 4 (willful neglect, uncorrected): $68,928 per violation, up to approximately $2 million per year for repeated violations of the same provision

OCR routinely discovers NPP deficiencies during breach investigations and routine audits. See NPP compliance penalties under HHS OCR for specific enforcement examples.

Frequently Asked Questions

Do I need a brand-new NPP or can I update my existing one?

Either works. If your existing NPP predates the February 2026 HHS model, you must either replace it entirely or update it to incorporate Part 2 integration, reproductive-health clarifications, and the 2023 individual-rights language. NPP Generator supports both paths in one flow — the output includes a "supersedes prior notice dated X" line when updating. See update your existing NPP.

Am I a HIPAA covered entity?

You are a covered entity if you transmit health information electronically in standard transactions — for example, submitting insurance claims, eligibility checks, or referral authorizations electronically. Solo therapists, dentists, physicians, and chiropractors who bill insurance electronically are covered entities. See our vertical guides for therapists, dental practices, mental health, telehealth providers, and small medical practices.

Do I need to integrate Part 2 SUD language?

Only if your practice is subject to 42 CFR Part 2 — that is, a federally-assisted program that holds itself out as providing substance use disorder diagnosis, treatment, or referral. General mental health practices are not automatically subject to Part 2. If you are subject to Part 2, the 2024 Final Rule allows a single integrated HIPAA/Part 2 NPP.

What's the difference between the NPP and a BAA?

The NPP is patient-facing — it notifies patients of privacy practices. A Business Associate Agreement (BAA) is vendor-facing — it binds outside vendors who handle PHI to HIPAA obligations. Covered entities need both. See NPP vs. BAA — what's the difference.

What if state law imposes stricter requirements than HIPAA?

HIPAA sets the federal floor. State laws stricter than HIPAA (California's CMIA, New York's SHIELD Act, Massachusetts' Chapter 93H) are preserved under § 160.203. You must comply with whichever is stricter, clause by clause. See NPP and state laws stricter than federal.

Generate a compliant NPP in 5 minutes

HHS Feb 2026 model · Part 2 SUD language · Section 1557 taglines · whether you're updating or starting fresh.

Update my existing NPP → Generate a new NPP →

No subscription · PDF + Word · Free watermarked preview · See sample →

Related: NPP compliance & rules

HHS model walkthrough Website posting Acknowledgment of receipt Effective vs supersede date When to update Material change notice State law overlays