Do covered entities need both an NPP and BAAs?

Yes. A covered entity needs one Notice of Privacy Practices for its patients and a separate Business Associate Agreement with every vendor that handles PHI on its behalf. The NPP is patient-facing under 45 CFR § 164.520; the BAA is vendor-facing under 45 CFR § 164.504(e). They serve different regulatory functions and cannot substitute for each other.

Is the NPP a contract?

No. The NPP is a notice — a one-way disclosure document that tells patients how the covered entity uses and discloses PHI and what rights patients have. The BAA is a two-way contract that binds a vendor to HIPAA safeguard obligations. A patient acknowledgment of the NPP is not a contract; the BAA between covered entity and vendor is.

Does signing a BAA replace the need for an NPP?

No. A BAA only binds a specific vendor. It does not address the covered entity's obligation to inform patients about uses and disclosures of their PHI — that obligation requires an NPP. Even a covered entity with zero vendors needs an NPP if it has direct treatment relationships with patients.

Can a vendor's NPP cover the covered entity's obligation?

No. NPPs are issued by the covered entity, in the covered entity's name, describing the covered entity's practices. A vendor (business associate) does not have an NPP — vendors sign BAAs that promise to follow the covered entity's NPP and HIPAA rules. A vendor's general privacy policy is not a HIPAA NPP.

Where does the full BAA-vs-NPP comparison live?

ComplyCreate publishes the full neutral side-by-side comparison at complycreate.com/compliance/baa-vs-npp. This page covers the NPP-side angle for covered entities considering both documents.

NPP vs BAA for Covered Entities: Do You Need Both?

If you're a covered entity asking whether your practice needs an NPP, BAAs with vendors, or both, the short answer is almost always both. This page covers the question from the NPP-author's view: which document handles which obligation, and how the two fit together. For the full neutral side-by-side comparison, see ComplyCreate's BAA vs NPP guide.

Quick answer for covered entities. Yes, you need both. The Notice of Privacy Practices is a patient-facing notice required under 45 CFR § 164.520. The Business Associate Agreement is a vendor-facing contract required under 45 CFR § 164.504(e). They sit on opposite sides of your practice — one toward the patients you serve, one toward the vendors who handle PHI for you — and one cannot substitute for the other.

By NPP Generator Research Team · Published Feb 28, 2026 · Last reviewed Apr 28, 2026 · 6 min read

Need to update your NPP?

Update → Generate new →

The covered-entity frame

Most readers landing on this question are HIPAA covered entities — providers, health plans, or healthcare clearinghouses — trying to figure out which compliance documents they actually own. The framing matters. As a covered entity you sit at the center of two distinct relationships:

Patient-facing (downstream): you collect, use, and disclose PHI for patient care. HIPAA requires you to tell those patients, in writing, how you handle their information. That document is the Notice of Privacy Practices. You issue one NPP per practice (or one per legally separate covered entity), update it when uses or disclosures materially change, and post it on your website plus distribute it at first patient encounter.
Vendor-facing (upstream): you engage third parties — EHR vendors, billing services, transcription, cloud storage, e-fax, secure messaging — that touch PHI on your behalf. HIPAA requires each of those relationships to be governed by a written contract that binds the vendor to HIPAA's safeguard rules. That contract is the Business Associate Agreement. You sign one BAA per vendor relationship.

Both directions need their own document. An NPP doesn't bind your vendors. A BAA doesn't tell your patients anything. Even a solo provider with zero vendors still needs an NPP — and even a covered entity with the most carefully written BAAs in the world is still out of compliance if no NPP exists.

Side-by-side comparison

	NPP	BAA
Regulation	45 CFR § 164.520	45 CFR § 164.504(e)
Audience	Patients	Vendors (business associates)
Document type	One-way notice	Two-way contract
Purpose	Notify patients of rights and uses	Bind vendor to HIPAA safeguards
How many you need	One per covered entity (updated on material change)	One per vendor relationship involving PHI
Signature	Good-faith acknowledgment from patient (direct treatment only)	Both parties sign
Distribution	Post on website, provide at first visit, post at clinical site	Exchanged between covered entity and vendor; not public
Required HHS model?	HHS publishes a model NPP (Feb 2026 revised version is current)	HHS publishes sample contract provisions; no full model contract

Common patient-facing scenarios

Here's how the two documents show up in practice for a typical covered entity:

Solo private practice, no outside billing. You need an NPP for your patients. You may not need any BAAs if you handle everything in-house — but the moment you start using an EHR, e-fax service, secure messaging tool, or cloud backup, those vendors need BAAs.
Group practice with outside billing and an EHR. One NPP for the whole practice (legally a single covered entity). At least two BAAs — one with the billing service, one with the EHR vendor. Probably more once you count e-fax, telehealth platform, and cloud storage.
Multi-location practice or DSO/MSO. If the locations are part of the same legal covered entity, one NPP suffices but it must list the locations. If locations are legally separate covered entities, each needs its own NPP. BAAs are signed by each legal covered entity with its own vendors.
FQHC or hospital system. One NPP per covered entity (often the system as a whole if it operates as an organized health care arrangement). BAAs scale with the vendor count — often dozens.
Behavioral-health or addiction-treatment program subject to 42 CFR Part 2. NPP must include the new Part 2 SUD language (post Feb 2026 final rule). BAAs with anyone touching SUD records must reflect Part 2 obligations as well as HIPAA.

Common confusion to avoid

"Can I just give patients my BAA?" No. The BAA is a B2B contract between you and a vendor. Patients don't sign BAAs; they acknowledge an NPP.
"My EHR vendor sent me an NPP — do I need my own?" Yes. Some vendors provide an NPP template, but the NPP must be issued in your covered entity's name describing your practices. A vendor's privacy policy or template is not your NPP.
"My vendor signed a BAA, so I don't need an NPP." No relationship — the BAA covers the vendor; the NPP covers patients.
"I'm a vendor — do I need an NPP?" Almost never. Business associates don't issue NPPs. You sign your covered-entity customers' BAAs and follow their NPP rules.

When the two documents overlap (and why they don't conflict)

Some readers worry that the NPP and the BAA cover the same ground from different angles and might contradict each other. They don't, because they're operating in different planes. The NPP describes what the covered entity will and won't do with PHI from the patient's point of view. The BAA describes what the vendor will and won't do with PHI from the covered entity's point of view. Both documents reference HIPAA's permitted uses and disclosures, but each frames them for its specific audience.

Where the two documents touch is in the chain of custody. Your NPP can promise patients that you "use HIPAA-compliant business associates" or similar phrasing — and your BAA inventory is what backs that promise up. If your NPP describes a use of PHI (e.g., "we share PHI with our billing service for claims submission"), your BAA with that billing service must permit that use. The audit-day question is: does the BAA scope match what the NPP told the patient would happen? Mismatches are a common HHS-OCR finding.

A practical example: a covered entity's NPP says it may disclose PHI to a "secure-messaging vendor for appointment reminders." The BAA with that vendor must permit appointment-reminder messaging using PHI. If the BAA only permits "platform support and outage notifications," the NPP and BAA disagree — and the practice is technically out of compliance with both.

Audit-day perspective

If HHS-OCR audits your practice, both documents will be asked for. The NPP audit checks whether the document is current (HHS Feb 2026 model is the current baseline), whether it's posted on your website, whether it's distributed at first visit, and whether the acknowledgment process exists. The BAA audit checks whether you have a BAA with every vendor that touches PHI, whether the BAAs cover the actual scope of vendor activity, and whether you re-execute or amend on material changes. The two audits are run in parallel; failing one doesn't excuse the other.

Which one do you build first?

Most covered entities build the NPP first — you can't see patients without one. BAAs follow your vendor relationships, which often onboard incrementally. A reasonable order:

Generate or update your NPP using the HHS Feb 2026 model. Post it on your website and distribute at first visit.
Inventory every third party that touches PHI. Sign a BAA with each before granting them PHI access.
Re-review your NPP whenever uses or disclosures materially change, and after any significant regulatory update.
Keep an audit log of vendor BAAs (signed copies, renewal dates, scope notes). HHS-OCR audits look at the BAA inventory directly.

Generate the document you need

You can produce both documents in a single afternoon.

Generate your NPP — $49 Generate a BAA at BAA Generator →

Still unsure? Check whether your practice actually needs an NPP: Does my practice need a Notice of Privacy Practices? → Or read the full neutral comparison at ComplyCreate's BAA vs NPP guide.

Related: NPP fundamentals

What is an NPP Part 2 SUD integration Missed Feb 2026 deadline? Catch-up guide Retroactive update Update to HHS Feb 2026 model