NPP Website Posting Requirements Under 45 CFR § 164.520

The HIPAA rule that requires a Notice of Privacy Practices on your public website — what has to be posted, where, and how it interacts with first-service-delivery distribution.

By NPP Generator Research Team  ·  Published Mar 3, 2026  ·  Last reviewed Apr 23, 2026

The regulation

45 CFR § 164.520(c)(3)(i) requires covered entities that maintain a website providing information about their services to prominently post their NPP on the site and make it available electronically through the site. This is a parallel requirement to the posting at physical service sites.

What "prominently" means

The regulation does not prescribe exact placement. Common practice: a link in the main navigation, in the footer, or both. The link text should be clear — e.g., "Notice of Privacy Practices" or "Privacy Notice" — not buried in generic language like "Legal." The link should go to the full NPP, either as an HTML page or a PDF download.

HTML or PDF?

Either works. HTML benefits: easier to update, no download required, accessible to screen readers by default. PDF benefits: authoritative single-file version that can be handed out, harder to accidentally mis-edit. Many practices post both — an HTML page with a "Download PDF" link alongside.

When the website NPP must be updated

Immediately upon any material change. If you adopt a revised NPP on a specific effective date, the website version must reflect the new notice as of that date. Leaving a stale pre-Feb-2026 notice on your website is a compliance risk even if you have the new version printed in the office.

Common website-posting mistakes
