NPP Website Posting Requirements Under 45 CFR § 164.520
The HIPAA rule that requires a Notice of Privacy Practices on your public website — what has to be posted, where, and how it interacts with first-service-delivery distribution.
By NPP Generator Research Team · Published Mar 3, 2026 · Last reviewed Apr 23, 2026
The regulation
45 CFR § 164.520(c)(3)(i) requires covered entities that maintain a website providing information about their services to prominently post their NPP on the site and make it available electronically through the site. This is a parallel requirement to the posting at physical service sites.
What "prominently" means
The regulation does not prescribe exact placement. Common practice: a link in the main navigation, in the footer, or both. The link text should be clear — e.g., "Notice of Privacy Practices" or "Privacy Notice" — not buried in generic language like "Legal." The link should go to the full NPP, either as an HTML page or a PDF download.
HTML or PDF?
Either works. HTML benefits: easier to update, no download required, accessible to screen readers by default. PDF benefits: authoritative single-file version that can be handed out, harder to accidentally mis-edit. Many practices post both — an HTML page with a "Download PDF" link alongside.
When the website NPP must be updated
Immediately upon any material change. If you adopt a revised NPP on a specific effective date, the website version must reflect the new notice as of that date. Leaving a stale pre-Feb-2026 notice on your website is a compliance risk even if you have the new version printed in the office.
Common website-posting mistakes
- Link only appears in the footer in 8-point gray type
- Privacy Policy (the website cookie/data policy) is posted but labeled "NPP" — these are different documents
- NPP is posted but points to a 404 or an old PDF
- NPP effective date is a year in the past; the current posted document is stale
- Contact information on the NPP is out of date (old Privacy Officer, wrong phone)