What Is a Notice of Privacy Practices (NPP) Under HIPAA?

By NPP Generator Research Team  ·  Published Feb 15, 2026  ·  Last reviewed Apr 23, 2026  ·  6 min read

Key Takeaways

Quick answer: A Notice of Privacy Practices (NPP) is the patient-facing HIPAA document required by 45 CFR § 164.520. Every covered entity — physicians, dentists, therapists, health plans — must give it to patients, post it on their website, and display it at their physical location. It describes how the entity may use PHI, what rights patients have, and how to file a complaint with HHS OCR.

If you operate a healthcare practice, you've likely encountered the phrase "Notice of Privacy Practices" — or seen the form patients sign at intake. But what exactly does HIPAA require it to say, who must have one, and what happens when it's missing or out of date? This guide answers each question with citations to the controlling regulation.

What Is a Notice of Privacy Practices?

A Notice of Privacy Practices is a plain-language disclosure document that HIPAA requires every covered entity to produce and distribute. It tells patients three things: how their protected health information (PHI) may be used without their authorization, what uses require their explicit authorization, and what rights they hold over their own records.

The legal requirement lives at 45 CFR § 164.520. The document is sometimes called a "privacy notice," "HIPAA notice," or "patient privacy notice" — all refer to the same required instrument.

Who Is Required to Have an NPP?

Every HIPAA covered entity must maintain a current NPP. Covered entities include:

Business associates do not issue NPPs. Vendors who handle PHI on behalf of a covered entity — billing companies, EHR vendors, transcription services — are governed by a Business Associate Agreement, not an NPP.

If you're unsure whether your practice qualifies as a covered entity, the determining factor is electronic transmission of health information — for example, submitting insurance claims electronically makes a solo therapist a covered entity subject to 45 CFR § 164.520. See our guides for therapists, dental practices, and telehealth providers.

What Must a HIPAA NPP Contain?

Under 45 CFR § 164.520(b), a compliant NPP must include all of the following:

Practices treating substance use disorder (SUD) patients must also incorporate 42 CFR Part 2 protections. Federally funded practices and those receiving federal financial assistance must include Section 1557 language taglines in the top 15 languages spoken in the state. The full mandatory content checklist walks through each element.

When Does an NPP Need to Be Updated?

An NPP must be revised whenever a material change occurs to the entity's privacy practices. Material changes include:

HHS issued revised model NPP notices in February 2026 incorporating three regulatory changes: 42 CFR Part 2 SUD integration (effective February 16, 2026), reproductive health privacy protections under the 2024 HIPAA Privacy Rule amendment, and updated individual-rights language. Covered entities using pre-2026 model language are currently out of compliance with the February 16, 2026 deadline. For the full timeline, see HIPAA NPP Requirements in 2026 and our guide on updating your existing NPP.

What Happens If You Don't Have an NPP?

Operating without a current, distributed NPP is a standalone HIPAA violation. The HHS Office for Civil Rights (OCR) treats an absent or outdated NPP as a direct breach of 45 CFR § 164.520 — separate from any underlying data incident. Consequences include:

The February 16, 2026 deadline for the revised model notices has passed. Practices that have not updated their NPP are currently in violation. See NPP compliance penalties under HHS OCR for enforcement specifics.

Frequently Asked Questions

What is the difference between an NPP and a BAA?

An NPP is a patient-facing notice of privacy rights; it runs from the covered entity to patients. A Business Associate Agreement (BAA) is a vendor contract; it runs from the covered entity to outside vendors who handle PHI. Covered entities need both — one for patients, one for each business associate. See NPP vs. BAA — What's the Difference.

Do I need an NPP if I only see cash-pay patients?

Yes, if you transmit health information electronically in any form — including submitting claims to Medicare, Medicaid, or commercial insurers for any patient — you are a covered entity and 45 CFR § 164.520 applies to all patients, not only insured ones.

How do I distribute my NPP to patients?

For direct-treatment providers: provide a paper copy at first service delivery (or first opportunity if an emergency), make a good-faith effort to obtain a written acknowledgment of receipt, post the full notice on your website if you maintain one, and display it prominently at your physical location. See NPP website posting requirements and NPP acknowledgment of receipt.

Can I write my own NPP without an attorney?

Yes. HHS publishes model NPP notices that covered entities may use directly or adapt. The February 2026 model notices are available on the HHS website. A document generation tool like NPP Generator produces a customized notice based on the HHS model, incorporating practice-specific details (entity name, Privacy Officer contact, applicable SUD and Section 1557 language) without requiring attorney involvement for a standard single-state practice.

What is the HHS model NPP?

HHS publishes model Notices of Privacy Practices that covered entities may adopt. The February 2026 revision is the current version; earlier models lack Part 2 SUD language and 2024 reproductive health privacy provisions. Using the HHS model (or a notice built on it) does not guarantee compliance if practice-specific required fields are left blank or if state law imposes stricter requirements. See the HHS model NPP 2026 walkthrough.
