What Is a Notice of Privacy Practices (NPP) Under HIPAA?
By NPP Generator Research Team · Published Feb 15, 2026 · Last reviewed Apr 23, 2026 · 6 min read
Key Takeaways
- ✓ An NPP is a HIPAA-required patient-facing document — not optional for covered entities
- ✓ Required for every direct-treatment provider, health plan, and healthcare clearinghouse
- ✓ Must include all elements listed in 45 CFR § 164.520(b)
- ✓ HHS revised the model NPP in February 2026 — pre-2026 versions are out of compliance
- ✓ Missing or outdated NPPs carry civil penalties up to $68,928 per violation
If you operate a healthcare practice, you've likely encountered the phrase "Notice of Privacy Practices" — or seen the form patients sign at intake. But what exactly does HIPAA require it to say, who must have one, and what happens when it's missing or out of date? This guide answers each question with citations to the controlling regulation.
What Is a Notice of Privacy Practices?
A Notice of Privacy Practices is a plain-language disclosure document that HIPAA requires every covered entity to produce and distribute. It tells patients three things: how their protected health information (PHI) may be used without their authorization, what uses require their explicit authorization, and what rights they hold over their own records.
The legal requirement lives at 45 CFR § 164.520. The document is sometimes called a "privacy notice," "HIPAA notice," or "patient privacy notice" — all refer to the same required instrument.
Who Is Required to Have an NPP?
Every HIPAA covered entity must maintain a current NPP. Covered entities include:
- Direct-treatment providers — solo physicians, group practices, hospitals, pharmacies, dentists, therapists (LCSWs, psychologists, licensed counselors), chiropractors, nurse practitioners, physical therapists, and optometrists
- Health plans — commercial insurers, HMOs, Medicare and Medicaid managed care plans, and employer-sponsored health benefit plans (with limited exceptions for small self-insured plans)
- Healthcare clearinghouses — entities that translate health data between standard and non-standard formats
Business associates do not issue NPPs. Vendors who handle PHI on behalf of a covered entity — billing companies, EHR vendors, transcription services — are governed by a Business Associate Agreement, not an NPP.
If you're unsure whether your practice qualifies as a covered entity, the determining factor is electronic transmission of health information — for example, submitting insurance claims electronically makes a solo therapist a covered entity subject to 45 CFR § 164.520. See our guides for therapists, dental practices, and telehealth providers.
What Must a HIPAA NPP Contain?
Under 45 CFR § 164.520(b), a compliant NPP must include all of the following:
- Header statement — a prominent notice that the document describes the entity's legal duties and privacy practices (the HHS-prescribed "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED..." language)
- Permitted uses and disclosures — descriptions of TPO uses (treatment, payment, health care operations) with at least one example of each
- Uses requiring authorization — marketing, sale of PHI, and most uses of psychotherapy notes require explicit patient authorization
- Patient rights — access and copy, amendment, accounting of disclosures, restriction requests, confidential communications requests, paper copy on request, and breach notification
- Entity duties — the covered entity's obligation to maintain PHI confidentiality and abide by the current NPP
- Complaint procedures — how to complain to the Privacy Officer and how to file a complaint with HHS Office for Civil Rights
- Privacy Officer contact information — name or title, phone number, and mailing address
- Effective date — must appear on the face of the notice
Practices treating substance use disorder (SUD) patients must also incorporate 42 CFR Part 2 protections. Federally funded practices and those receiving federal financial assistance must include Section 1557 language taglines in the top 15 languages spoken in the state. The full mandatory content checklist walks through each element.
When Does an NPP Need to Be Updated?
An NPP must be revised whenever a material change occurs to the entity's privacy practices. Material changes include:
- New Privacy Officer (name, title, or contact information)
- Change in physical location
- New categories of PHI use or disclosure
- Organizational restructuring (merger, acquisition, new affiliated covered entity)
- Changes to individual rights under updated federal regulations
HHS issued revised model NPP notices in February 2026 incorporating three regulatory changes: 42 CFR Part 2 SUD integration (effective February 16, 2026), reproductive health privacy protections under the 2024 HIPAA Privacy Rule amendment, and updated individual-rights language. Covered entities using pre-2026 model language are currently out of compliance with the February 16, 2026 deadline. For the full timeline, see HIPAA NPP Requirements in 2026 and our guide on updating your existing NPP.
What Happens If You Don't Have an NPP?
Operating without a current, distributed NPP is a standalone HIPAA violation. The HHS Office for Civil Rights (OCR) treats an absent or outdated NPP as a direct breach of 45 CFR § 164.520 — separate from any underlying data incident. Consequences include:
- Civil monetary penalties of $137 to $68,928 per violation (2024 HHS-adjusted amounts), up to approximately $2 million per year for repeated violations of the same provision
- Corrective action plans — OCR routinely discovers missing NPPs during breach investigations and scheduled audits, and requires documented corrective action
- Reputational exposure — OCR publishes enforcement actions by name on its public website
The February 16, 2026 deadline for the revised model notices has passed. Practices that have not updated their NPP are currently in violation. See NPP compliance penalties under HHS OCR for enforcement specifics.
Frequently Asked Questions
What is the difference between an NPP and a BAA?
An NPP is a patient-facing notice of privacy rights; it runs from the covered entity to patients. A Business Associate Agreement (BAA) is a vendor contract; it runs from the covered entity to outside vendors who handle PHI. Covered entities need both — one for patients, one for each business associate. See NPP vs. BAA — What's the Difference.
Do I need an NPP if I only see cash-pay patients?
Yes, if you transmit health information electronically in any form — including submitting claims to Medicare, Medicaid, or commercial insurers for any patient — you are a covered entity and 45 CFR § 164.520 applies to all patients, not only insured ones.
How do I distribute my NPP to patients?
For direct-treatment providers: provide a paper copy at first service delivery (or first opportunity if an emergency), make a good-faith effort to obtain a written acknowledgment of receipt, post the full notice on your website if you maintain one, and display it prominently at your physical location. See NPP website posting requirements and NPP acknowledgment of receipt.
Can I write my own NPP without an attorney?
Yes. HHS publishes model NPP notices that covered entities may use directly or adapt. The February 2026 model notices are available on the HHS website. A document generation tool like NPP Generator produces a customized notice based on the HHS model, incorporating practice-specific details (entity name, Privacy Officer contact, applicable SUD and Section 1557 language) without requiring attorney involvement for a standard single-state practice.
What is the HHS model NPP?
HHS publishes model Notices of Privacy Practices that covered entities may adopt. The February 2026 revision is the current version; earlier models lack Part 2 SUD language and 2024 reproductive health privacy provisions. Using the HHS model (or a notice built on it) does not guarantee compliance if practice-specific required fields are left blank or if state law imposes stricter requirements. See the HHS model NPP 2026 walkthrough.