When to Update Your HIPAA Notice of Privacy Practices
By NPP Generator Research Team · Published Apr 23, 2026 · Last reviewed Apr 23, 2026
Key Takeaways
- ✓ NPP must be updated on any material change under 45 CFR § 164.520(b)(3)
- ✓ Six common triggers: new Privacy Officer, new location, new uses/disclosures, safeguard changes, merger/acquisition, new federal regulation
- ✓ Providers: re-post at the effective date; hand revised NPP to patients at next visit
- ✓ Health plans: re-distribute within 60 days of material change
- ✓ Adopting the HHS February 2026 revised model was itself a material change — deadline was Feb 16, 2026
The NPP is a living document. HIPAA does not require periodic refreshes on a fixed schedule — instead, it requires an update whenever a material change to the privacy practices described in the NPP occurs. This page walks through the six common triggers and the redistribution rules that follow.
The Legal Standard — 45 CFR § 164.520(b)(3)
The controlling regulation is 45 CFR § 164.520(b)(3), which requires a covered entity to revise its NPP "whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice." The revision must be prompt, and the effective date cannot precede the revision.
The Six Triggers That Require an Update
1. New Privacy Officer
The NPP must list the Privacy Officer's name or title, phone number, and mailing address. Any change to these fields is a material change. If your Privacy Officer leaves the practice, retires, or changes role, the NPP must be updated before patients are told to contact that person about privacy concerns.
2. Change of physical location
The NPP lists the contact address for privacy complaints and the location(s) where patients can request records. Moving to a new office, opening a second location, or closing a location is a material change. The updated NPP must be in place on or before the first day patients are seen at the new address.
3. New uses or disclosures of PHI
If your practice starts using PHI for a purpose the current NPP does not describe — for example, starting a fundraising program, starting marketing outreach, or joining a health information exchange — the NPP must be updated before the new use begins. Adding a new type of third-party vendor (like a new billing service or new telehealth platform) is generally covered by existing TPO language and does not require an update, but adding a category of disclosure (like fundraising, research, or HIE participation) does.
4. Significant safeguard-practice changes
Material changes to the practice's technical, administrative, or physical safeguards require an update when they affect the NPP's description of duties. Example: if your NPP currently says "we use locked paper records" and you transition to a fully electronic record system, the relevant section must be revised.
5. Merger, acquisition, or new affiliated covered entity
Organizational changes affect the legal entity behind the NPP. If your solo practice becomes part of a group, if your group acquires another practice, or if you form an "affiliated covered entity" arrangement under § 164.105, the NPP must be updated to reflect the new entity structure and Privacy Officer.
6. New federal regulation requiring changes to the NPP
When HHS issues new regulations that change the required NPP content, the NPP must be updated by the regulation's compliance date. The most recent example is the HHS February 2026 revised model, which integrated 42 CFR Part 2 SUD language, clarified reproductive-health disclosures under the 2024 HIPAA Privacy Rule amendment, and updated individual-rights language. The compliance deadline was February 16, 2026. See NPP requirements 2026 and HHS model NPP 2026 walkthrough.
What Does Not Require an Update
Minor changes that don't affect the information the NPP must contain do not trigger the update requirement:
- Typo or grammar corrections
- Visual rebranding (logo, colors, fonts) where the text is unchanged
- Change of website URL (if the NPP itself is still posted in the new location)
- Change of the website page the NPP is posted on, as long as the NPP remains accessible from the practice's website home page
- Adding a new business associate that fits within existing TPO categories
Redistribution Requirements After Update
Direct-treatment providers
On the effective date of the revised NPP:
- Post the revised NPP on the practice website
- Post the revised NPP prominently at each physical service location
- Provide the revised NPP to each patient at their next visit
- Make a good-faith attempt to obtain acknowledgment at the next visit (OCR-recommended; not strictly required by rule)
You are not required to proactively mail the revised NPP to every existing patient — the rule is to make it available on the website, at the location, and to hand it out at the next encounter.
Health plans
Health plans have a stricter redistribution rule: the revised NPP must be provided to members within 60 days of a material change. Acceptable delivery methods include first-class mail, email (if the member has agreed to electronic delivery), or delivery with other routine enrollment or benefit materials. Members who have not seen a notice of availability in the past three years must also receive a reminder that the NPP is available on request.
The Effective Date and Supersede Date
Every revised NPP should state both its effective date (when the new notice takes effect) and the supersede date (when the prior notice was effective). Example formulation: "Effective April 1, 2026. This notice supersedes our prior Notice of Privacy Practices dated January 15, 2023." This helps patients and OCR auditors track which version is current. See NPP effective date vs. supersede date.
Record Retention
Under § 164.530(j), covered entities must retain each version of the NPP for six years from the date it was last in effect. If you revise your NPP, keep the prior version on file — both to satisfy the retention rule and to support any OCR investigation that looks at historical practices.
Frequently Asked Questions
My NPP was drafted in 2021 — do I need to update it?
Yes. Pre-2026 NPPs predate the HHS February 2026 revised model, which integrated Part 2 SUD language, reproductive-health clarifications, and updated individual-rights language. The compliance deadline was February 16, 2026. Any NPP effective before that date and still in use is materially non-compliant. See update your NPP for the update flow.
Do I need to email the updated NPP to every existing patient?
Direct-treatment providers: no. Post it on the website and at the physical location, and hand it out at the next patient visit. Health plans: yes, redistribute to members within 60 days by mail, email (if consented), or bundled with other benefit materials.
If I add a new business associate, do I have to update the NPP?
No — adding a new business associate that fits within existing permitted TPO uses does not require an NPP update. The NPP discloses categories of use, not individual vendor names. However, adding a new category of disclosure (like starting to use PHI for fundraising, research, or marketing) does require an update.
What happens if I don't update my NPP after a material change?
Operating with a stale NPP after a material change is a HIPAA Privacy Rule violation. OCR treats it as a standalone violation under 45 CFR § 164.520. Civil monetary penalties range from $137 to $68,928 per violation (2024 adjusted amounts), up to approximately $2 million per year for repeated violations. See NPP compliance penalties under HHS OCR.
How long do I need to keep old NPP versions?
Six years from the date each version was last in effect, under 45 CFR § 164.530(j). Keep a dated archive of every NPP you have ever used.
Need to update your NPP?
NPP Generator supports both updating an existing NPP and creating one from scratch in the same flow. Upload your current NPP and we'll pre-populate the wizard. The output includes a "supersedes prior notice dated X" line. $49 one-time.