Does My Practice Need a Notice of Privacy Practices?
The HIPAA NPP requirement applies to covered entities. Whether your practice is a covered entity depends on one technical question: do you electronically transmit any standard health care transaction? This page gives you a plain-language answer by practice type.
Quick answer
If your practice submits any insurance claim electronically — including Medicare, Medicaid, or commercial insurance — you are a HIPAA covered entity and you need a Notice of Privacy Practices under 45 CFR § 164.520. This is true for solo providers, multi-provider groups, and any practice type. Even if you bill only one payer electronically, for one patient, one time, you are a covered entity.
The legal test: covered-entity status under 45 CFR § 160.103
HIPAA defines a "covered entity" as a health care provider who transmits any health information in electronic form in connection with a standard transaction. Standard transactions include:
- Health care claims (submitting a bill to insurance)
- Eligibility verification (checking coverage before a visit)
- Referral certification and authorization
- Claim status inquiries
- Enrollment and disenrollment
- Premium payments and remittance advice
- Coordination of benefits
- Electronic prescribing (in some contexts)
If any of these transactions leaves your practice electronically — even through a billing service, clearinghouse, or EHR that acts on your behalf — you are a covered entity. The entity on the hook is you, not your billing service.
Answer by practice type
Solo therapist, LCSW, psychologist, or licensed counselor
Yes — you need an NPP if you submit insurance claims electronically. Most solo mental-health practices do, directly or through platforms like SimplePractice or TherapyNotes. See our guide for NPP for therapists.
Dental practice (solo, group, or DSO-affiliated)
Yes — you need an NPP if you file dental insurance claims electronically. Virtually all dental practices do, through practice management systems like Dentrix, Eaglesoft, or Open Dental. See NPP for dental practices.
Physical therapy, chiropractic, or occupational therapy practice
Yes — you need an NPP if you bill Medicare, Medicaid, or commercial insurance electronically. Nearly all rehab-focused practices do. See NPP for physical therapy.
Telehealth provider
Yes — you need an NPP, and it must describe how PHI flows through your telehealth platform, EHR, and remote monitoring tools. See NPP for telehealth.
Addiction treatment program (SUD / 42 CFR Part 2 program)
Yes — you need an NPP, and you are also subject to 42 CFR Part 2. The 2024 Part 2 Final Rule permits a single combined HIPAA/Part 2 notice. See NPP for addiction treatment centers.
Small medical practice — solo physician or nurse practitioner
Yes — you need an NPP. The vast majority of small medical practices are covered entities through Medicare/Medicaid participation or commercial insurance billing. See NPP for small medical practices.
Cash-only / direct-pay practice
Probably yes. A truly cash-only practice that never transmits any electronic transaction — no claims, no eligibility checks, no remittance, no e-prescribing, no EHR that integrates with any payer — may not be a covered entity. But the moment any of those flows happens electronically (including through a pharmacy, an HSA/FSA card reader, or an EHR sending eligibility checks), you become a covered entity. In practice, most "cash-only" practices that use any modern health-tech platform are covered entities. When in doubt, maintain an NPP.
Business associate (billing company, EHR vendor, cloud storage, IT support)
No — business associates do not issue their own NPPs. Business associates are governed by a Business Associate Agreement (BAA) with each covered entity they serve. See NPP vs. BAA — what's the difference.
What happens if you should have an NPP and don't?
An absent NPP is treated by HHS OCR as a standalone HIPAA Privacy Rule violation, separate from any other deficiency. Civil monetary penalties range from $137 to $68,928 per violation (2024 adjusted amounts), up to approximately $2 million per year for repeated violations of the same provision. OCR routinely discovers missing NPPs during breach investigations and compliance audits. See NPP compliance penalties under HHS OCR.
Frequently Asked Questions
What is a HIPAA Notice of Privacy Practices?
An NPP is the patient-facing document required by 45 CFR § 164.520. It describes how your practice may use PHI, what rights patients have, and how to file a complaint with HHS OCR. See what is a notice of privacy practices.
If I'm brand new and haven't seen my first patient, do I need an NPP yet?
Yes — the NPP must be in place on or before the date of first service delivery. Most practices prepare the NPP before opening so the version is ready to provide to the first patient and to post on the practice website.
If my billing company submits claims on my behalf, am I still the covered entity?
Yes. The practice is the covered entity regardless of whether a third party executes the electronic transaction. Your billing company is a business associate, not a covered entity for your patients. The NPP obligation falls on you.
Does the NPP requirement apply in every state?
Yes. HIPAA is federal law and applies in all 50 states, the District of Columbia, and the U.S. territories. Some states (California, New York, Massachusetts) impose additional privacy requirements on top of HIPAA — see NPP and state laws stricter than federal.
If you need an NPP, generate one in under 5 minutes.
Built on the HHS February 2026 model. Includes Part 2 SUD language and Section 1557 taglines when applicable. $49 one-time — no subscription.
Start your NPP — $49
Free watermarked preview available. See sample →