HIPAA NPP Template — Mandatory Content Under 45 CFR § 164.520
A walkthrough of the mandatory content elements for a HIPAA Notice of Privacy Practices, with embedded HHS model language and 42 CFR Part 2 additions. Use this as a reference for what a compliant NPP must contain.
This page describes what a HIPAA Notice of Privacy Practices must contain under 45 CFR § 164.520. If you want the document generated for you — with your entity information inserted and formatted as PDF + Word — use our generator. If you want to understand the clauses and build one manually, this template walkthrough will help.
Mandatory content (from § 164.520(b)(1))
- Header statement. Exact language required: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." Must be prominent at the top.
- Uses and disclosures. Describe how PHI may be used for treatment, payment, and health care operations, and identify other permitted or required uses under § 164.502 and § 164.512.
- Authorization-required uses. State that other uses and disclosures require the individual's written authorization and that authorizations may be revoked in writing.
- Individual rights. Describe the seven rights: restriction, confidential communications, inspect and copy, amendment, accounting of disclosures, paper copy of notice, breach notification.
- Covered entity duties. State the duty to maintain privacy, provide the notice, follow its terms, and notify of breaches.
- Complaints. Provide contact information for internal complaints and HHS OCR complaints; state that no retaliation will occur.
- Contact information. Privacy Officer name, title, phone number, mailing address.
- Effective date. Prominently displayed.
Distribution requirements (§ 164.520(c))
- Direct-treatment providers: provide the NPP at first service delivery (for new patients) and upon request; post the notice at each clinical site where patients receive services; post a copy on the entity website.
- Health plans: provide the NPP to new enrollees at enrollment; remind existing enrollees at least once every three years that the notice is available on request.
- Good-faith acknowledgment: direct-treatment providers must make a good-faith effort to obtain written acknowledgment that the patient received the notice.
Part 2 integration (2024 Final Rule)
Entities that are also Part 2 programs (or that receive Part 2 records as recipients) must add language explaining: (a) that SUD records have additional protections under 42 CFR Part 2; (b) that most disclosures require written consent; (c) that re-disclosure by recipients is prohibited except as permitted by the original consent or federal law; (d) breach notification obligations for Part 2 records under the 2024 rule. A single combined HIPAA/Part 2 notice is permitted.
Material change and redistribution (§ 164.520(b)(3))
When you make a material change — new uses/disclosures, change of Privacy Officer, merger, relocation, revised patient-rights procedures — you must revise the NPP and redistribute. Direct-treatment providers must post the revised notice and provide it to any individual who asks. Health plans must provide the revised notice within 60 days of a material change affecting plan members.
Section 1557 taglines (if receiving federal financial assistance)
Most healthcare programs that receive federal financial assistance — including participation in Medicare or Medicaid — must include Section 1557 taglines in the top 15 non-English languages of the service area, plus notices of availability of auxiliary aids and services. Our generator produces a standard 15-language appendix when enabled.
Ready to generate?
Our generator captures your entity-specific details via a short intake and produces a fully-formatted PDF and editable Word file in under five minutes. It handles Part 2 additions and Section 1557 taglines automatically based on your inputs.
Start your NPP — $49
Not sure if your practice needs an NPP? Find out in 30 seconds →