Sample HIPAA Notice of Privacy Practices — Annotated

A complete sample Notice of Privacy Practices for a fictional direct-treatment provider, annotated with plain-language explanations of what each section does and which HIPAA provision requires it.

About this sample

This illustrates what a complete § 164.520 notice looks like when rendered by our generator for a fictional practice, Acme Family Medical Group, P.C., based in Austin, Texas. Each section below includes a short note on what it accomplishes and which HIPAA provision requires it.

Header block

Why it's here: § 164.520(b)(1)(i) requires every NPP to show the effective date prominently. Contact information supports the complaint and individual-rights provisions later in the document.

The header warning

Why it's here: § 164.520(b)(1)(i)(B) requires this exact language — a verbatim header warning that must appear at the top of every notice, in prominent type.

Uses and disclosures for TPO

Required by: § 164.520(b)(1)(ii)(A)–(C).

Describes how PHI will be used for treatment, payment, and health care operations — the three core permitted uses that don't require separate authorization. For a direct-treatment provider, this is usually the longest section. For a health plan, the "treatment" portion is typically shorter and "payment" and "enrollment/underwriting" sections are expanded.

Permitted-without-authorization disclosures

Required by: § 164.520(b)(1)(ii)(D) + § 164.512.

Lists the categories of disclosures that § 164.512 permits without written authorization: public health activities, law enforcement under specific conditions, oversight of the health system, judicial proceedings with valid court orders, research under IRB approval, and similar public-interest categories.

Part 2 SUD language (if applicable)

Required by: 42 CFR Part 2 (2024 Final Rule) — only for Part 2 programs or combined HIPAA+Part 2 entities.

For Part 2 programs, this section explains that SUD records are protected by an additional framework requiring written consent for most disclosures, prohibiting re-disclosure by recipients, and limiting subpoenas. The 2024 Final Rule permits a single combined HIPAA/Part 2 notice where an entity is subject to both.

Authorization-required uses

Required by: § 164.520(b)(1)(ii)(E).

States that any use or disclosure not described elsewhere requires written authorization. Specifically calls out psychotherapy notes, most marketing, sale of PHI, and fundraising (with opt-out rights).

Individual rights

Required by: § 164.520(b)(1)(iv).

The individual-rights section is the most patient-facing part of the document. Seven rights are required: restrictions, confidential communications, inspect and copy, amendment, accounting of disclosures, paper copy of notice, and breach notification.

Our duties and complaints contact

Required by: § 164.520(b)(1)(v)–(vii).

States the entity's legal duties (maintain privacy, notify on breach, follow the current notice, reserve the right to change), and provides two complaint paths: internal (Privacy Officer) and external (HHS Office for Civil Rights, with full address and phone).

Acknowledgment of receipt

Required by: § 164.520(c)(2)(ii) — direct-treatment providers only.

Direct-treatment providers must make a good-faith effort to obtain written acknowledgment that the patient received the notice. If the patient declines or cannot acknowledge, the provider documents the attempt. Omitted for health plans and Part-2-only programs.

Section 1557 taglines (optional appendix)

Required by: 45 CFR § 92.11 — for programs receiving federal financial assistance.

If the entity receives federal financial assistance (Medicare/Medicaid participation qualifies), it must include taglines in the top 15 non-English languages of the service area, plus a notice of availability of auxiliary aids. Our generator adds a standard 15-language appendix when you check the Section 1557 box.

Not sure if your practice needs an NPP? Find out in 30 seconds →