Sample HIPAA Notice of Privacy Practices — Annotated
A complete sample Notice of Privacy Practices for a fictional direct-treatment provider, annotated with plain-language explanations of what each section does and which HIPAA provision requires it.
About this sample
This sample illustrates what a complete § 164.520 notice looks like when rendered by our generator for a fictional practice, Acme Family Medical Group, P.C., based in Austin, Texas. Each section below includes a short note on what it accomplishes and which HIPAA provision requires it.
Header block
123 Main Street, Suite 400, Austin, TX 78701
Phone: (555) 123-4567 · Web: acmefamilymed.example.com
Effective Date: April 23, 2026
Why it's here: § 164.520(b)(1)(i) requires every NPP to show the effective date prominently. Contact information supports the complaint and individual-rights provisions later in the document.
The header warning
Why it's here: § 164.520(b)(1)(i)(B) requires this exact language — a verbatim header warning that must appear at the top of every notice, in prominent type.
Uses and disclosures for TPO
Required by: § 164.520(b)(1)(ii)(A)–(C).
Describes how PHI will be used for treatment, payment, and health care operations — the three core permitted uses that don't require separate authorization. For a direct-treatment provider, this is usually the longest section. For a health plan, the "treatment" portion is typically shorter and "payment" and "enrollment/underwriting" sections are expanded.
Permitted-without-authorization disclosures
Required by: § 164.520(b)(1)(ii)(D) + § 164.512.
Lists the categories of disclosures that § 164.512 permits without written authorization: public health activities, law enforcement under specific conditions, oversight of the health system, judicial proceedings with valid court orders, research under IRB approval, and similar public-interest categories.
Part 2 SUD language (if applicable)
Required by: 42 CFR Part 2 (2024 Final Rule) — only for Part 2 programs or combined HIPAA+Part 2 entities.
For Part 2 programs, this section explains that SUD records are protected by an additional framework requiring written consent for most disclosures, prohibiting re-disclosure by recipients, and limiting subpoenas. The 2024 Final Rule permits a single combined HIPAA/Part 2 notice where an entity is subject to both.
Authorization-required uses
Required by: § 164.520(b)(1)(ii)(E).
States that any use or disclosure not described elsewhere requires written authorization. Specifically calls out psychotherapy notes, most marketing, sale of PHI, and fundraising (with opt-out rights).
Individual rights
Required by: § 164.520(b)(1)(iv).
The individual-rights section is the most patient-facing part of the document. Seven rights are required: restrictions, confidential communications, inspect and copy, amendment, accounting of disclosures, paper copy of notice, and breach notification.
Our duties and complaints contact
Required by: § 164.520(b)(1)(v)–(vii).
States the entity's legal duties (maintain privacy, notify on breach, follow the current notice, reserve the right to change), and provides two complaint paths: internal (Privacy Officer) and external (HHS Office for Civil Rights, with full address and phone).
Acknowledgment of receipt
Required by: § 164.520(c)(2)(ii) — direct-treatment providers only.
Direct-treatment providers must make a good-faith effort to obtain written acknowledgment that the patient received the notice. If the patient declines or cannot acknowledge, the provider documents the attempt. Omitted for health plans and Part-2-only programs.
Section 1557 taglines (optional appendix)
Required by: 45 CFR § 92.11 — for programs receiving federal financial assistance.
If the entity receives federal financial assistance (Medicare/Medicaid participation qualifies), it must include taglines in the top 15 non-English languages of the service area, plus a notice of availability of auxiliary aids. Our generator adds a standard 15-language appendix when you check the Section 1557 box.
See your own NPP
Enter your entity information and the generator produces a complete, formatted NPP adapted to your entity type. $49 one-time.