HIPAA Notice of Privacy Practices: What is an NPP and How Do I Create One?


As a Health Insurance Portability and Accountability Act (HIPAA)-covered provider, you are required to distribute a Notice of Privacy Practices (NPP) document to your patients.

This notice fulfills a three-fold purpose:

  1. Describe to the patient the uses and disclosures your organization can make of their protected health information (PHI)
  2. Explain your organization’s legal responsibilities and privacy practices designed to protect PHI
  3. Inform patients of their individual rights to their PHI and how they can exercise those rights

If you want to ensure HIPAA compliance, there are a few critical things your NPP must contain, plus the considerations of formatting and distribution. That’s why today we’re sharing all the details about NPPs, including everything you need to know to keep your patients informed—and your organization HIPAA compliant.

Ready to learn more? Let’s dive in.

What Goes in a Notice of Privacy Practices?

When composing your NPP, there are a few elements that are essential to include. The first is a header, which should be prominently displayed, stating:


In the body of the notice, you must include many statements about your organization’s responsibilities and the patient’s rights, including the following:

The Covered Entity’s Responsibilities

  • Your organization is required by law to maintain the privacy of PHI
  • Your organization must get patient authorization for uses and disclosures of psychotherapy notes, PHI for marketing purposes, and the sale of PHI
  • Your organization must get patient authorization to use or disclose PHI for purposes not described in the NPP or permitted under the Privacy Rule
  • [If applicable] Your organization intends to contact patients for appointment reminders, information about treatment alternatives, or other health-related benefits or services
  • [If applicable] Your organization intends to contact patients for fundraising purposes

The Individual’s Rights

  • The right to request restrictions on certain uses and disclosures of PHI
  • The right to receive confidential communications of PHI
  • The right to inspect and copy PHI
  • The right to amend PHI
  • The right to receive an accounting of disclosures
  • The right to revoke an authorization
  • The right to opt out of communications and fundraising from your organization
  • The right to file a complaint with your organization or with the Secretary of the Department of Health and Human Services (HHS)
  • The right to be notified of a breach of unsecured PHI

See 45 CFR §164.520(b)(1) for a complete list of statements that you must include in your NPP.

In the notice, you should also include the information of someone whom patients can contact to learn more about your organization’s policies, and the notice’s effective date. Keep in mind that your NPP shouldn’t predate September 2013, which was the compliance date for the HIPAA Omnibus Rule.

How Should You Design a Notice of Privacy Practices?

HHS provides NPP templates you can customize for your organization. There are three standard formats:

  1. Booklet (folded and stapled). HHS found that patients preferred this format, as booklets are approachable and portable.
  2. Layered design (first page summary of key rights, uses, and disclosures, followed by detailed description). A layered design is easier for patients to skim for key information.
  3. Full page (printed on 8½" x 11" paper). This is easier to assemble than a booklet.

When choosing a format and design, remember the purpose of the NPP is to make patients aware of their rights to their health information and your organization’s privacy practices. So, the notice should be user-friendly, accessible, and easy to understand. Consider some accessibility best practices:

  • Use plain language that anyone can understand
  • Translate the notice into frequently encountered languages, such as Spanish
  • Provide alternate formats for patients with disabilities, such as large print, audio, or Braille
  • Use high-contrast color to highlight key information and make the document easier to read

How Should You Distribute a Notice of Privacy Practices?

As a healthcare organization, you are legally required to provide a copy of your NPP to patients with whom you have a direct treatment relationship, as well as to anyone who requests a copy.

When a patient first presents for care, you must give them a copy of the NPP. You must also make a good faith effort to get a signature from the patient acknowledging that they have received a copy of the NPP. In an emergency treatment situation, supply the NPP and get their signature reasonably soon after the emergency is over. If the patient refuses to sign the acknowledgment, you must initial and date the acknowledgment and note why the patient refused to sign.

Additionally, if your organization has a website that provides information to customers, you must keep a copy of your NPP prominently on the website.

Some other great ways to distribute your NPP include:

  • Hang larger laminated copies of the NPP in examination rooms and waiting rooms, allowing patients to read it while waiting for their doctor
  • Set a stack of printed copies of the NPP at point-of-service locations
  • Email the NPP to patients who have agreed to electronic communications

When you change or revise your NPP, you must make the new copies available upon request and update your website to provide the revised NPP or information about how to obtain it. You do not need to redistribute the revised NPP to patients who have received a copy of the previous version.

In Summary

The HIPAA Privacy Rule requires you to distribute a Notice of Privacy Practices (NPP) to every patient under your care. This NPP document makes patients aware of their rights to their health information, how they can exercise those rights, and your organization’s responsibilities and practices designed to keep their information private.

Make sure you include all required statements, design the NPP for patients’ ease of use, and distribute it appropriately. Supply your staff members with copies of the NPP and make sure they understand their responsibilities.


Please seek legal counsel when creating your Notice of Privacy Practices to ensure HIPAA compliance for your organization.
