HIPAA Notice of Privacy Practices
Complete guide to HIPAA Notice of Privacy Practices (NPP). Learn requirements, what to include, distribution methods, and how to keep it current.
What is a Notice of Privacy Practices?
A Notice of Privacy Practices (NPP) is a document that informs patients about how a healthcare provider uses and protects their protected health information (PHI). It's a mandatory requirement under the HIPAA Privacy Rule for all covered entities (healthcare providers, health plans, healthcare clearinghouses) and business associates handling PHI.
The NPP explains:
- What information is collected and how it's used
- Patient rights regarding their medical information
- How patients can access and control their records
- How to file complaints about privacy violations
- How the organization protects patient privacy
Legal Requirements (45 CFR § 164.520)
Who Must Provide an NPP?
Covered Entities Required to Provide NPP:
- Healthcare providers (physicians, dentists, hospitals, clinics)
- Health plans (insurance companies, HMOs, PPOs)
- Healthcare clearinghouses
- Business associates handling PHI on behalf of covered entities
Exceptions:
- Military medical facilities (use different notice)
- Veterans Administration facilities
- Federal Indian tribes
- Certain federal agencies
Timing of Notice Delivery
At or Before First Service:
- Original NPP must be provided at first healthcare contact
- Before providing any services (except emergencies)
- Obtain written acknowledgment of receipt
Ongoing Availability:
- Keep copy posted in public areas
- Make available upon request at any time
- Provide updated version when changes occur
Electronic Providers:
- Must make NPP accessible on website
- Must allow download/print capability
- Must provide in writing if requested
Required Content (45 CFR § 164.520(b))
1. Uses and Disclosures for Treatment, Payment, Operations
Treatment: Information needed to provide medical care
Example: "We may use your health information to provide treatment, coordinate care with specialists, and maintain medical records necessary for your care."
Payment: Billing, insurance claims, payment collection
Example: "We use your information to bill your insurance company, process claims, and collect payment for services."
Healthcare Operations: Administrative and management functions
Example: "We may use your information for quality improvement, staff training, compliance monitoring, and business planning."
2. Other Uses and Disclosures
Must describe legally permissible uses not requiring authorization:
Legally Required Disclosures:
- Public health activities (disease reporting)
- Law enforcement (with warrant or subpoena)
- Court orders and legal proceedings
- Child abuse/neglect reporting
- Health oversight (Medicare, state agencies)
Permitted Disclosures:
- Organ donation coordination
- Funeral arrangements
- Business associates
- Disaster relief efforts
- International activities (foreign governments)
3. Patient Rights
Must clearly explain patient's rights including:
Right to Access (45 CFR § 164.524)
"You have the right to request and receive a copy of your medical records. We must provide this within 30 days. We may charge reasonable copying fees."
Right to Request Amendment (45 CFR § 164.526)
"You can request that we correct information you believe is inaccurate or incomplete. We must respond within 30 days."
Right to Request Restrictions (45 CFR § 164.522)
"You can request limitations on how we use or disclose your information, though we are not required to agree."
Right to Request Confidential Communications (45 CFR § 164.522)
"You can request that we send information to an alternate address or via secure method."
Right to Breach Notification (45 CFR § 164.404)
"You will be notified without unreasonable delay if your unsecured information is breached."
Right to Accounting of Disclosures (45 CFR § 164.528)
"You can request a list of how we have disclosed your information for the past six years."
Right to Revoke Authorization (45 CFR § 164.508)
"You can revoke authorization for use/disclosure at any time by notifying us in writing. This does not apply to information already disclosed."
Right to Paper Copy
"You can request a paper copy of this notice at any time, even if you previously received one electronically."
4. Complaint Procedure
Must include:
- How to file complaint with covered entity
- Contact information (name, address, phone, email)
- Process and timeline for addressing complaints
To file a complaint with [Organization Name]:
Contact: [Name], Privacy Officer
Address: [Address]
Phone: [Phone Number]
Email: [Email Address]
We will respond to your complaint within 10 business days.
You may also file a complaint with the U.S. Department of
Health and Human Services Office for Civil Rights:
HHS Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Telephone: 1-877-696-6775
Email: OCRComplaint@hhs.gov
Website: www.hhs.gov/ocr
5. Effective Date and Changes
Effective Date: [Date]
Last Updated: [Date]
This Notice of Privacy Practices is effective as of the date above and will remain in effect until revised. We reserve the right to change this notice and will notify you of any changes by posting an updated version and providing notice of material changes within 60 days.
6. Specific Policy Details
The NPP must specify:
- Organization's privacy officer contact information
- History of information uses (past 6 years)
- Special handling for sensitive information:
  - Substance abuse treatment (42 CFR Part 2)
  - Mental health records
  - HIV-related information
  - Genetic information
Complete NPP Template
SAMPLE NOTICE OF PRIVACY PRACTICES
[HEALTHCARE ORGANIZATION NAME]
Effective Date: [Date]
Your privacy is important to us. This notice explains how [Organization Name] uses and protects your health information in accordance with HIPAA regulations.
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION
For Treatment
We use your health information to provide medical care and services. This includes diagnosis, treatment planning, medical records, prescription management, and coordination with other providers.
For Payment
We use your information to bill insurance companies, process payment claims, and collect outstanding balances. This includes sharing information with your insurance company.
For Healthcare Operations
We may use your information to:
- Improve quality of care and safety
- Train staff and medical students
- Conduct compliance audits
- Manage business operations
- Contact you about appointments and treatment alternatives
- Determine eligibility for benefits
Business Associates
We may share your information with business associates who provide services on our behalf, such as billing companies, lawyers, and consultants. These entities are contractually obligated to protect your information.
Family and Friends
We may disclose information to family members or others involved in your care if you authorize us or if it's in your best interest and you do not object.
When We May Disclose Without Authorization
We may disclose your information without your authorization for:
- Public health activities (disease/injury reporting)
- Health oversight (audits, investigations)
- Law enforcement (with proper legal process)
- Judicial proceedings (court orders, subpoenas)
- Child abuse/neglect reporting
- Infectious disease exposure notification
- Organ/tissue donation
- Funeral arrangements
- Disaster relief
- Correctional facilities (for inmates)
YOUR PRIVACY RIGHTS
Right to Access
You have the right to request and receive a copy of your medical records within 30 days. We may charge $0.25-$1.00 per page for copies and actual postage.
Right to Request Amendment
You may request corrections to information you believe is inaccurate or incomplete. We have 30 days to respond. If we deny your request, you can appeal.
Right to Request Restrictions
You can request limitations on how we use or disclose your information. We are not required to agree but will consider reasonable requests.
Right to Confidential Communications
You can request that we send information to an alternate address or through a secure method (e.g., encrypted email).
Right to Breach Notification
If your unsecured information is breached, you will be notified without unreasonable delay (typically within 60 days).
Right to Accounting of Disclosures
You may request a list of disclosures we have made of your information for the past six years, excluding disclosures for treatment, payment, operations, and other exceptions.
Right to Revoke Authorization
You may revoke authorization for use/disclosure by providing written notice. This does not apply to information already disclosed or used.
Right to Paper Copy
You may request a paper copy of this notice at any time, even if you agreed to receive it electronically.
HOW WE PROTECT YOUR INFORMATION
We maintain administrative, physical, and technical safeguards to protect your information:
- Access controls and authentication
- Secure facilities with limited access
- Encryption of electronic data
- Regular security audits
- Employee privacy training
- Secure destruction of records
- Incident response procedures
HOW TO EXERCISE YOUR RIGHTS
To Exercise Any Right
Contact our Privacy Officer:
Name: [Privacy Officer Name]
Address: [Address]
Phone: [Phone Number]
Email: [Email Address]
We will provide forms and assist you in exercising your rights. We cannot penalize you for exercising any of these rights.
TO FILE A COMPLAINT
If you believe your privacy has been violated, you may file a complaint with:
[Organization Name] Privacy Officer
[Contact Information above]
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Telephone: 1-877-696-6775
Email: OCRComplaint@hhs.gov
We will not retaliate against you for filing a complaint.
ACKNOWLEDGMENT OF RECEIPT
I acknowledge that I have received a copy of the Notice of Privacy Practices dated [Date].
Patient Name (print): _______________________________
Patient/Guardian Signature: _________________________ Date: _______
Staff Witness: _________________________ Date: _______
Distribution Requirements
Initial Distribution
- Before or at first service: Obtain written acknowledgment
- Exceptions: Emergency situations (provide as soon as possible)
- Document: Keep signed acknowledgments for at least 6 years
Ongoing Availability
- Public posting: Conspicuous location in waiting areas
- Website: For electronic providers, prominently posted
- Request basis: Provide copy within 10 days of any request
- Updates: Distribute changed notice within 60 days of material change
Special Circumstances
- Telehealth visits: Email or electronic copy acceptable
- Emergency services: Provide notice after emergency treatment
- Hospitalizations: Can provide at admission or within 24 hours
- Non-English speakers: Provide in patient's primary language
Common Elements to Include
Privacy Officer Information
Designated Privacy Officer responsible for implementing the NPP and receiving privacy complaints.
Substance Abuse Program Notice
If your organization operates a substance abuse treatment program: "Federal law and regulations require special protections for substance abuse treatment information..."
Mental Health Notice
If your organization maintains mental health records: "Your psychotherapy notes and mental health records may have additional protections..."
Special Authorizations
Disclosure for marketing, fundraising, or sale of information requires separate written authorization.
Business Associate Clause
"We may share your information with outside companies that assist us with billing, transcription, consulting, or other functions required to serve you."
Updates and Changes
When to Update NPP
- Material changes: Any significant change to practices
- New uses/disclosures: Adding new authorized uses
- New contact information: Privacy officer change
- New safeguards: Enhanced security measures
- Regulatory changes: Changes in law or regulation
Notifying Patients of Changes
For current patients:
- Post updated NPP on website
- Mail notice of material changes
- Provide at next visit
- Post in public areas
Compliance Audit Checklist
- NPP provided before first service or at admission
- Written acknowledgment of receipt obtained
- NPP includes all required elements per 45 CFR 164.520(b)
- Effective date and last updated date clearly stated
- Privacy officer contact information accurate and current
- Complaint procedures clearly explained
- Patient rights described in plain language
- Posted in public areas and website
- Available in alternative formats upon request
- Updated within 60 days of material changes
- Available in patients' primary language if applicable
- Business associate provisions included
FAQ
Q: How often should we update the NPP?
A: Annually at minimum, or whenever there's a material change in practices.
Q: Must we provide the NPP in multiple languages?
A: For patients with limited English proficiency and significant need, yes. At minimum, provide written notice in the patient's primary language.
Q: What if we forget to give the NPP at the first visit?
A: Provide it immediately and obtain acknowledgment. Document the delay.
Q: Can we provide the NPP electronically only?
A: If the patient agrees to electronic receipt and can readily access it. Otherwise, provide a paper copy.
Q: How long must we keep the acknowledgment of receipt?
A: At least 6 years per the HIPAA minimum documentation requirement.
Q: If we modify the NPP, do we need to notify all past patients?
A: Material changes should be communicated to current patients; historical patients don't need notification for past records.
Q: What's considered a "material change"?
A: Changes to patient rights, new uses/disclosures, privacy officer contact information, or significant security enhancements.