In 2011, Cignet Health of Prince George's County, Maryland received a $4.3 million civil money penalty — the first CMP ever issued under the HIPAA Privacy Rule. The core violation: denying 41 patients access to their medical records, a right that every notice of privacy practices is required to explain. Cignet then refused to cooperate with OCR's investigation, compounding the penalty from $1.3 million to $4.3 million.
Your notice of privacy practices (NPP) is not a formality. It is a federal requirement under 45 CFR 164.520 that tells every patient exactly how their protected health information (PHI) will be used, what rights they have over it, and what to do if those rights are violated. Get it wrong — or fail to distribute it — and OCR has grounds for enforcement before a single breach occurs.
This guide covers what the HIPAA notice of privacy practices must contain, who must provide one, how to distribute it, common mistakes, and a checklist you can use to verify your NPP meets current requirements.
What Is a Notice of Privacy Practices?
A notice of privacy practices (NPP) is a written document that explains to patients how a covered entity may use and disclose their PHI, what rights they have regarding that information, and how they can file a complaint if they believe their rights have been violated.
Under the HIPAA Privacy Rule, every covered entity — healthcare providers who conduct electronic transactions, health plans, and healthcare clearinghouses — must develop, maintain, and distribute an NPP. The requirement is codified in 45 CFR 164.520.
The NPP is not a consent form. It is a unilateral notice from the covered entity to the patient. The patient does not sign the NPP; instead, a healthcare provider with a direct treatment relationship must make a good faith effort to obtain a written acknowledgment of receipt (health plans have no acknowledgment requirement). If the patient refuses to sign, the provider documents the attempt and proceeds with treatment; treatment cannot be conditioned on the acknowledgment.
Business associates do not issue their own NPP. Their obligations are governed by the business associate agreement (BAA), not the notice requirement. For more on that distinction, see our guide to business associate agreements.
Who Must Provide a Notice of Privacy Practices?
Three categories of covered entities must provide an NPP:
- Healthcare providers who transmit health information electronically in connection with a HIPAA-covered transaction (claims, eligibility checks, referral authorizations). This includes physicians, dentists, chiropractors, pharmacies, hospitals, nursing facilities, and most clinical practices.
- Health plans, including group health plans, health insurance issuers, HMOs, Medicare, and Medicaid programs.
- Healthcare clearinghouses that process health information received from another entity into a standard format.
If your practice bills electronically — and virtually all do — you are a covered entity and you need an NPP. There is no small practice exemption.
Required Content Under 45 CFR 164.520
The Privacy Rule specifies exactly what a HIPAA notice of privacy practices must contain. Missing any required element means your NPP is non-compliant, regardless of how polished it looks.
1. Header Requirement
The notice must contain the following statement, as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
This is not optional language. The regulation specifies the statement verbatim (§164.520(b)(1)(i)); it does not allow a paraphrase. Many practices bury it in the body of the notice or reword it, which creates a compliance gap.
2. Uses and Disclosures of PHI
The NPP must describe, with at least one example for each, how the covered entity may use or disclose PHI for:
- Treatment — sharing records with referring physicians, specialists, or labs
- Payment — submitting claims to insurers, verifying coverage
- Healthcare operations — quality assessments, training, audits, compliance activities
The notice must also describe each of the other purposes for which the entity is permitted or required to use or disclose PHI without the patient's written authorization, including public health activities, law enforcement, judicial and administrative proceedings, and certain research activities. Where state or other law is more stringent than HIPAA, the description must reflect the more stringent law. The notice must then state that any use or disclosure not described in it will be made only with the patient's written authorization, that the patient may revoke such an authorization, and must identify the uses that always require authorization under 45 CFR 164.508(a)(2) through (a)(4): most uses of psychotherapy notes, marketing, and sale of PHI.
If the covered entity intends to contact patients to raise funds, the NPP must include a separate statement saying so and telling the patient they have the right to opt out of fundraising communications. Marketing gets no opt-out: it requires written authorization, and the notice must say so.
3. Individual Rights
The NPP must inform patients of every right they hold under the Privacy Rule:
- Right to inspect and obtain a copy of their PHI (45 CFR 164.524)
- Right to request amendments to their records (45 CFR 164.526)
- Right to an accounting of disclosures (45 CFR 164.528)
- Right to request restrictions on uses and disclosures (45 CFR 164.522(a)), together with a statement that the entity is not required to agree to a requested restriction, except the restriction a patient who pays out of pocket in full may place on disclosures to a health plan (164.522(a)(1)(vi))
- Right to request confidential communications by alternative means or at alternative locations (45 CFR 164.522(b)), for example calling a different phone number
- Right to receive a paper copy of the NPP upon request, even if the patient agreed to electronic notice
- Right to be notified following a breach of unsecured PHI (the regulation phrases this as a duty of the covered entity, §164.520(b)(1)(v)(A))
Each right must be described in sufficient detail for the patient to understand what it means and how to exercise it. A one-sentence mention is not sufficient.
4. Covered Entity Duties
The NPP must contain a statement that the covered entity is required by law to:
- Maintain the privacy of PHI
- Provide the notice of its privacy practices
- Abide by the terms of the notice currently in effect
- Notify affected individuals following a breach of unsecured PHI
The notice must also state that the covered entity reserves the right to change the terms of its notice and to make the new terms effective for all PHI it maintains, including PHI created or received before the change, and must describe how the entity will provide patients with a revised notice (§164.520(b)(1)(v)(B) and (C)). Without that reservation statement, a later change in practices can be applied only to PHI created or received after the revised notice is issued.
5. Contact Information and Complaints
The NPP must include:
- The name (or title) and phone number of a contact person or office for further information or to file complaints with the covered entity
- A statement that the individual may file a complaint with the Secretary of HHS and instructions on how to do so
- A statement that the individual will not be retaliated against for filing a complaint
The contact person is typically the HIPAA compliance officer or privacy officer.
6. Effective Date
Every NPP must include the date on which the notice is effective. This is not the date the patient received the notice — it is the date the notice's terms became operative. When you revise your NPP, the effective date must be updated.
NPP vs. HIPAA Authorization Form
Practices frequently confuse the NPP with the HIPAA authorization form. They serve entirely different purposes:
| Document | Purpose | Patient Signature Required? | Legal Basis |
|---|---|---|---|
| Notice of Privacy Practices (NPP) | Informs patient how PHI will be used; describes patient rights | No — only acknowledgment of receipt | 45 CFR 164.520 |
| HIPAA Authorization Form | Grants permission for a specific use or disclosure of PHI not otherwise permitted | Yes — patient must sign to authorize | 45 CFR 164.508 |
The NPP is a one-way notice: "here is what we do with your data." The authorization is a two-way agreement: "we need your specific permission to do this particular thing." Combining them into a single form creates confusion and may render both documents deficient.
For full authorization requirements, see our guide to HIPAA authorization form requirements.
When and How to Distribute the NPP
Healthcare Providers
Healthcare providers with a direct treatment relationship must:
- Provide the NPP to every patient no later than the first date of service delivery, including service delivered electronically
- Make a good faith effort to obtain written acknowledgment that the patient received the notice
- Have the NPP available at the service delivery site for patients to take with them
- Post the NPP in a clear and prominent location at the facility
- Post the NPP on the practice's website, if the practice has one
If the first service is provided in an emergency, the provider must provide the NPP as soon as reasonably practicable after the emergency ends.
Health Plans
Health plans must:
- Provide the NPP to new enrollees at the time of enrollment
- Provide a revised NPP to individuals covered by the plan within 60 days of a material revision (a plan that posts its NPP on its website may instead post the change prominently by its effective date and provide the revised notice, or information about the change and how to obtain it, in its next annual mailing; §164.520(c)(1)(v))
- No less often than once every three years, notify individuals covered by the plan that the notice is available and how to obtain it
Electronic Notice Rules
Covered entities may provide the NPP electronically if the individual agrees to electronic notice and has not withdrawn that agreement (§164.520(c)(3)(ii)). Email delivery to a patient who has agreed satisfies the requirement, with two caveats: if the entity learns that the transmission failed (a bounce, for example), it must provide a paper copy; and the patient keeps the right to a paper copy on request regardless of the agreement. A provider whose first service is delivered electronically must send the notice automatically and at the same time it responds to the patient's first request for service.
Common NPP Mistakes
After reviewing NPPs across hundreds of small practices, these are the mistakes we see most often:
1. Using a template without customization. HHS provides model NPP language, but a model is a starting point — not a finished document. Your NPP must reflect your specific practices, including any uses for fundraising, research, or marketing. A generic template that omits your actual practices creates a gap between what the notice says and what you do.
2. Failing to update after regulatory changes. The 42 CFR Part 2 final rule published in February 2024, with a compliance date of February 16, 2026, requires covered entities that receive or maintain substance use disorder (SUD) records from a Part 2 program to include specific statements in their NPP about how those records are handled. If your NPP has not been revised to add those statements, it is out of compliance as of the compliance date.
3. Not obtaining the acknowledgment. You do not need the patient's signature to treat them, but you must document a good faith attempt. Many practices skip the acknowledgment entirely, leaving no record that the notice was offered. In an OCR investigation, that gap is difficult to explain.
4. Omitting the breach notification statement. The HITECH Act created the breach notification duty, and the 2013 Omnibus Rule that implemented it added the required NPP statement that the entity will notify affected individuals following a breach of unsecured PHI (§164.520(b)(1)(v)(A)). NPPs drafted before the September 2013 compliance date and never updated are missing this element. We still find pre-HITECH NPPs in active use.
5. Treating the NPP as a consent form. Asking patients to "sign the HIPAA form" conflates the NPP with an authorization or consent. The patient is acknowledging receipt, not consenting to anything. Staff should be trained to explain the distinction.
6. Posting only online. A website posting alone does not satisfy the distribution requirement for providers. The NPP must be available in physical form at the service delivery site and provided to patients at the first service encounter.
Enforcement: What Happens When NPPs Are Wrong
NPP-related violations typically surface during OCR investigations triggered by patient complaints — not random audits. The most common complaint: a patient tried to exercise a right described in (or missing from) the NPP and was denied.
Cignet Health — $4.3 Million (2011)
The first civil money penalty in HIPAA history. Cignet denied 41 patients access to their medical records — a right the NPP is required to describe — and then refused to cooperate with OCR's investigation. The penalty: $1.3 million for the access violations, plus $3 million for willful neglect in refusing to cooperate with OCR.
Right of Access Initiative — 50+ Settlements (2019–2026)
OCR's Right of Access Initiative has resulted in more than 50 settlements, with penalties ranging from $3,500 to $240,000. Every one of these cases involved a patient right that the NPP is required to explain. When a patient reads their NPP, understands they have a right to access their records, requests those records, and is denied — that is when complaints are filed and investigations begin.
Pattern: NPP Is the Trigger
In most patient-initiated OCR complaints, the NPP is either the mechanism by which the patient learned about their right (and found it was violated) or the document whose inadequacy made the violation worse. An incomplete NPP that fails to describe the right to access, the right to amend, or the right to an accounting of disclosures leaves the organization exposed when those rights are exercised.
Notice of Privacy Practices Checklist
Use this checklist to verify your NPP meets current HIPAA requirements:
| Requirement | Citation | Present? |
|---|---|---|
| Required header ("THIS NOTICE DESCRIBES...") | §164.520(b)(1)(i) | ☐ |
| Description of uses/disclosures for treatment, payment, operations (with examples) | §164.520(b)(1)(ii)(A) | ☐ |
| Description of other permissible uses/disclosures (public health, law enforcement, etc.), reflecting more stringent law where applicable | §164.520(b)(1)(ii)(B) through (D) | ☐ |
| Statement that other uses require written authorization, that authorization may be revoked, and which uses always require it (psychotherapy notes, marketing, sale of PHI) | §164.520(b)(1)(ii)(E) | ☐ |
| Statement about fundraising and opt-out right (if applicable) | §164.520(b)(1)(iii)(A) | ☐ |
| Right to request restrictions, with statement that the entity need not agree (except the self-pay restriction) | §164.520(b)(1)(iv)(A) | ☐ |
| Right to confidential communications | §164.520(b)(1)(iv)(B) | ☐ |
| Right to inspect and obtain copies of PHI | §164.520(b)(1)(iv)(C) | ☐ |
| Right to request amendment of records | §164.520(b)(1)(iv)(D) | ☐ |
| Right to accounting of disclosures | §164.520(b)(1)(iv)(E) | ☐ |
| Right to a paper copy of the NPP | §164.520(b)(1)(iv)(F) | ☐ |
| Statement of covered entity's duties, including breach notification | §164.520(b)(1)(v)(A) | ☐ |
| Reservation of right to change privacy practices and how a revised notice will be provided | §164.520(b)(1)(v)(B)-(C) | ☐ |
| Right to file complaint with covered entity, and how | §164.520(b)(1)(vi) | ☐ |
| Right to file complaint with HHS Secretary | §164.520(b)(1)(vi) | ☐ |
| No retaliation statement | §164.520(b)(1)(vi) | ☐ |
| Contact person name/title and phone number | §164.520(b)(1)(vii) | ☐ |
| Effective date | §164.520(b)(1)(viii) | ☐ |
| Substance use disorder (SUD) record statements (if the entity receives or maintains Part 2 records; compliance date February 16, 2026) | 42 CFR Part 2; §164.520 | ☐ |
If any box is unchecked, your NPP needs revision before your next patient encounter.
When to Update Your NPP
The Privacy Rule requires that covered entities promptly revise and distribute their NPP when a material change occurs. Triggers include:
- Regulatory changes: the 42 CFR Part 2 alignment, with its February 16, 2026 compliance date, is the most recent example
- New uses of PHI — adding telehealth services, a patient portal, or marketing communications
- Organizational changes — merging with another practice, joining an Organized Health Care Arrangement (OHCA), or changing business associates
- Privacy practice changes — modifying how you handle access requests, amending your directory policy, or changing breach notification procedures
When you revise the NPP, you must make the revised notice available at your facility on or after its effective date, post it on your website if you have one, and provide it to anyone who requests it. Healthcare providers do not need to re-distribute to every existing patient, only to new patients and anyone who asks. Health plans must provide the revised notice to covered individuals within 60 days of a material change, unless the plan posts its NPP on its website, in which case it may post the change by its effective date and include the revised notice (or information about the change and how to obtain it) in its next annual mailing.
Frequently Asked Questions
What is a notice of privacy practices?
A notice of privacy practices (NPP) is a document required by 45 CFR 164.520 that informs patients how a covered entity uses and discloses their protected health information, what rights patients have over their data, and how to file a complaint if those rights are violated.
What is the purpose of a notice of privacy practices?
The purpose is to ensure transparency. Patients must know how their PHI will be used before they receive care, what rights they can exercise (access, amendment, accounting of disclosures, restrictions, confidential communications), and who to contact if something goes wrong.
Does a patient have to sign the notice of privacy practices?
No. The NPP is not a consent form. Patients are asked to sign an acknowledgment of receipt, not the notice itself. If a patient refuses to sign the acknowledgment, document the attempt and proceed. Treatment cannot be conditioned on signing the acknowledgment.
Is the notice of privacy practices the same as a HIPAA consent form?
No. The NPP is a unilateral notice from the covered entity to the patient. A HIPAA authorization form is a patient-signed document granting permission for a specific disclosure. The NPP informs; the authorization permits.
How often must the notice of privacy practices be updated?
There is no fixed schedule. The NPP must be revised promptly whenever a material change occurs to the covered entity's privacy practices, and the change cannot take effect before the revised notice's effective date. Health plans must distribute a revised notice within 60 days of a material revision (or, if they post the NPP on their website, post the change by its effective date and cover it in the next annual mailing). Healthcare providers must make the revised NPP available at the facility and on their website and provide it on request.
Do I need to update my NPP for the 42 CFR Part 2 changes?
If your practice receives or maintains substance use disorder (SUD) records from a Part 2 program, yes. The Part 2 final rule (published February 2024, compliance date February 16, 2026) requires that your NPP include statements about how those records are handled. If you do not receive Part 2 records, this specific update does not apply, but you should still review your NPP for other required elements that may have been missed in prior versions.
Sources
- 45 CFR 164.520 — Notice of Privacy Practices for Protected Health Information
- HHS OCR — Cignet Health Civil Money Penalty
- HHS OCR — Enforcement Highlights
- 45 CFR 164.508 — Uses and Disclosures Requiring Authorization
- 45 CFR 164.524 — Access of Individuals to Protected Health Information
- 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records
Conclusion
Your notice of privacy practices is the single document every patient receives. It defines their rights, sets your obligations, and becomes the reference point for every complaint and every OCR investigation. Use the checklist above to verify yours meets every requirement under 45 CFR 164.520 — then make sure your staff knows how to distribute it and obtain the acknowledgment.
One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Learn more.