Compliance Foundations

Notice of Privacy Practices (NPP) Template — 2026

9 min read · Last reviewed May 23, 2026

A Notice of Privacy Practices (NPP) is the written notice that a HIPAA covered entity must provide to patients describing how the practice uses and discloses protected health information and what rights the patient has. The requirement lives at 45 CFR § 164.520 and applies to every direct-treatment provider that maintains PHI.

What HHS actually requires

The Notice of Privacy Practices is a Privacy Rule construct, not a Security Rule construct, and the full requirement set lives at 45 CFR § 164.520. The section runs roughly 1,800 words in the eCFR and prescribes content, distribution, acknowledgement, posting, and revision behavior. The HHS Office for Civil Rights publishes model NPPs — useful as starting points, but the model notices have not been refreshed to reflect the 2024 Reproductive Health Privacy final rule, so a practice that ships an HHS model NPP without overlay risks publishing a notice that is materially out of date.

The 2024 Reproductive Health Privacy Final Rule added a prohibition at 45 CFR § 164.509 on use and disclosure of PHI for certain investigations or proceedings against a person who sought or obtained reproductive health care. The compliance date for NPP changes was February 16, 2026. Every NPP refreshed after that date must reference the change.

The federal NPP requirement is enforced by OCR. Most state Attorneys General can also bring enforcement actions under their concurrent HIPAA authority under 42 USC § 1320d-5(d). California and Texas have stricter state-law overlays — see the carve-outs section below.

Template — section by section

The headers below are the mandatory headers from § 164.520(b)(1) plus the post-Dobbs reproductive-health update. Verbatim header text is mandatory at the top; the body language under each header is the practice's to customize, but the substance must cover what the rule lists.

``` NOTICE OF PRIVACY PRACTICES [Practice Name] Effective Date: [DATE]

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. ```

The all-caps header above is required verbatim by § 164.520(b)(1)(i). Do not paraphrase it.

Section 1 — Uses and disclosures that do not require authorization

```

  1. USES AND DISCLOSURES WE MAY MAKE WITHOUT YOUR AUTHORIZATION

For Treatment. We use and disclose your health information to provide treatment and coordinate care with other providers.

For Payment. We use and disclose your health information to bill and receive payment from you, an insurer, or a third party responsible for payment.

For Health Care Operations. We use and disclose your health information to operate the practice, including quality assessment, training, licensing, and business management.

Required by Law. We disclose your health information when required by federal, state, or local law.

Public Health. We may disclose your health information for public health activities such as reporting disease, injury, vital events, and adverse events to public health authorities.

Health Oversight. We may disclose to health oversight agencies for audits, investigations, inspections, and licensure activities.

Judicial and Administrative Proceedings. We may disclose in response to a court order, subpoena, or discovery request as permitted by 45 CFR § 164.512(e).

Law Enforcement. We may disclose to law enforcement under the conditions set forth in 45 CFR § 164.512(f).

[Continue with: research, decedents, organ donation, workers' compensation, serious threats to health or safety, specialized government functions.] ```

Section 2 — Uses and disclosures that require authorization

```

  1. USES AND DISCLOSURES THAT REQUIRE YOUR WRITTEN AUTHORIZATION

The following uses and disclosures require your prior written authorization, and you may revoke an authorization at any time in writing:

  • Most uses and disclosures of psychotherapy notes
  • Uses and disclosures for marketing purposes
  • Sales of protected health information
  • Other uses and disclosures not described in this notice

```

Section 3 — Reproductive health information protections (effective Feb 16, 2026)

```

  1. SPECIAL PROTECTIONS FOR REPRODUCTIVE HEALTH INFORMATION

Under 45 CFR § 164.509, we will not use or disclose your protected health information for the purposes of:

  • A criminal, civil, or administrative investigation into a person

for seeking, obtaining, providing, or facilitating reproductive health care that was lawful under the circumstances; or

  • Imposing criminal, civil, or administrative liability on such

a person; or

  • Identifying such a person for either of the above purposes,

where the reproductive health care was lawful under the circumstances in which it was provided.

When we receive a request for protected health information that could relate to reproductive health care, we will require the requester to sign an attestation that the use or disclosure is not for a prohibited purpose. ```

Section 4 — Your rights

```

  1. YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

Right of Access (45 CFR § 164.524). You have the right to inspect and obtain a copy of your designated record set, generally within 30 days of request.

Right to Amend (45 CFR § 164.526). You may request an amendment to your health information if you believe it is inaccurate or incomplete.

Right to an Accounting of Disclosures (45 CFR § 164.528). You have the right to receive a list of certain disclosures of your health information made by us in the six years preceding the request.

Right to Request Restrictions (45 CFR § 164.522(a)). You may request a restriction on certain uses and disclosures; we are not required to agree except where you have paid in full out of pocket for the service and request restriction from your health plan.

Right to Confidential Communications (45 CFR § 164.522(b)). You may request to receive communications by alternative means or at alternative locations.

Right to Notification of Breach (45 CFR §§ 164.404, 164.406). You have the right to be notified following a breach of your unsecured PHI.

Right to a Paper Copy of This Notice (45 CFR § 164.520(c)(3)). You have the right to a paper copy of this Notice on request, even if you have agreed to receive it electronically. ```

Section 5 — Practice duties

```

  1. OUR DUTIES

We are required by law to maintain the privacy of your protected health information, to provide you with this Notice of our legal duties and privacy practices, and to notify affected individuals following a breach of unsecured protected health information. We are required to abide by the terms of this Notice currently in effect. ```

Section 6 — Complaints and contact

```

  1. COMPLAINTS AND CONTACT

If you believe your privacy rights have been violated, you may file a complaint with this practice or with the U.S. Department of Health and Human Services, Office for Civil Rights:

Office for Civil Rights U.S. Department of Health and Human Services 200 Independence Avenue, S.W. Washington, D.C. 20201 1-877-696-6775 https://www.hhs.gov/ocr/complaints/index.html

We will not retaliate against you for filing a complaint.

Privacy Officer Contact: [Name], Privacy Officer [Practice Name] [Address] [Phone] / [Email] ```

Section 7 — Effective date and changes

```

  1. EFFECTIVE DATE AND CHANGES TO THIS NOTICE

This Notice is effective [DATE]. We reserve the right to change this Notice and to make the revised Notice effective for all protected health information we maintain. We will post the current Notice in our practice and on our website. ```

State preemption carve-outs

When state law is stricter than HIPAA, the stricter law controls under the preemption rule at 45 CFR § 160.203. The three high-volume overlays:

| State | Statute | NPP impact | | --- | --- | --- | | California | CMIA (Civil Code §§ 56–56.37) | Add a CMIA-specific disclosure-restriction paragraph; 15-business-day access response timeline; authorization required for many disclosures HIPAA would permit | | Texas | HB 300 (Tex. Health & Safety Code Chapter 181) | Stricter training and 15-business-day EHR access timeline; broader covered-entity scope | | New York | SHIELD Act (Gen. Bus. Law § 899-bb) | Information-security overlay; not an NPP rewrite but referenced where applicable |

How to deploy

The deployment sequence we file with clients: paste the template into the practice's letterhead format; fill in the four bracketed fields (practice name, effective date, Privacy Officer, contact); have the Privacy Officer review and sign the master copy; post the PDF in the patient waiting area; upload to the website footer with a prominent "Notice of Privacy Practices" link; load the patient-portal acknowledgement workflow so first-encounter acknowledgement is captured digitally; and file the acknowledgement evidence per encounter in the compliance binder.

For paper-acknowledgement practices, print the acknowledgement form on a separate page from the NPP itself so the patient can sign and return the acknowledgement without taking the entire NPP back to the front desk.

Common gaps

What we see fail in practice is small. The NPP has not been refreshed since 2013 (pre-Omnibus Rule); the website prominently links a PDF whose effective date is older than the receptionist's tenure; the Privacy Officer line names someone who left two years ago; the acknowledgement is being collected verbally but no signed evidence sits in the chart; the post-Dobbs reproductive-health section is missing entirely; or the practice has never reviewed whether CMIA or HB 300 applies.

OCR Phase 3 audits — the cycle CMS, OIG, and OCR are running into 2026 — open with a request for the current NPP and the acknowledgement evidence. A practice that produces a current, dated, complete NPP and three random acknowledgement samples on demand has passed the easiest audit element.

Maintenance cadence

Review the NPP at least annually. Reissue and re-post when there is any material change: a change in uses and disclosures, in patient rights, in the practice's duties, or in contact information. Track the change in a one-line changelog inside the binder. Re-distribute the NPP on the next encounter when a material change occurs; existing acknowledgements remain valid for prior versions per § 164.520(c)(2)(iv).

How d3rx fits

The d3rx compliance binder produces a Privacy Rule policy set including a current NPP with the reproductive-health overlay, state-law carve-outs for CA/TX/FL/NY, an acknowledgement workflow, and a Privacy Officer designation, with citations to the eCFR inline. The practice's Privacy Officer remains responsible for adopting, distributing, posting, and re-issuing the notice.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversNotice of Privacy Practices (NPP) Template — 2026. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Does the NPP need to be re-acknowledged annually by every existing patient?

No. Under [45 CFR § 164.520(c)(2)(ii)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520) a direct-treatment provider must make a good-faith effort to obtain written acknowledgement of receipt at first service delivery — not annually. The NPP itself must be revised whenever there is a material change and the revised notice given at the next encounter; existing acknowledgements remain on file.

What counts as a material change that triggers republication?

Any change to the uses and disclosures described in the NPP, to the patient's rights, to the practice's legal duties, or to the contact information. The HIPAA Privacy Rule modifications effective for reproductive-health information ([45 CFR § 164.509](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.509)) were a material change. A new fax number is not.

Can the NPP be posted on the website instead of handed to patients?

It must be both. Under [§ 164.520(c)(3)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520) a practice that maintains a website with information about its services must prominently post the NPP on the website. Direct-treatment providers must also provide it on first service delivery and make a paper copy available on request.

Does the NPP need to be translated for limited-English-proficient patients?

Section 1557 of the ACA and OCR's 2024 Section 1557 final rule effectively require language access for covered entities receiving federal financial assistance. The practical answer is yes — translate the NPP into the top languages spoken by your patient panel and post the translations. CMS recipient practices that ignore this have been cited.

Do dental and behavioral-health practices need a different NPP?

The federal NPP requirements at [§ 164.520](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520) apply identically. Behavioral health practices subject to 42 CFR Part 2 (substance-use-disorder records) need additional Part 2 consent and disclosure language, which is typically delivered as a separate Part 2 notice alongside the NPP.

What is the penalty for not having a current NPP?

OCR has settled NPP-only cases for low-five to mid-six figures historically. The 2016 Memorial Hermann resolution included an NPP element. Civil Monetary Penalties under [45 CFR § 160.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404) scale with the violation category. The bigger exposure is that the NPP gap signals broader program failure, which expands the audit scope.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR § 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
  2. model NPPshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
  3. 45 CFR § 164.509https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.509
  4. 45 CFR § 160.203https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-B/section-160.203
  5. indexhttps://www.hhs.gov/ocr/complaints/index.html

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides