Notice of Privacy Practices (NPP) Template — 2026
9 min read · Last reviewed May 23, 2026
A Notice of Privacy Practices (NPP) is the written notice that a HIPAA covered entity must provide to patients describing how the practice uses and discloses protected health information and what rights the patient has. The requirement lives at 45 CFR § 164.520 and applies to every direct-treatment provider that maintains PHI.
What HHS actually requires
The Notice of Privacy Practices is a Privacy Rule construct, not a Security Rule construct, and the full requirement set lives at 45 CFR § 164.520. The section runs roughly 1,800 words in the eCFR and prescribes content, distribution, acknowledgement, posting, and revision behavior. The HHS Office for Civil Rights publishes model NPPs — useful as starting points, but the model notices have not been refreshed to reflect the 2024 Reproductive Health Privacy final rule, so a practice that ships an HHS model NPP without overlay risks publishing a notice that is materially out of date.
The 2024 Reproductive Health Privacy Final Rule added a prohibition at 45 CFR § 164.509 on use and disclosure of PHI for certain investigations or proceedings against a person who sought or obtained reproductive health care. The compliance date for NPP changes was February 16, 2026. Every NPP refreshed after that date must reference the change.
The federal NPP requirement is enforced by OCR. Most state Attorneys General can also bring enforcement actions under their concurrent HIPAA authority under 42 USC § 1320d-5(d). California and Texas have stricter state-law overlays — see the carve-outs section below.
Template — section by section
The headers below are the mandatory headers from § 164.520(b)(1) plus the post-Dobbs reproductive-health update. Verbatim header text is mandatory at the top; the body language under each header is the practice's to customize, but the substance must cover what the rule lists.
``` NOTICE OF PRIVACY PRACTICES [Practice Name] Effective Date: [DATE]
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. ```
The all-caps header above is required verbatim by § 164.520(b)(1)(i). Do not paraphrase it.
Section 1 — Uses and disclosures that do not require authorization
```
- USES AND DISCLOSURES WE MAY MAKE WITHOUT YOUR AUTHORIZATION
For Treatment. We use and disclose your health information to provide treatment and coordinate care with other providers.
For Payment. We use and disclose your health information to bill and receive payment from you, an insurer, or a third party responsible for payment.
For Health Care Operations. We use and disclose your health information to operate the practice, including quality assessment, training, licensing, and business management.
Required by Law. We disclose your health information when required by federal, state, or local law.
Public Health. We may disclose your health information for public health activities such as reporting disease, injury, vital events, and adverse events to public health authorities.
Health Oversight. We may disclose to health oversight agencies for audits, investigations, inspections, and licensure activities.
Judicial and Administrative Proceedings. We may disclose in response to a court order, subpoena, or discovery request as permitted by 45 CFR § 164.512(e).
Law Enforcement. We may disclose to law enforcement under the conditions set forth in 45 CFR § 164.512(f).
[Continue with: research, decedents, organ donation, workers' compensation, serious threats to health or safety, specialized government functions.] ```
Section 2 — Uses and disclosures that require authorization
```
- USES AND DISCLOSURES THAT REQUIRE YOUR WRITTEN AUTHORIZATION
The following uses and disclosures require your prior written authorization, and you may revoke an authorization at any time in writing:
- Most uses and disclosures of psychotherapy notes
- Uses and disclosures for marketing purposes
- Sales of protected health information
- Other uses and disclosures not described in this notice
```
Section 3 — Reproductive health information protections (effective Feb 16, 2026)
```
- SPECIAL PROTECTIONS FOR REPRODUCTIVE HEALTH INFORMATION
Under 45 CFR § 164.509, we will not use or disclose your protected health information for the purposes of:
- A criminal, civil, or administrative investigation into a person
for seeking, obtaining, providing, or facilitating reproductive health care that was lawful under the circumstances; or
- Imposing criminal, civil, or administrative liability on such
a person; or
- Identifying such a person for either of the above purposes,
where the reproductive health care was lawful under the circumstances in which it was provided.
When we receive a request for protected health information that could relate to reproductive health care, we will require the requester to sign an attestation that the use or disclosure is not for a prohibited purpose. ```
Section 4 — Your rights
```
- YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION
Right of Access (45 CFR § 164.524). You have the right to inspect and obtain a copy of your designated record set, generally within 30 days of request.
Right to Amend (45 CFR § 164.526). You may request an amendment to your health information if you believe it is inaccurate or incomplete.
Right to an Accounting of Disclosures (45 CFR § 164.528). You have the right to receive a list of certain disclosures of your health information made by us in the six years preceding the request.
Right to Request Restrictions (45 CFR § 164.522(a)). You may request a restriction on certain uses and disclosures; we are not required to agree except where you have paid in full out of pocket for the service and request restriction from your health plan.
Right to Confidential Communications (45 CFR § 164.522(b)). You may request to receive communications by alternative means or at alternative locations.
Right to Notification of Breach (45 CFR §§ 164.404, 164.406). You have the right to be notified following a breach of your unsecured PHI.
Right to a Paper Copy of This Notice (45 CFR § 164.520(c)(3)). You have the right to a paper copy of this Notice on request, even if you have agreed to receive it electronically. ```
Section 5 — Practice duties
```
- OUR DUTIES
We are required by law to maintain the privacy of your protected health information, to provide you with this Notice of our legal duties and privacy practices, and to notify affected individuals following a breach of unsecured protected health information. We are required to abide by the terms of this Notice currently in effect. ```
Section 6 — Complaints and contact
```
- COMPLAINTS AND CONTACT
If you believe your privacy rights have been violated, you may file a complaint with this practice or with the U.S. Department of Health and Human Services, Office for Civil Rights:
Office for Civil Rights U.S. Department of Health and Human Services 200 Independence Avenue, S.W. Washington, D.C. 20201 1-877-696-6775 https://www.hhs.gov/ocr/complaints/index.html
We will not retaliate against you for filing a complaint.
Privacy Officer Contact: [Name], Privacy Officer [Practice Name] [Address] [Phone] / [Email] ```
Section 7 — Effective date and changes
```
- EFFECTIVE DATE AND CHANGES TO THIS NOTICE
This Notice is effective [DATE]. We reserve the right to change this Notice and to make the revised Notice effective for all protected health information we maintain. We will post the current Notice in our practice and on our website. ```
State preemption carve-outs
When state law is stricter than HIPAA, the stricter law controls under the preemption rule at 45 CFR § 160.203. The three high-volume overlays:
| State | Statute | NPP impact | | --- | --- | --- | | California | CMIA (Civil Code §§ 56–56.37) | Add a CMIA-specific disclosure-restriction paragraph; 15-business-day access response timeline; authorization required for many disclosures HIPAA would permit | | Texas | HB 300 (Tex. Health & Safety Code Chapter 181) | Stricter training and 15-business-day EHR access timeline; broader covered-entity scope | | New York | SHIELD Act (Gen. Bus. Law § 899-bb) | Information-security overlay; not an NPP rewrite but referenced where applicable |
How to deploy
The deployment sequence we file with clients: paste the template into the practice's letterhead format; fill in the four bracketed fields (practice name, effective date, Privacy Officer, contact); have the Privacy Officer review and sign the master copy; post the PDF in the patient waiting area; upload to the website footer with a prominent "Notice of Privacy Practices" link; load the patient-portal acknowledgement workflow so first-encounter acknowledgement is captured digitally; and file the acknowledgement evidence per encounter in the compliance binder.
For paper-acknowledgement practices, print the acknowledgement form on a separate page from the NPP itself so the patient can sign and return the acknowledgement without taking the entire NPP back to the front desk.
Common gaps
What we see fail in practice is small. The NPP has not been refreshed since 2013 (pre-Omnibus Rule); the website prominently links a PDF whose effective date is older than the receptionist's tenure; the Privacy Officer line names someone who left two years ago; the acknowledgement is being collected verbally but no signed evidence sits in the chart; the post-Dobbs reproductive-health section is missing entirely; or the practice has never reviewed whether CMIA or HB 300 applies.
OCR Phase 3 audits — the cycle CMS, OIG, and OCR are running into 2026 — open with a request for the current NPP and the acknowledgement evidence. A practice that produces a current, dated, complete NPP and three random acknowledgement samples on demand has passed the easiest audit element.
Maintenance cadence
Review the NPP at least annually. Reissue and re-post when there is any material change: a change in uses and disclosures, in patient rights, in the practice's duties, or in contact information. Track the change in a one-line changelog inside the binder. Re-distribute the NPP on the next encounter when a material change occurs; existing acknowledgements remain valid for prior versions per § 164.520(c)(2)(iv).
How d3rx fits
The d3rx compliance binder produces a Privacy Rule policy set including a current NPP with the reproductive-health overlay, state-law carve-outs for CA/TX/FL/NY, an acknowledgement workflow, and a Privacy Officer designation, with citations to the eCFR inline. The practice's Privacy Officer remains responsible for adopting, distributing, posting, and re-issuing the notice.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Notice of Privacy Practices (NPP) Template — 2026. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does the NPP need to be re-acknowledged annually by every existing patient?
No. Under [45 CFR § 164.520(c)(2)(ii)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520) a direct-treatment provider must make a good-faith effort to obtain written acknowledgement of receipt at first service delivery — not annually. The NPP itself must be revised whenever there is a material change and the revised notice given at the next encounter; existing acknowledgements remain on file.
What counts as a material change that triggers republication?
Any change to the uses and disclosures described in the NPP, to the patient's rights, to the practice's legal duties, or to the contact information. The HIPAA Privacy Rule modifications effective for reproductive-health information ([45 CFR § 164.509](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.509)) were a material change. A new fax number is not.
Can the NPP be posted on the website instead of handed to patients?
It must be both. Under [§ 164.520(c)(3)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520) a practice that maintains a website with information about its services must prominently post the NPP on the website. Direct-treatment providers must also provide it on first service delivery and make a paper copy available on request.
Does the NPP need to be translated for limited-English-proficient patients?
Section 1557 of the ACA and OCR's 2024 Section 1557 final rule effectively require language access for covered entities receiving federal financial assistance. The practical answer is yes — translate the NPP into the top languages spoken by your patient panel and post the translations. CMS recipient practices that ignore this have been cited.
Do dental and behavioral-health practices need a different NPP?
The federal NPP requirements at [§ 164.520](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520) apply identically. Behavioral health practices subject to 42 CFR Part 2 (substance-use-disorder records) need additional Part 2 consent and disclosure language, which is typically delivered as a separate Part 2 notice alongside the NPP.
What is the penalty for not having a current NPP?
OCR has settled NPP-only cases for low-five to mid-six figures historically. The 2016 Memorial Hermann resolution included an NPP element. Civil Monetary Penalties under [45 CFR § 160.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404) scale with the violation category. The bigger exposure is that the NPP gap signals broader program failure, which expands the audit scope.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
- model NPPshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
- 45 CFR § 164.509https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.509
- 45 CFR § 160.203https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-B/section-160.203
- indexhttps://www.hhs.gov/ocr/complaints/index.html
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- ComplianceHIPAA Security Officer: Required Duties + Job Description TemplateRequired duties under 45 CFR 164.308(a)(2), a copy-ready 2026 HIPAA Security Officer job description, and what we see fail in practice.
- SRAHIPAA Patient Right of Access: A Small-Practice WalkthroughHow 45 CFR 164.524 governs patient access to their records, the 30-day rule and 30-day extension, the limited fees a practice may charge, and the OCR Right of Access Initiative.
- RegulationHIPAA Notice of Privacy Practices (45 CFR 164.520)Covered entities must provide a Notice of Privacy Practices describing how PHI may be used and disclosed and the individual's rights, with specific delivery and posting requirements.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- GlossaryJoint Notice (Privacy Practices)A single Notice of Privacy Practices used by multiple legally-separate covered entities operating as an Organized Health Care Arrangement.