What is a HIPAA Notice of Privacy Practices?

The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute Notices of Privacy Practices (NPPs). The Notice of Privacy Practices must be given to patients. The notice must describe how the covered entity (CE) may and may not use protected health information (PHI), and the patient’s rights and obligations with respect to that PHI.

Covered entities that must develop a HIPAA Notice of Privacy Practices are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with a HIPAA-related transaction. PHI is individually identifiable health information held or transmitted by a covered entity, in any form or medium, whether electronic, on paper, or oral.

What Information Must the HIPAA Notice of Privacy Practices Contain?

Under HIPAA regulations, covered entities are required to provide individuals with a Notice of Privacy Practices in plain language that contains:   

  • The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • A description of how PHI can be used for treatment, payment, and health care operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.
    • A covered entity may use or disclose PHI without authorization for a number of purposes. Examples include public health and health oversight activities, and judicial proceedings.
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice.
  • The date on which the notice is first in effect.
  • A statement that an individual may revoke an authorization.

Patient Rights Information

The notice of privacy practices form must also contain a statement of the patient’s rights with respect to PHI. These rights include:

  • The right to request restrictions on certain uses and disclosures of PHI.
  • The right to receive confidential communications of PHI, as permitted by law.
  • The right to inspect and copy PHI.
  • The right to amend PHI, as permitted by law.
  • The right to receive an accounting of disclosures of PHI.
  • The right of an individual to obtain a paper copy of the notice, upon request.
  • The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated. 

The notice must also contain a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.