What is 45 CFR 164.520?

45 CFR 164.520 is the provision of the HIPAA Privacy Rule requiring covered entities to have Notices of Privacy Practices (NPPs). A 45 CFR 164.520 Notice of Privacy Practices is a written document that contains a clear, user-friendly explanation of individuals’ rights with respect to their protected health information (PHI). A 45 CFR 164.520 NPP also describes the general  privacy practices of health plans and healthcare providers. 45 CFR 164.520 is discussed in greater detail below.

What is 45 CFR 164.520 and Who Must Provide a Notice of Privacy Practices?

45 CFR 164.520

Healthcare providers must provide patients with a Notice of Privacy Practices explaining how the provider may use or disclose patient protected health information (PHI). Under 45 CFR 164.520, a healthcare provider that has a direct treatment relationship with a patient must provide the 45 CFR 164.520 Notice of Privacy Practices no later than the date of the first service delivery (including service delivered electronically). In case of an emergency treatment situation, the provider must furnish the notice as soon as reasonably practicable after the emergency treatment situation.

Health plans must provide the 164.520 notice to all enrollees covered by the plan. Health plans must provide new enrollees with the notice upon enrollment. In addition, individuals currently covered by a plan must be given a revised notice within 60 days after the plan makes the revision.

The health plan must also, no less frequently than once every three years, notify covered individuals that the notice is available, and how to obtain a copy.

45 CFR 164.520 and Notices of Privacy Practices on Websites

45 CFR 164.520 imposes special requirements for electronic notice. Covered entities that maintain a website that provides information about their customer services or benefits, must prominently post the notice on their website. These entities must also make the notice available electronically through the website.

If an individual agrees to receive the notice electronically, the covered entity may then provide the notice via email. As long as the agreement has not been withdrawn, the covered entity may provide revised notices through email as well. If a covered entity knows that an email transmission of the notice has failed, the covered entity must provide a paper notice. Entities providing electronic notice must do so no later than the date of the first in-person or telehealth service delivery. Patients who receive the electronic notice may also obtain a paper copy upon request. 

45 CFR 164.520 and What Must the Notice of Privacy Practices Contain?

45 CFR 164.520 outlines the notice content requirements. The notice must contain:

  • A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and healthcare operations.
  • A description of each of the other purposes for which the covered entity is permitted or required under the Privacy Rule to use or disclose protected health information without the individual’s written authorization. These other purposes are outlined in 45 CFR 164.512, and include public health, health oversight, and law enforcement purposes.
  • A statement of the individual’s privacy rights, including the right to complain to HHS and to the covered entity if a patient believes his or her privacy rights have been violated. 
  • A description of how to contact the covered entity for more information and to make a complaint. 

45 CFR 164.520 and Additional Requirements

A covered entity must write its notice in plain language. The plain language requirement is satisfied as long as the covered entity makes a reasonable effort to organize material to serve the needs of the reader. This can be achieved, for example, by writing short sentences in the active voice, using “you” and other pronouns where appropriate, and using common, everyday words in sentences.

45 CFR 164.520 does not have any formatting requirements (i.e., page size, font size, or typeface). However, the notice must be capable of being understood by its recipients. The purpose of the notice is to inform individuals of their rights, and individuals who cannot understand those rights will be unable to exercise them. 

HHS encourages covered entities to be sensitive to the needs of individuals who are vision-impaired or hearing-impaired. For example, a member of the covered entity’s workforce can read the notice to visually-impaired individuals. The covered entity can provide hearing-impaired individuals with a video presentation that is played in the waiting area.

See How It Works