Medical Notice of Privacy Practice
The NPP is a document that tells your patients, employees, or clients how their health information may be used and shared, and that lists their health privacy rights related to Protected Health Information (PHI). It is required as part of the HIPAA Privacy Rule.

Regardless of industry, your NPP must contain user-friendly language and specific information:
  1. For all NPP requirements, reference HIPAA regulations in 45 CFR 164.520(b).
  2. Header: All NPPs must have the header: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
  3. Statement(s) of Uses and Disclosures:
    Describe the types of uses or disclosures of PHI that are permitted without authorization from the individual.
    Describe the types of uses or disclosures that require authorization or that the individual can elect to opt out of:
      Psychotherapy notes.
      Use of PHI for marketing purposes.
      The sale of PHI.
    Other uses and disclosures that are not described in the NPP can be made only with the individual's authorization.
    Inform individuals that they can opt out of fundraising communications.
    (Provider Only) The NPP must state that individuals have the ability to restrict certain disclosures of PHI to a health plan when the individual pays in full out-of-pocket for the health care item or service.
  4. Individual Rights: Specific individual rights under the Privacy Rule must be described. These rights include the right to request restrictions on uses or disclosures of PHI and the right to inspect, copy, and amend PHI.
  5. Covered Entity's Responsibilities: The NPP must specify the covered entity's duties, which include the requirement, under the law, to maintain the privacy of individuals' PHI.
  6. Additional considerations:
    The effective date of the NPP must be part of the notice. The date cannot be earlier than April 14, 2003 (or 2004 for small health plans).
    The name or title and phone number of a person at the health plan or provider to whom questions can be directed must be included.
    Information on how to file a complaint with the organization must be provided. Though the NPP must also inform people that complaints can be filed with HHS, the NPP does not need to detail how to do so.
    The final Privacy Rule requires that the NPP include a statement informing individuals of their right to be notified following a breach of unsecured PHI.

Distributing the Notice of Privacy Practices (NPP)

When distributing your NPP, there are general requirements that apply regardless of industry:

Anyone who asks for a copy must be provided one.

Covered entities must prominently post their NPP within the physical location.

Covered entities must post the NPP on their websites if the site provides information about customer services or benefits.

Reference the points below for industry-specific requirements regarding distributing the NPP:

Medical and Dental Providers:

Post one prominently in the office and on your website (if the practice has one), and document that each patient has received one.

Insurance Agencies:

If the agency provides a group health plan within the organization, one copy must go to each employee.

The agency needs to distribute the NPP to individuals (only one copy per family, no matter how many people are covered under the family plan). If it is a group plan, the agency must provide a copy to the company (as the client), and the company is responsible for distributing it to each employee.

Employer Groups:

Distribute the NPP to employees who are part of the Group Health Plan offered.

Business Associates:

If the business associate provides a group health plan, one copy must go to each employee.

Acknowledgment of NPP

HIPAA requires doctors, hospitals, and other healthcare providers to keep records showing that clients or employees have received the notice. You may do this by obtaining a signature acknowledging that the individual received the NPP, or by keeping a dated log of NPP distribution.

A signature does not mean that the client/employee has agreed to any special uses or disclosures (sharing) of health records.

Refusing to sign an acknowledgment does not prevent a provider or plan from using or disclosing health information as HIPAA permits.

If your client or patient refuses to sign an acknowledgment, the provider must keep a record of this fact.

As a healthcare provider, you can have a first-time patient sign that they received an NPP and then scan the signed document into their personal file.

When giving the individual the NPP, have them review and sign an authorization to receive future notices electronically.

Updating and maintaining the NPP

You should update your NPP at least once every three years. Specifically:

A health care provider's patients must be reminded of the existence of the NPP and informed about how to obtain a copy if they want it.

Insurance carriers and agencies must send an NPP annually as long as the customer relationship lasts.

For more information on the Notice of Privacy Practices, you can reference the following:

HHS Notice of Privacy Practices FAQs

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
https://www.totalhipaa.com/notice-of-privacy-practices-most-peoples-connection-to-hipaa/#:~:text=The%20NPP%20is%20a%20document,key%20requirement%20for%20your%20organization.