A document that covered entities must provide to patients explaining how their PHI may be used and disclosed, and their rights under HIPAA.
The Notice of Privacy Practices (NPP) is a document that every covered entity must develop, maintain, and distribute to patients and health plan members. The NPP serves as a transparent disclosure of how an organization handles protected health information, providing individuals with clear information about the ways their PHI may be used and disclosed, their rights with respect to that information, and the organization's legal obligations to protect it. The NPP is a cornerstone of HIPAA's approach to informed privacy, ensuring that individuals understand how the healthcare system handles their most sensitive personal data.
The NPP must include several specific elements: a description of how PHI may be used and disclosed for treatment, payment, and health care operations; a description of all other permitted uses and disclosures; a statement of individual rights including the right to access, amend, and request an accounting of disclosures; the organization's duties to protect PHI; complaint procedures; and the effective date of the notice. Health care providers with a direct treatment relationship must make a good-faith effort to obtain a written acknowledgment from patients that they received the NPP. The NPP must be posted prominently in facilities, available on the organization's website, and provided to anyone who requests it.
Organizations must update their NPP whenever there is a material change to their privacy practices, uses and disclosures of PHI, individual rights, legal duties, or other privacy practices stated in the notice. The revised NPP must be posted in facilities and on the website, and for health plans, must be distributed to members within 60 days of the material revision. Maintaining an accurate, current NPP is essential both for regulatory compliance and for building trust with patients. Organizations should review their NPP at least annually, even if no material changes have occurred, to ensure it accurately reflects current practices and any regulatory updates.