Review Your NPP and Patient-Rights Workflow

A practical guide for small clinics to audit their Notice of Privacy Practices and build a defensible patient-rights request process under HIPAA.

Short answer

The Notice of Privacy Practices and patient-rights request processes are among the most audit-visible areas of HIPAA compliance for small clinics. This guide walks through what the NPP must contain, when it must be updated, how to distribute it, and how to document patient-rights requests in a way that holds up to scrutiny.

The Notice of Privacy Practices and patient-rights request processes are two of the most frequently cited compliance gaps in small clinics. They are also among the first things an OCR investigator will ask to see. A clinic that cannot produce a current NPP with a signed acknowledgment file, or cannot demonstrate a documented process for handling right-of-access requests, starts any investigation at a disadvantage.

What the NPP Must Contain

Under 45 CFR § 164.520, every covered healthcare provider must maintain a Notice of Privacy Practices that describes how the clinic uses and discloses PHI and what rights patients have with respect to their own health information. The regulation specifies required content elements. Missing any of them is a violation regardless of how close the document comes to the requirement.

Required content elements:

  • Uses and disclosures: A description, with examples, of the types of uses and disclosures the clinic may make of PHI
  • Patient rights: A statement of each patient right with a brief description of how to exercise that right
  • Covered entity duties: A statement that the clinic is required to maintain the privacy of PHI, provide the NPP, and follow the terms of the current NPP
  • Complaint process: A statement that patients may complain to the clinic and to the HHS Secretary, with the name, title, and phone number of the clinic’s Privacy Officer
  • Effective date: The date on which the current NPP took effect, which must appear prominently on the document
  • Contact information: Name or title and phone number of the person responsible for receiving patient privacy complaints

The most common failure in small clinic NPPs is an outdated Privacy Officer name or phone number. If your practice manager left two years ago and their name is still on the NPP, you have a documentation gap. The second most common failure is a missing or incorrect effective date.

When the NPP Must Be Updated

Under 45 CFR § 164.520(b)(3), you must revise the NPP whenever there is a material change to your privacy practices or to the law governing those practices.

Triggers for an NPP revision:

  • You enter a new business associate relationship that expands how PHI is disclosed (for example, adding a third-party billing service, a telehealth vendor, or a population health platform)
  • You change how you use PHI internally — for example, beginning to use patient data for a new type of care coordination or quality program
  • A change in state or federal law changes what you must or may do with PHI
  • Your Privacy Officer changes — name, title, and contact information must be current
  • You make any change to your internal authorization or minimum-necessary policies that is visible to patients

Adding a new EHR module is not automatically a material change, but adding an EHR vendor that processes PHI under a new or amended business associate agreement may be, depending on the scope of the new processing.

NPP Distribution Requirements

Under 45 CFR § 164.520(c), covered healthcare providers must distribute the NPP as follows:

At first service delivery: A paper copy of the NPP must be provided at the time of first service delivery, regardless of whether the service is in person or via telehealth. This applies to every new patient relationship.

Good-faith effort to obtain acknowledgment: The clinic must make a good-faith effort to obtain the patient’s written acknowledgment that they received the NPP. If the patient refuses to sign, document the refusal. The clinic must make the effort; it is not required to obtain the signature.

Posting requirements: Post the current NPP where patients will actually see it — the waiting room or check-in area, not on a bulletin board behind the reception desk.

Website: If your clinic maintains a website that provides information about your services, you must post the current NPP on that website. This applies to nearly all clinics today.

Electronic distribution: If the patient agrees, you may send the NPP electronically rather than on paper. If you offer electronic distribution, you must also offer a paper copy to any patient who requests one.

The Patient Rights Workflow

The NPP must describe four patient rights in enough detail that patients understand how to exercise them. The clinic must have a documented internal process for each.

Right of Access (45 CFR § 164.524)

Patients have the right to inspect and receive a copy of their PHI held in a designated record set — generally, the medical record and billing records. OCR has made right-of-access enforcement a sustained priority; fines in this area have reached six figures for small covered entities, including settlements under the agency’s 2019 right-of-access initiative.

Response timeline:

  • Standard: 30 calendar days from receipt of the request
  • Extension: one 30-day extension is permitted, but you must send a written notice to the patient before the original deadline explaining the reason for the delay and the new deadline

Format: Patients may request records in a specific format (paper, electronic, PDF, a specific file format). The clinic must provide records in the requested format if readily producible. If the format is not readily producible, you must offer the patient a choice of alternatives.

Fees: You may charge a reasonable cost-based fee under 45 CFR § 164.524(c)(4). Flat per-page fees that exceed actual cost are impermissible. The fee must reflect actual labor for copying and any actual postage.

Denials: There are a small number of permissible grounds for denial — for example, psychotherapy notes, information compiled for legal proceedings, and certain other categories defined at 45 CFR § 164.524(a)(2). Any denial must be in writing, must state the basis for the denial, and must inform the patient of their right to request a review of the denial.

Documentation requirement: Every right-of-access request must be logged with the date received, the date of your response, the format of records provided, and any fee charged. Retain this documentation for six years.

Right to Amend (45 CFR § 164.526)

Patients have the right to request an amendment to their PHI if they believe it is inaccurate or incomplete. The clinic has 60 days to act on the request, with one 30-day extension permitted under the same written-notice requirement as access requests.

Clinics may deny an amendment request if the PHI was not created by the clinic, if the PHI is accurate and complete, if the PHI would not be available for inspection under the access right, or if the PHI is not part of a designated record set. Every denial must be in writing with the basis for denial stated.

If you accept an amendment, you must make the amendment in the record and notify the patient. You must also notify other persons you know have the PHI and who may need the amendment.

Right to Restrict (45 CFR § 164.522)

Patients may request that the clinic restrict certain uses or disclosures of their PHI. In most cases, the clinic is not required to agree — the regulation says you “may” agree or deny. However, there is one mandatory restriction: if the patient pays out of pocket in full for a service and requests that the information not be disclosed to their health plan, you must honor that restriction. This applies even if the item or service would normally be billed to insurance.

Document every restriction request and your response. If you agree to a restriction, document how the restriction is applied in your EHR and who is responsible for enforcing it.

Right to an Accounting of Disclosures (45 CFR § 164.528)

Patients have the right to receive an accounting of certain disclosures of their PHI made in the six years prior to the request. Disclosures for treatment, payment, and healthcare operations are excluded from this requirement, as are disclosures the patient authorized. Disclosures that must be tracked and reported include those made for public health purposes, law enforcement, and most other disclosures outside of routine clinical care.

Most small clinics have no process here. A clinic that does not log disclosures outside of treatment, payment, and operations cannot respond to an accounting request, and cannot demonstrate that it would have recorded a reportable disclosure had one occurred.

Documenting NPP Acknowledgments and Patient-Rights Requests

A compliant NPP process requires a paper trail. At minimum, your documentation system must capture:

For NPP acknowledgments:

  • Patient name and date of birth
  • Date NPP was offered
  • Date signed (or date of documented refusal if patient declined to sign)
  • Version of the NPP provided (tie it to the effective date)

For patient-rights requests:

  • Type of request (access, amendment, restriction, accounting)
  • Date received
  • Date of response
  • Outcome (fulfilled, denied with basis, extension granted)
  • Copy of written response to patient

These records must be retained for six years from the date of creation or the date the record was last in effect, whichever is later. This means a signed NPP acknowledgment from a patient who last visited six years ago must still be retrievable.
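The access-request timeline described earlier (30 days, one 30-day extension with written notice sent before the original deadline, denials stating a basis, format and fee logged) and the request-log fields listed just above translate directly into a small tracking routine. The following Python is an added example, not code from the original page or from any product it mentions; the class and function names, the patient identifier format, and the in-memory storage are assumptions. The page gives no fixed response clock for restriction and accounting requests, so the example assigns them none and applies the six-year retention rule to every entry.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Response windows given in the article: 30 days for access, 60 days for amendment,
# each extendable once by 30 days if written notice goes out before the original deadline.
# The article states no fixed clock for restriction or accounting requests (assumption: None).
RESPONSE_DAYS = {"access": 30, "amendment": 60, "restriction": None, "accounting": None}
EXTENSION_DAYS = 30
RETENTION_YEARS = 6


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class RightsRequest:
    request_id: str
    patient: str                     # hypothetical patient identifier (e.g. an MRN)
    request_type: str                # access | amendment | restriction | accounting
    received: date
    response_due: Optional[date]
    extension_notice_sent: Optional[date] = None
    extension_reason: str = ""
    responded: Optional[date] = None
    outcome: str = ""                # fulfilled | denied | agreed
    denial_basis: str = ""
    format_provided: str = ""
    fee_charged: float = 0.0


class PatientRightsLog:
    """In-memory stand-in for the request log the article asks clinics to keep (hypothetical)."""

    def __init__(self) -> None:
        self.entries: Dict[str, RightsRequest] = {}

    def receive(self, request_id: str, patient: str, request_type: str, received: date) -> RightsRequest:
        """Log a new request and compute its initial response deadline."""
        if request_type not in RESPONSE_DAYS:
            raise ValueError(f"unknown request type: {request_type}")
        days = RESPONSE_DAYS[request_type]
        due = received + timedelta(days=days) if days is not None else None
        entry = RightsRequest(request_id, patient, request_type, received, due)
        self.entries[request_id] = entry
        return entry

    def extend(self, request_id: str, notice_sent: date, reason: str) -> date:
        """Grant the single permitted 30-day extension; the notice must precede the original deadline."""
        e = self.entries[request_id]
        if e.response_due is None:
            raise ValueError("no statutory deadline to extend for this request type")
        if e.extension_notice_sent is not None:
            raise ValueError("only one extension is permitted")
        if not reason:
            raise ValueError("written notice must state the reason for the delay")
        if notice_sent >= e.response_due:
            raise ValueError("extension notice must be sent before the original deadline")
        e.extension_notice_sent = notice_sent
        e.extension_reason = reason
        e.response_due = e.response_due + timedelta(days=EXTENSION_DAYS)
        return e.response_due

    def respond(self, request_id: str, responded: date, outcome: str,
                denial_basis: str = "", format_provided: str = "", fee_charged: float = 0.0) -> bool:
        """Record the response; return True if it met the (possibly extended) deadline."""
        e = self.entries[request_id]
        if outcome == "denied" and not denial_basis:
            raise ValueError("a denial must state its basis in writing")
        if outcome == "fulfilled" and e.request_type == "access" and not format_provided:
            raise ValueError("log the format in which access records were provided")
        e.responded, e.outcome = responded, outcome
        e.denial_basis, e.format_provided, e.fee_charged = denial_basis, format_provided, fee_charged
        return e.response_due is None or responded <= e.response_due

    def overdue(self, as_of: date) -> List[str]:
        """Open requests whose current deadline has already passed."""
        return sorted(r.request_id for r in self.entries.values()
                      if r.responded is None and r.response_due is not None and r.response_due < as_of)

    def retention_until(self, request_id: str) -> date:
        """Six years from creation or from the last action on the record, whichever is later."""
        e = self.entries[request_id]
        last_in_effect = max(d for d in (e.received, e.extension_notice_sent, e.responded) if d is not None)
        return add_years(last_in_effect, RETENTION_YEARS)
```

Running `overdue(date.today())` at the start of each week gives the Privacy Officer the list of open requests that have already breached their window; a real deployment would persist the entries and attach the written response document to each one, but the deadline and retention arithmetic is the same.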

Where to start if your NPP is overdue for review

If you have not reviewed your NPP in more than a year, work through this checklist:

  1. Pull your current NPP and verify the effective date is present and accurate.
  2. Confirm the Privacy Officer name and contact phone number match your current staff.
  3. Verify all four patient rights are described with enough detail for a patient to understand how to exercise them.
  4. Check whether any new vendor relationships or practice changes since the last effective date constitute a material change.
  5. If you have a website, confirm the posted NPP matches your in-office version.
  6. Pull a sample of acknowledgment files — can you locate signed NPP acknowledgments for patients seen in the past 12 months?
  7. Check your patient-rights request log — do you have documentation for every access, amendment, restriction, and accounting request received in the past six years?

Most small clinics find at least one gap in steps 1 through 4 on the first pass. A single morning spent on this review will tell you where you stand.

FAQ

Questions related to this topic

How often does a clinic need to update its Notice of Privacy Practices?

There is no fixed interval. You must update the NPP whenever there is a material change to your privacy practices, a change in applicable law, or a change in your Privacy Officer's contact information. After revising it, you must redistribute the updated NPP.

What happens if a patient's right-of-access request goes unanswered past 30 days?

Missing the 30-day response window is a HIPAA violation. OCR has cited and settled cases where covered entities failed to timely respond to access requests. If you cannot respond within 30 days, you must send a written extension notice before the original deadline, granting yourself up to one additional 30-day period.

Can a clinic charge a fee for providing records in response to a right-of-access request?

Yes, but only a cost-based fee. Under 45 CFR § 164.524(c)(4), permitted fees are limited to labor costs for copying, supplies for paper copies, and postage. Flat 'per-page' fees that exceed actual cost have been cited by OCR in enforcement actions.
