Awareness article
Notice of Privacy Practices: HIPAA Definition for Small Clinics
The precise HIPAA definition of the Notice of Privacy Practices, what it must contain, when to provide it, and what happens when clinics let theirs go stale.
Short answer
A Notice of Privacy Practices (NPP) is a written document that covered entities must give patients explaining how PHI may be used and disclosed, the patient's privacy rights, and the covered entity's legal duties under HIPAA. It is required by 45 CFR § 164.520.
The Notice of Privacy Practices (NPP) is one of the most visible compliance documents your clinic produces - and one of the most frequently neglected. Patients receive it, sign an acknowledgment, and rarely read it. Clinics post it on the waiting room wall and forget to update it for years. That combination - high visibility, low operational attention - is exactly the profile that surfaces in OCR investigations.
45 CFR § 164.520 defines the NPP requirement and specifies its content. Understanding what your NPP must say, when you must provide it, and what happens when it drifts out of compliance is essential knowledge for any practice administrator responsible for HIPAA.
What the Notice of Privacy Practices Is
Under 45 CFR § 164.520, every covered entity must provide individuals with a notice of its privacy practices. The NPP is a patient-facing document that explains:
- How the covered entity may use and disclose protected health information (PHI)
- The individual’s rights with respect to their PHI
- The covered entity’s duties to protect that PHI
- How to file a complaint if the patient believes their privacy rights have been violated
The NPP is not a formality. It is the mechanism by which HIPAA creates an informed patient. A patient who never received a proper NPP has not been told what their rights are - and that failure belongs to your clinic.
For a complete understanding of what qualifies as PHI that the NPP governs, see what is PHI.
What the NPP Must Contain
45 CFR § 164.520(b)(1) specifies the required content in precise detail. A compliant NPP must include:
Required Content Elements
Header. The NPP must include a header that reads: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
Description of uses and disclosures. The NPP must describe, with at least one example, the types of uses and disclosures the covered entity is permitted to make for treatment, payment, and healthcare operations (TPO). It must separately describe any other uses or disclosures the covered entity intends to make that require authorization, and any uses or disclosures for which the individual has an opportunity to agree or object.
Separate statements for certain uses. If the covered entity intends to contact patients for appointment reminders, fundraising, or to market services, the NPP must include separate statements explaining those uses.
Individual rights. The NPP must inform patients of their rights under the Privacy Rule, including:
- The right to request restrictions on uses and disclosures (45 CFR § 164.522)
- The right to receive confidential communications (45 CFR § 164.522(b))
- The right to inspect and copy their PHI (45 CFR § 164.524)
- The right to amend their PHI (45 CFR § 164.526)
- The right to receive an accounting of disclosures (45 CFR § 164.528)
- The right to receive a paper copy of the notice on request
Covered entity’s duties. The NPP must state that the covered entity is required to maintain the privacy of PHI, to provide the notice, and to abide by the terms of the current notice.
Complaint process. The NPP must tell patients how to complain to the covered entity’s Privacy Officer and to the HHS Office for Civil Rights, including the address and telephone number of the person designated to receive complaints.
Effective date. The NPP must include the effective date, which cannot be earlier than the date the notice is first in use.
When You Must Provide the NPP
45 CFR § 164.520(c) governs distribution timing:
Direct treatment providers must provide the NPP no later than the date of first service delivery. The patient should receive the NPP before or at the time of their first visit, not weeks later. When the first service is delivered electronically, the notice must be provided automatically and contemporaneously.
Your clinic must make a good-faith effort to obtain the patient’s written acknowledgment of receipt. If the patient refuses to sign or is unavailable, document the attempt. The acknowledgment requirement is separate from the obligation to provide the notice - a patient does not have to sign to receive care, but you must make the attempt and document it.
Posting requirements. A covered entity with a physical service delivery site must post the NPP in a clear and prominent location where patients can reasonably be expected to read it. Any clinic that maintains a website providing information about services must prominently post the NPP on that website.
What the NPP Must NOT Do
A common mistake in small clinic NPPs is using the document to promise restrictions the clinic does not actually maintain. The NPP cannot commit to practices that do not reflect reality. If your NPP states the clinic will never disclose records to law enforcement without a court order, that statement is now binding - and you may be required to honor a more stringent standard than HIPAA would otherwise require.
Review your NPP against your actual practices before publishing it. Overpromising in the NPP creates a separate violation when practice does not match the document.
The NPP Review Cycle
Your NPP must be revised whenever there is a material change to privacy practices, legal requirements, or individual rights that affects the notice content. A “material change” includes:
- Changes to how PHI is used or disclosed for TPO purposes
- Changes in the types of disclosures made for other purposes
- Changes in patient rights
- Changes in the covered entity’s legal duties
- Changes in the designated Privacy Officer or contact information
After a material change, your clinic must:
- Make the revised NPP available to anyone who requests it
- Post the revised NPP at any physical service location and on any website
- Make the revised NPP available to existing patients upon request
Re-distribution to all current patients is not required after a non-material update, but immediate availability is. For material changes, proactive redistribution is best practice.
Review cadence for small clinics. Even without material changes, review your NPP annually against:
- Changes to state privacy laws that may be more stringent than HIPAA (see HIPAA preemption)
- Any new vendors who have received PHI under a business associate agreement
- Any new services the clinic has added that involve new disclosure types
- OCR guidance or enforcement actions that interpret existing requirements differently
What Happens When the NPP Is Out of Date
An outdated NPP is not a technical paperwork violation - it is evidence that your clinic’s privacy program lacks active management. OCR investigators look for it specifically because it correlates with other deficiencies.
Concrete consequences for NPP failures include:
Investigation trigger. Patient complaints about undisclosed uses of PHI often begin with the patient noting they were never given a proper NPP. OCR accepts these complaints and investigates.
Corrective action plans. OCR has required covered entities to revise NPPs, retrain workforce members on NPP content, and implement monitoring procedures as part of resolution agreements.
Penalties. While OCR does not impose penalties for a first-time NPP deficiency in isolation, a pattern of NPP failures combined with other Privacy Rule violations contributes to higher penalty calculations. Civil penalties run on a four-tier structure under 45 CFR § 160.404, with per-violation statutory bases from $100 to $50,000 and identical-violation annual caps ranging from $25,000 (Tier 1) to $1,500,000 (Tier 4); HHS adjusts each amount annually for inflation under 45 CFR § 102.3. See HIPAA violations examples for case studies.
Loss of patient trust. For small clinics where the practice administrator knows patients personally, an NPP-related breach investigation damages community trust in ways that are hard to repair.
Practical Management for Small Clinics
Your 10-person clinic does not need a compliance department to maintain a compliant NPP. It needs a process:
- Designate the reviewer. Your HIPAA Privacy Officer is responsible for maintaining the NPP. In small clinics, this is often the practice administrator or office manager.
- Calendar the review. Set an annual date for NPP review regardless of whether there have been material changes. January works well - it aligns with the start of the year and any state law updates that took effect on January 1.
- Check for triggering events. Whenever your clinic adds a new service, signs a new business associate agreement, or receives guidance about a regulatory change, check whether the NPP needs updating.
- Document the review. Even when no changes are made, document that the review occurred, who conducted it, and what was considered. This documentation is valuable if OCR ever audits your practice.
- Keep acknowledgment records. Maintain the signed (or attempted) acknowledgment forms in a system that confirms a specific patient received the NPP on a specific date. Six-year retention applies.
PHIGuard’s HIPAA compliance platform helps small clinics track NPP version history, schedule reviews, and maintain acknowledgment records in one audit-ready location. Learn more at PHIGuard’s HIPAA compliance page.