How do I write a notice of privacy practice

How Do I Write A Notice Of Privacy Practice? HIPAA 101

Hey there! Just a quick note from your partners at Done Desk — we’ve included information in this article that comes straight from www.hhs.gov. This is for educational purposes and all credit goes to the original authors. Although every effort has been made to ensure the accuracy of this information, Done Desk is not responsible for any errors and omissions, or anyone’s interpretations, applications, and changes of regulations described. This ain’t a substitute for review of the applicable regulations and standards, and should not be construed as legal advice, okay?


The HIPAA Privacy Rule is that pain in the rear that makes all medical practices post a notice of privacy practices for every patient under their care. The NPP should make patients aware of their rights to their health information, how they can exercise those rights, and your practice’s responsibility to keep their information private.

What is an NPP?


The Notice Of Privacy Practices (NPP) is a requirement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The NPP is a document that you as a HIPAA-covered provider must distribute to your patients.


“The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals’ rights with respect to their personal health information and the privacy practices of health plans and health care providers.”

— via www.hhs.gov 

What’s in the Notice?


  1. How the Privacy Rule allows providers to use and disclose protected health information. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason.
  2. The organization’s duties to protect health information privacy.
  3. Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated.
  4. How to contact the organization for more information and to make a complaint.


How Do I Create One?

Good question! First of all, your notice has to have at the top (or as a header) this statement:


“This Notice Describes How Medical Information About You May Be Used And Disclosed And How You Can Get Access To This Information. Please Review It Carefully.”


Then, you’ll need:

  1. A description of how PHI can be used for treatment, payment, and health care operations.
  2. A description of the types of PHI uses and disclosures requiring patient authorization.
  3. A description of the circumstances in which the covered entity may use or disclose PHI without written authorization. This is needed because a covered entity may use or disclose PHI without authorization for a number of purposes, including public health and health oversight activities and judicial proceedings.


After that, you should include the name, title, and phone number of a person or office to contact for further information or questions about the notice; the date on which the notice is first in effect; and a statement that the individual may revoke authorization.


The notice must also contain a statement of the patient’s rights with respect to PHI. 

These rights include:

  1. The right to request restrictions on certain uses and disclosures of PHI.
  2. The right to receive confidential communications of PHI, as permitted by law.
  3. The right to inspect and copy PHI.
  4. The right to amend PHI, as permitted by law.
  5. The right to receive an accounting of disclosures of PHI.
  6. The right of an individual to obtain a paper copy of the notice, upon request.
  7. The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated. 


The notice has to contain a brief description of how the individual could file a complaint if they need to, and a statement that the individual will not be retaliated against for filing a complaint. (Knock on wood this never has to happen!)


Finally, the notice must contain information regarding the covered entity’s duties with respect to PHI.


The required information includes:

  1. A statement that the covered entity is required by law to maintain the privacy of PHI.
  2. A statement that the covered entity must provide individuals with notice of its legal duties and privacy practices with respect to PHI.
  3. A statement that the covered entity must notify affected individuals following a breach of unsecured PHI.
  4. A statement that the covered entity must abide by the conditions of the notice currently in effect.


Good, that’s it! Now, give that nice little notice of privacy practice to your patients at their first appointment and/or when they ask for it directly. You should also post your notice on your website in an easy-to-find location where your patients are able to see it. We recommend sticking it in your footer and making sure that the link is always working right.


Need extra help with your HIPAA tasks in 2022? Done Desk breaks it down into bite-sized pieces and spreads out the work so you can focus on one thing at a time. See a Demo today or get a personalized coaching session with a Done Desk expert to go through your HIPAA Risk Assessment.


Don't want to Write A Notice Of Privacy Practice from scratch? Done Desk has this template — plus, much more for you to make your own