Notice of privacy practices

Notices of Privacy Practices (NPPs) informs patients of how to use and disclose PHI, your legal duties to protect their PHI, their rights to their PHI, how they can exercise these rights, how to file complaints, a point of contact for more information and how to file complaints with your practice. Practices must provide NPPs to patients and obtain a written acknowledgment of receipt.

Sample NPPs can be found at:

Notice of privacy practices

When must you provide NPP?

  • At the beginning of the treatment relationship
    The NPPs must be provided by the date that a service is first provided. In an emergency situation, notice should be provided as soon as possible after the emergency treatment. After providing notice, you should make a good faith effort to obtain a written acknowledgment of receipt of the notice. If the receipt of acknowledgment cannot be obtained, you should document your efforts to obtain written acknowledgment and the reasons why you couldn't obtain it.    
  • At the office
    Your practice's treatment facilities should display the NPPs in a clear and prominent location where patients are able to read the notice. If requested, the NPPs should be made available for patients to take with them. Whenever the NPPs is revised, the new NPPs should be displayed and made available upon request by the effective date of the revisions. 
  • On practice's website
    If your practice maintains a web site that provides information about its services or benefits, then its NPPs must be prominently posted and made available through that web site. Practrices without a webpage do not need to post their NPPs online.  
  • Upon patient's request

Providing NPPs through email: The notice requirements described above can be satisfied through email if your patient agrees to electronic notice. When the first service is electronically delivered to the patient, you must provide electronic notice automatically and contemporaneously in response to the patient's first request for service. If you know that the email delivery has failed, a paper copy of the notice must be provided to the patient. At any point, a patient who has agreed to a electronic notice has the right to demand a paper copy of the notice or withdraw his/her electronic agreement.

Changing & Updating your NPP: You are not required to resend NPPs when changing your privacy policies (e.g., if your privacy officer contact information changes). However, before the changes in new privacy policies take effect, your updated NPPs must be:

  • Posted prominently in your office
  • Available upon request by the patient
  • Posted on your webpage (if you have a webpage)

Written Acknowledgment of Receipt: After initially providing your NPP to the patient, you should make reasonable attempts to obtain a receipt from the patient that acknowledges they received the NPP. The NPP should include a short form for patients to sign as a written acknowledgment that they received your NPP. If the receipt of acknowledgment cannot be obtained, document your efforts to obtain the acknowledgment and the reasons why it couldn't be obtained.

AOA Resources:

Sample NPP (DOC)

AOA Marketplace:

HHS Resources: