The Notice Most Covered Entities Haven't Updated
The Notice of Privacy Practices is one of the most visible patient-facing compliance documents a covered entity produces — and one of the most frequently outdated. Regulatory changes in 2024 triggered mandatory NPP revisions that carried a February 16, 2025 compliance deadline. As of mid-2026, a significant number of covered entities are still displaying notices that do not meet the current standard: they were last updated years ago, they do not reflect the reproductive health care privacy requirements, and they have never been reviewed for accuracy against actual practice operations.
An outdated NPP is not a technical violation in isolation — but it is the kind of gap that transforms a routine OCR inquiry into a broader investigation. More practically, an NPP that does not accurately describe how your organization uses and discloses PHI creates legal exposure every time a patient asserts a right based on something your notice says you do or do not do.
What Changed: The Reproductive Health Care Privacy Rule
On April 26, 2024, HHS finalized a rule modifying the HIPAA Privacy Rule to prohibit the use or disclosure of PHI for certain activities related to reproductive health care. The rule responded to the changed legal landscape following the Dobbs decision, which created a situation where PHI could theoretically be used by one state's authorities to investigate or prosecute conduct that was lawful in the state where it occurred.
The rule's practical requirements for covered entities include:
- A prohibition on using or disclosing PHI for the purpose of investigating or imposing liability on a person for seeking, obtaining, providing, or facilitating reproductive health care that was lawful in the state where it was provided.
- A prohibition on using or disclosing PHI to identify any person for the purpose of conducting such an investigation or imposing such liability.
- An attestation requirement for certain requests for PHI. Covered entities that receive requests for PHI related to reproductive health care — from law enforcement, health oversight agencies, or employers — must obtain a signed attestation that the requested PHI will not be used for a prohibited purpose before disclosing it.
The NPP compliance deadline for these changes was February 16, 2025. If your NPP has not been updated to reflect the new reproductive health care privacy protections, it is currently out of compliance.
What Your NPP Must Contain
Beyond the 2024 updates, a compliant NPP must cover the following categories. Many outdated notices omit or understate the requirements in several of these areas:
Uses and disclosures for which authorization is not required. The NPP must describe — or give examples of — how the covered entity may use and disclose PHI without patient authorization: treatment, payment, health care operations, and the various required and permitted disclosures (public health activities, law enforcement, judicial proceedings, etc.). The description must be accurate to actual practice.
Uses and disclosures for which the patient has an opportunity to agree or object. Facility directories, involvement of family members in care, disaster relief — these must be described with the actual process the organization uses.
Uses and disclosures requiring authorization. Marketing, sale of PHI, psychotherapy notes, and most uses outside treatment/payment/operations require prior written authorization. The NPP must say so and describe how patients can revoke authorizations.
Individual rights. The NPP must describe all six patient rights under the Privacy Rule: right to access, right to amend, right to an accounting of disclosures, right to request restrictions, right to request confidential communications, and right to file a complaint. Each must include a description of how to exercise the right.
The right to be notified of a breach. The NPP must state that patients will be notified if there is a breach of their unsecured PHI. This is a post-2013 requirement that is missing from many notices written before the HITECH-era updates.
Reproductive health care privacy protections. As of February 2025, the NPP must describe the new prohibition on using or disclosing PHI to investigate or impose liability for lawful reproductive health care. The specific language must be included — a vague reference to "applicable law" is insufficient.
Effective date. The NPP must include the date on which it first took effect and the date of the most recent revision. Both are required, and both allow patients and investigators to assess whether the version they are reading is current.
The Attestation Requirement: What It Means in Practice
The reproductive health care rule introduced an attestation requirement that changes the workflow for responding to certain PHI requests. Before disclosing PHI that is potentially related to reproductive health care in response to a request from a health oversight agency, law enforcement, an employer, or in connection with judicial or administrative proceedings, the covered entity must obtain a signed attestation confirming the PHI will not be used for a prohibited purpose.
HHS published a model attestation form. Covered entities are not required to use the model form, but using it provides a safe harbor. The attestation must be retained as part of the organization's Privacy Rule documentation.
In practice, this means that staff who handle PHI requests — front desk, health information management, compliance — need to know that the attestation requirement exists, know when it applies, and know how to obtain and retain the signed form before disclosing. Workflow training is as important as the NPP revision itself.
How and Where the NPP Must Be Provided
The distribution requirements for the NPP are frequently misunderstood, and the gaps tend to appear during OCR investigations:
Direct treatment providers (primary care, specialists, dentists, behavioral health, etc.) must provide the NPP no later than the date of first service delivery. In an emergency, the NPP must be provided as soon as practicable after the emergency. Patients must be asked to sign an acknowledgment of receipt — and the covered entity must document good-faith efforts to obtain the acknowledgment when patients decline.
Health plans must provide the NPP to enrollees at enrollment and within 60 days of a material revision. Annual redistribution is required unless the plan posts the NPP on its website and notifies enrollees of the website address annually.
Website posting. Covered entities that have a website must post the NPP prominently on the site. "Prominently" means it should be findable without navigating through multiple menus — a link in the footer is widely accepted as compliant, but burying it three levels deep is not. The posted NPP must be the current version.
On request. The NPP must be available in paper form on request at the point of service. An organization that can only produce an electronic copy when a patient asks for a physical one has a gap.
Common NPP Failures OCR Has Cited
OCR's enforcement record on NPP violations is instructive. The most frequently cited gaps in investigation correspondence and resolution agreements include:
- NPP does not describe all individual rights (most often missing: right to an accounting of disclosures, right to request restrictions, right to file a complaint with HHS)
- NPP does not include a breach notification statement
- NPP describes uses and disclosures that the organization does not actually perform, or omits uses the organization does perform
- NPP has not been updated since the HITECH Act (2013) or the Omnibus Rule (2013)
- NPP is not posted on the organization's website, or the posted version is outdated
- Acknowledgment of receipt is collected but never retained or is retained without a system for documenting failed attempts
- NPP does not include an effective date or revision date
- Post-February 2025: NPP does not include reproductive health care privacy protections
Reviewing and Updating Your NPP: A Practical Checklist
The review process does not need to be lengthy, but it does need to be documented. Here is the minimum viable review:
- Pull the current posted and distributed NPP. Check both the website version and the version given to patients at intake. If they are different, that is the first problem.
- Check the revision date. If it predates February 16, 2025, the NPP almost certainly needs updating for the reproductive health care requirements.
- Verify each required element. Run through the full list: all six individual rights, breach notification statement, uses and disclosures categories, effective date, revision date, complaint process, and the reproductive health care privacy language.
- Verify accuracy against actual practice. The NPP must describe what you actually do, not what the template says. If you participate in a health information exchange, say so. If you sell data analytics (under a patient authorization), say so. If you have stopped a practice the NPP describes, remove it.
- Update and re-date. Make required changes, update the revision date, and version the document.
- Post the updated version to the website. Replace the prior version.
- Update intake materials. Replace printed NPP packets, PDF downloads, and patient portal documents with the new version.
- Train staff on the attestation workflow. Anyone who handles incoming PHI requests needs to understand when the attestation requirement applies.
- Document the review. Date the review, name the reviewer, and note what was changed and why. Retain the prior version for six years.
The Bigger Compliance Picture
An accurate, current NPP is foundational to Privacy Rule compliance, but it does not stand alone. The NPP describes rights and practices that your policies, procedures, and workforce training must actually implement. A patient who reads a right in the NPP and cannot exercise it because no one on staff knows the process is a complaint waiting to happen.
The same review that surfaces NPP gaps usually surfaces gaps in authorization workflows, accounting of disclosure procedures, and access request handling. Treating the NPP review as the entry point to a broader Privacy Rule compliance check — rather than an isolated document update — returns more value for the same time investment.
How HIPAA Security Suite Supports Privacy Rule Compliance
HIPAA Security Suite's document management module stores and tracks your NPP alongside your other required HIPAA documentation, with review date tracking and audit history. The guided risk assessment covers Privacy Rule obligations including NPP requirements, patient rights workflows, and authorization procedures — so gaps surface in a structured format rather than during an OCR inquiry.
Schedule a walkthrough to see how the platform supports your full compliance program, or take our 3-minute readiness quiz to identify where your NPP and Privacy Rule compliance stand today.