HIPAA NPP Generator
Generate a HIPAA notice of privacy practices in minutes.
Enter your practice details, pick the statements that match how you operate, and get a ready-to-review notice of privacy practices built on the required content at 45 CFR 164.520. Copy it or download it, then have counsel review it. Free, private, and no email required.
The generator
Build your notice of privacy practices
Posting the notice satisfies one requirement. The staff behind the front desk still have to honor every right it promises, which is a training problem before it is a paperwork problem.
The sections in this generator follow the required content of a notice of privacy practices at 45 CFR 164.520(b), including the verbatim header statement, the described uses and disclosures, individual rights, covered entity duties, and the complaint pathway. Nothing you enter is sent anywhere; the notice is assembled entirely in your browser. This template is educational, is not legal advice, and should be reviewed and adapted by qualified counsel before use.
What it does
Six things this NPP generator handles for you
Rule-mapped
Built on 45 CFR 164.520
Every section maps to the required content of a notice of privacy practices, from the verbatim header statement through uses and disclosures, patient rights, duties, and complaints.
Practice-aware
Examples written for your setting
Pick medical, dental, behavioral health, pharmacy, or therapy and the treatment, payment, and operations examples change to match how your practice actually works.
Conditional statements
Toggle reminders, fundraising, and HIE
Appointment reminders, fundraising with the required opt-out, and health information exchange participation are switches, so the notice only claims what you actually do.
Current law
Post-Omnibus content included
The psychotherapy notes, marketing, and sale-of-PHI authorization statement, the breach notification right, and the self-pay restriction right are all built in.
Copy or download
Take it into your own letterhead
Copy the full notice to your clipboard or download it as a text file, then drop it into your document template and have counsel review it before you post it.
Private by design
Nothing leaves your browser
The notice is assembled entirely on your device. No account, no email, and none of the names or contact details you enter are sent anywhere.
The full picture
The HIPAA notice of privacy practices, explained
What the notice of privacy practices actually is
The notice of privacy practices is the document HIPAA requires covered entities to hand to patients that explains, in plain language, how their health information may be used and disclosed and what rights they hold over it. The requirement lives at 45 CFR 164.520, and it is unusually specific for a federal regulation. It does not just say that patients must be informed. It prescribes an exact header sentence, lists the statements the notice must contain, dictates when and how the notice must be delivered, and requires the organization to live by whatever the notice says. That last point is worth pausing on. The notice is not marketing copy. A covered entity is legally bound to abide by the terms of the notice currently in effect, so a notice that promises more than the practice actually does creates liability, and one that claims less than the rule requires is a violation on its face.
Patients rarely read the notice closely, and that has led some practices to treat it as a formality. Regulators do not. The notice is one of the first documents the Office for Civil Rights requests in an investigation or audit, because it takes about five minutes to check whether the required statements are present and current. A missing or outdated notice is among the easiest findings an investigator can make, and it colors the rest of the review: an organization that has not updated its most visible HIPAA document in a decade invites questions about everything else.
Who must provide one, and who must not bother
Every covered entity needs a notice: health care providers, health plans, and health care clearinghouses. For providers, the duty is triggered by a direct treatment relationship. A physician practice, dental office, pharmacy, therapy clinic, or behavioral health practice that treats patients directly must give each new patient the notice no later than the date of first service delivery, post it prominently in the office, and post it on its website if it has one. A provider that only treats patients under the direction of another provider, such as a reference laboratory, has lighter obligations. Health plans deliver the notice at enrollment, after material revisions, and must remind members at least once every three years that the notice is available on request.
Business associates are the notable exception. A billing company, IT vendor, or transcription service does not publish its own notice of privacy practices, no matter how much protected health information it touches. Its privacy obligations flow through the business associate agreement it signs with the covered entity. If you are a vendor being asked for an NPP, the request is usually a confusion between the two documents, and what the requester really needs is a signed BAA. The generator on this page produces the notice; our companion tool produces the agreement.
The content the rule requires, element by element
The notice must open with this exact statement, prominently displayed: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. The wording is not a suggestion. The rule says the notice must contain that sentence as its header or otherwise prominently displayed, which is why every compliant notice in the country opens the same way.
From there, the notice must describe how the organization may use and disclose protected health information for treatment, payment, and health care operations, with at least one example of each. The examples matter more than they look. A notice that recites the regulatory categories without illustration fails the plain-language requirement, and an example written for a hospital reads strangely on the wall of a dental office. That is why this generator tailors the examples to your practice type rather than shipping one generic paragraph. The notice must then describe each of the other purposes for which the organization is permitted or required to disclose information without authorization: public health reporting, abuse and neglect reporting, health oversight, judicial and administrative proceedings, law enforcement, decedents, organ donation, approved research, serious threats to health or safety, specialized government functions, and workers' compensation.
Three statements added by the 2013 Omnibus Rule trip up older notices. The notice must state that most uses and disclosures of psychotherapy notes, uses and disclosures for marketing, and disclosures that amount to a sale of protected health information will only occur with the patient's written authorization. It must state that patients will be notified following a breach of their unsecured information. And among the patient rights, it must include the right to restrict disclosures to a health plan when the patient pays for a service in full out of pocket, a restriction the practice must honor rather than merely consider. If your current notice is missing any of these, it predates 2013 and needs to be replaced, not edited around the margins.
The rights section rounds out the required content. Patients must be told they can inspect and copy their records, request amendments, receive an accounting of certain disclosures, request restrictions, request confidential communications, and obtain a paper copy of the notice on demand. The notice must describe the organization's legal duties, explain that it reserves the right to change its terms and how patients will learn of changes, tell patients how to complain both to the organization and to the Secretary of Health and Human Services with an assurance of no retaliation, name a contact person or office with a phone number, and carry an effective date. Certain activities require a statement only if you actually do them: contacting patients with appointment reminders or treatment alternatives, and fundraising, which since 2013 must also disclose the right to opt out of fundraising communications. Those are the toggles in the generator above.
Delivery, posting, and the acknowledgment signature
Writing the notice is half the obligation; distributing it correctly is the other half. A direct treatment provider must give the notice to every new patient no later than the first service delivery, which in an emergency means as soon as reasonably practicable afterward. The full notice must be posted in a clear and prominent location where patients can read it, and a practice with a website must post the current notice there. Copies must be available in the office for anyone who asks. If the first encounter is electronic, the notice is delivered electronically in response, and patients who agree to electronic delivery can receive it by email, though they always retain the right to a paper copy.
The acknowledgment is the piece practices most often get wrong in both directions. Providers must make a good faith effort to obtain the patient's written acknowledgment that the notice was received, and when they cannot, they document the effort and the reason. That is all. A patient who declines to sign can still be treated, and the refusal creates no violation as long as the attempt is documented. In the other direction, the acknowledgment is not a consent form and should not be drafted as one; the patient is confirming receipt, not agreeing to anything. Keep the signed acknowledgments, or the documentation of the attempts, for six years, the same retention period that applies to the notice itself and to your other HIPAA documentation.
When practices materially change their privacy practices, the notice must be revised first, because the organization may not implement a material change before the effective date of the notice that describes it. Providers then post the revised notice and make it available on request; they do not need to mail it to every past patient. Health plans have their own cadence, including distributing revised notices or information about the changes within 60 days of a material revision.
The stale-notice problem, and how practices get caught
The most common notice failure is not a missing notice. It is a notice frozen in time: drafted from a template when the practice opened, photocopied for years, and never checked against the current rule. OCR's audit program found exactly this pattern, with notices missing required content among the most frequent findings. The tell is usually the absence of the Omnibus statements described above, or an effective date from the early 2000s still printed at the bottom. Enforcement actions have also cited notice failures directly, including a settlement with a dental practice that, among other issues, could not produce a compliant notice of privacy practices during the investigation.
The fix costs almost nothing, which is what makes the finding so avoidable. Generate a current draft, have counsel confirm it reflects your state's additional requirements, update the effective date, swap the copies at the front desk and the PDF on the website, and brief the front office on the acknowledgment workflow. An hour of work closes a gap that would otherwise sit in plain view of every patient, competitor, and investigator who walks in or visits the site.
Notice, privacy policy, consent: three documents, three jobs
Practices often conflate the notice of privacy practices with two neighbors. A website privacy policy describes what data a site collects from visitors, cookies included, and is governed by consumer protection and state privacy law, not by 45 CFR 164.520. A patient can be covered by both documents at once, and neither substitutes for the other; a healthcare website generally needs its own privacy policy alongside the posted NPP. Consent and authorization forms are different again. Treatment, payment, and operations require no signed permission under HIPAA, which is precisely what the notice explains. Written authorization is reserved for the uses the rule fences off, such as most marketing, sale of information, and most disclosures of psychotherapy notes. The notice describes the boundary; the authorization form is how a patient crosses it for a specific purpose.
State law sits on top of all of this. Several states require additional disclosures, shorter response deadlines for record requests, or stronger protections for categories like mental health, substance use, HIV, and genetic information, and federal rules at 42 CFR Part 2 add another layer for substance use disorder records. Where state law is more protective of the patient, it wins. That is the main reason the draft this generator produces should pass through counsel: the federal skeleton is standard, but the state overlay is not.
The notice promises; your staff deliver
Every right the notice lists is a workflow someone at the front desk has to execute. The notice promises records access; the right of access is now one of the most enforced provisions in HIPAA, with dozens of settlements against practices that let requests sit. The notice promises restriction handling; honoring the self-pay restriction takes a billing process, not a paragraph. The notice promises breach notification; meeting it takes someone who recognizes a reportable incident and knows the clock is running. A perfect notice above an untrained team is a list of promises nobody is equipped to keep, and in an investigation the gap between the two is evidence, not mitigation.
That is the real order of operations: generate the notice here, have counsel adapt it, and then train the people who have to honor it. Our courses certify individuals in about an hour with dated, verifiable certificates, and team plans cover a whole practice with seat management and renewal tracking. Post the notice, and back it with a workforce that can deliver every line of it.
Keep going
Guides and tools that back up the notice
Blog
The HIPAA Privacy Rule explained
The rule your notice summarizes for patients. What the Privacy Rule covers, who must follow it, and how uses and disclosures actually work.
Read the guideBlog
The HIPAA right of access
The most enforced right your notice promises. Deadlines, fees, and the OCR enforcement initiative that has penalized slow record requests.
Read the guideFree tool
Free HIPAA BAA generator
The other document every practice needs. Generate a business associate agreement for the vendors that touch your patients' information.
Generate a BAAFree tool
Free HIPAA risk assessment tool
Score your Security Rule posture and get a prioritized gap list. The notice covers privacy on paper; the risk analysis covers it in practice.
Score your riskFree tool
HIPAA violation penalty calculator
See what a compliance failure can cost. Notice failures show up alongside access and training gaps in OCR settlements.
Estimate exposureFree tool
Free HIPAA practice test
Check whether your team can honor the rights the notice promises, with a scored practice exam and answer explanations.
Take the testFree tool
HIPAA breach notification deadline calculator
Your notice promises patients they will be told about a breach. This calculator turns a discovery date into the federal deadlines that follow.
Get your deadlinesNPP FAQ
Common questions about the notice of privacy practices
Is this notice of privacy practices generator free?
Yes. The generator is completely free, runs entirely in your browser, and needs no account or email. Enter your organization details, toggle the statements that apply, and the notice is assembled instantly. You can copy it or download it as a text file. Nothing you type leaves your device.
What is a HIPAA notice of privacy practices?
The notice of privacy practices, often shortened to NPP, is the plain-language document that tells patients how a covered entity may use and disclose their protected health information, what rights they have over that information, and how to complain if they believe those rights were violated. The Privacy Rule requires it at 45 CFR 164.520 and spells out its content, wording, and distribution in detail. It is the most visible HIPAA document a practice produces, because every new patient receives it.
Who is required to have a notice of privacy practices?
Covered entities: health care providers with direct treatment relationships, health plans, and health care clearinghouses. A provider must give the notice no later than the first service delivery and make a good faith effort to obtain a written acknowledgment of receipt. Business associates do not publish their own NPP; their obligations run through the business associate agreement instead. If your organization bills health plans electronically or otherwise meets the covered entity definition, you need this notice.
What must the notice contain?
The rule prescribes the content. It must open with an exact header statement in capital letters, describe how you use and disclose information for treatment, payment, and health care operations with examples, list the other disclosures the law permits or requires, state that psychotherapy notes, marketing, and sale of information require written authorization, list each patient right including access, amendment, accounting, restrictions, confidential communications, a paper copy, and breach notification, describe your legal duties, explain how to file a complaint with you and with HHS, name a contact point, and carry an effective date. This generator includes every one of those elements.
Do patients have to sign the notice?
Not exactly. Patients sign an acknowledgment that they received the notice, not an agreement to its terms, and only direct treatment providers must ask. If a patient declines to sign, you may still treat them; you simply document the good faith effort you made and why the acknowledgment was not obtained. The one thing you cannot do is condition treatment on a signature. Keep each acknowledgment, or the documentation of the attempt, for six years.
How often does the notice need to be updated?
Whenever your privacy practices materially change, and the revised notice must be in place before you rely on the change. Beyond that, review it against current law. Notices written before the 2013 Omnibus Rule are missing required content, including the breach notification right, the self-pay restriction right, and the authorization statement for psychotherapy notes, marketing, and sale of information. A surprising number of practices still hand out those stale notices, which is an easy audit finding. Health plans also have periodic redistribution duties, including reminding members every three years that the notice is available.
A posted notice is the start, not the finish. Back it up with HIPAA certification or plan a team rollout for your whole practice.
Paper plus people