HIPAA NPP Generator

Generate a HIPAA notice of privacy practices in minutes.

Enter your practice details, pick the statements that match how you operate, and get a ready-to-review notice of privacy practices built on the required content at 45 CFR 164.520. Copy it or download it, then have counsel review it. Free, private, and no email required.

45 CFR164.520 elements
0data leaves your browser
1 minto a draft notice

The generator

Build your notice of privacy practices

Fill in your organization and privacy contact, then toggle the optional statements. The notice updates live, and you can copy it or download it when it is ready.
1. Your organization

The notice must identify your organization and carry an effective date. The practice type tailors the treatment, payment, and operations examples so the notice reads like it was written for your setting.

2. Privacy contact

Every notice must name a contact for questions and complaints. This is usually your designated privacy official.

3. Optional statements

If your organization actually does these activities, the Privacy Rule requires the notice to say so. Include only the statements that match how you operate.

Posting the notice satisfies one requirement. The staff behind the front desk still have to honor every right it promises, which is a training problem before it is a paperwork problem.

The sections in this generator follow the required content of a notice of privacy practices at 45 CFR 164.520(b), including the verbatim header statement, the described uses and disclosures, individual rights, covered entity duties, and the complaint pathway. Nothing you enter is sent anywhere; the notice is assembled entirely in your browser. This template is educational, is not legal advice, and should be reviewed and adapted by qualified counsel before use.

What it does

Six things this NPP generator handles for you

The tool is built from the actual required content of a notice of privacy practices, so it produces a usable draft rather than a blank outline you still have to write.

Rule-mapped

Built on 45 CFR 164.520

Every section maps to the required content of a notice of privacy practices, from the verbatim header statement through uses and disclosures, patient rights, duties, and complaints.

Practice-aware

Examples written for your setting

Pick medical, dental, behavioral health, pharmacy, or therapy and the treatment, payment, and operations examples change to match how your practice actually works.

Conditional statements

Toggle reminders, fundraising, and HIE

Appointment reminders, fundraising with the required opt-out, and health information exchange participation are switches, so the notice only claims what you actually do.

Current law

Post-Omnibus content included

The psychotherapy notes, marketing, and sale-of-PHI authorization statement, the breach notification right, and the self-pay restriction right are all built in.

Copy or download

Take it into your own letterhead

Copy the full notice to your clipboard or download it as a text file, then drop it into your document template and have counsel review it before you post it.

Private by design

Nothing leaves your browser

The notice is assembled entirely on your device. No account, no email, and none of the names or contact details you enter are sent anywhere.

The full picture

The HIPAA notice of privacy practices, explained

What the notice is, who must provide it, the content the rule requires word for word, how it has to be delivered and posted, and the stale-notice mistake that shows up in audit after audit.

What the notice of privacy practices actually is

The notice of privacy practices is the document HIPAA requires covered entities to hand to patients that explains, in plain language, how their health information may be used and disclosed and what rights they hold over it. The requirement lives at 45 CFR 164.520, and it is unusually specific for a federal regulation. It does not just say that patients must be informed. It prescribes an exact header sentence, lists the statements the notice must contain, dictates when and how the notice must be delivered, and requires the organization to live by whatever the notice says. That last point is worth pausing on. The notice is not marketing copy. A covered entity is legally bound to abide by the terms of the notice currently in effect, so a notice that promises more than the practice actually does creates liability, and one that claims less than the rule requires is a violation on its face.

Patients rarely read the notice closely, and that has led some practices to treat it as a formality. Regulators do not. The notice is one of the first documents the Office for Civil Rights requests in an investigation or audit, because it takes about five minutes to check whether the required statements are present and current. A missing or outdated notice is among the easiest findings an investigator can make, and it colors the rest of the review: an organization that has not updated its most visible HIPAA document in a decade invites questions about everything else.

Who must provide one, and who must not bother

Every covered entity needs a notice: health care providers, health plans, and health care clearinghouses. For providers, the duty is triggered by a direct treatment relationship. A physician practice, dental office, pharmacy, therapy clinic, or behavioral health practice that treats patients directly must give each new patient the notice no later than the date of first service delivery, post it prominently in the office, and post it on its website if it has one. A provider that only treats patients under the direction of another provider, such as a reference laboratory, has lighter obligations. Health plans deliver the notice at enrollment, after material revisions, and must remind members at least once every three years that the notice is available on request.

Business associates are the notable exception. A billing company, IT vendor, or transcription service does not publish its own notice of privacy practices, no matter how much protected health information it touches. Its privacy obligations flow through the business associate agreement it signs with the covered entity. If you are a vendor being asked for an NPP, the request is usually a confusion between the two documents, and what the requester really needs is a signed BAA. The generator on this page produces the notice; our companion tool produces the agreement.

The content the rule requires, element by element

The notice must open with this exact statement, prominently displayed: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. The wording is not a suggestion. The rule says the notice must contain that sentence as its header or otherwise prominently displayed, which is why every compliant notice in the country opens the same way.

From there, the notice must describe how the organization may use and disclose protected health information for treatment, payment, and health care operations, with at least one example of each. The examples matter more than they look. A notice that recites the regulatory categories without illustration fails the plain-language requirement, and an example written for a hospital reads strangely on the wall of a dental office. That is why this generator tailors the examples to your practice type rather than shipping one generic paragraph. The notice must then describe each of the other purposes for which the organization is permitted or required to disclose information without authorization: public health reporting, abuse and neglect reporting, health oversight, judicial and administrative proceedings, law enforcement, decedents, organ donation, approved research, serious threats to health or safety, specialized government functions, and workers' compensation.

Three statements added by the 2013 Omnibus Rule trip up older notices. The notice must state that most uses and disclosures of psychotherapy notes, uses and disclosures for marketing, and disclosures that amount to a sale of protected health information will only occur with the patient's written authorization. It must state that patients will be notified following a breach of their unsecured information. And among the patient rights, it must include the right to restrict disclosures to a health plan when the patient pays for a service in full out of pocket, a restriction the practice must honor rather than merely consider. If your current notice is missing any of these, it predates 2013 and needs to be replaced, not edited around the margins.

The rights section rounds out the required content. Patients must be told they can inspect and copy their records, request amendments, receive an accounting of certain disclosures, request restrictions, request confidential communications, and obtain a paper copy of the notice on demand. The notice must describe the organization's legal duties, explain that it reserves the right to change its terms and how patients will learn of changes, tell patients how to complain both to the organization and to the Secretary of Health and Human Services with an assurance of no retaliation, name a contact person or office with a phone number, and carry an effective date. Certain activities require a statement only if you actually do them: contacting patients with appointment reminders or treatment alternatives, and fundraising, which since 2013 must also disclose the right to opt out of fundraising communications. Those are the toggles in the generator above.

Delivery, posting, and the acknowledgment signature

Writing the notice is half the obligation; distributing it correctly is the other half. A direct treatment provider must give the notice to every new patient no later than the first service delivery, which in an emergency means as soon as reasonably practicable afterward. The full notice must be posted in a clear and prominent location where patients can read it, and a practice with a website must post the current notice there. Copies must be available in the office for anyone who asks. If the first encounter is electronic, the notice is delivered electronically in response, and patients who agree to electronic delivery can receive it by email, though they always retain the right to a paper copy.

The acknowledgment is the piece practices most often get wrong in both directions. Providers must make a good faith effort to obtain the patient's written acknowledgment that the notice was received, and when they cannot, they document the effort and the reason. That is all. A patient who declines to sign can still be treated, and the refusal creates no violation as long as the attempt is documented. In the other direction, the acknowledgment is not a consent form and should not be drafted as one; the patient is confirming receipt, not agreeing to anything. Keep the signed acknowledgments, or the documentation of the attempts, for six years, the same retention period that applies to the notice itself and to your other HIPAA documentation.

When practices materially change their privacy practices, the notice must be revised first, because the organization may not implement a material change before the effective date of the notice that describes it. Providers then post the revised notice and make it available on request; they do not need to mail it to every past patient. Health plans have their own cadence, including distributing revised notices or information about the changes within 60 days of a material revision.

The stale-notice problem, and how practices get caught

The most common notice failure is not a missing notice. It is a notice frozen in time: drafted from a template when the practice opened, photocopied for years, and never checked against the current rule. OCR's audit program found exactly this pattern, with notices missing required content among the most frequent findings. The tell is usually the absence of the Omnibus statements described above, or an effective date from the early 2000s still printed at the bottom. Enforcement actions have also cited notice failures directly, including a settlement with a dental practice that, among other issues, could not produce a compliant notice of privacy practices during the investigation.

The fix costs almost nothing, which is what makes the finding so avoidable. Generate a current draft, have counsel confirm it reflects your state's additional requirements, update the effective date, swap the copies at the front desk and the PDF on the website, and brief the front office on the acknowledgment workflow. An hour of work closes a gap that would otherwise sit in plain view of every patient, competitor, and investigator who walks in or visits the site.

Notice, privacy policy, consent: three documents, three jobs

Practices often conflate the notice of privacy practices with two neighbors. A website privacy policy describes what data a site collects from visitors, cookies included, and is governed by consumer protection and state privacy law, not by 45 CFR 164.520. A patient can be covered by both documents at once, and neither substitutes for the other; a healthcare website generally needs its own privacy policy alongside the posted NPP. Consent and authorization forms are different again. Treatment, payment, and operations require no signed permission under HIPAA, which is precisely what the notice explains. Written authorization is reserved for the uses the rule fences off, such as most marketing, sale of information, and most disclosures of psychotherapy notes. The notice describes the boundary; the authorization form is how a patient crosses it for a specific purpose.

State law sits on top of all of this. Several states require additional disclosures, shorter response deadlines for record requests, or stronger protections for categories like mental health, substance use, HIV, and genetic information, and federal rules at 42 CFR Part 2 add another layer for substance use disorder records. Where state law is more protective of the patient, it wins. That is the main reason the draft this generator produces should pass through counsel: the federal skeleton is standard, but the state overlay is not.

The notice promises; your staff deliver

Every right the notice lists is a workflow someone at the front desk has to execute. The notice promises records access; the right of access is now one of the most enforced provisions in HIPAA, with dozens of settlements against practices that let requests sit. The notice promises restriction handling; honoring the self-pay restriction takes a billing process, not a paragraph. The notice promises breach notification; meeting it takes someone who recognizes a reportable incident and knows the clock is running. A perfect notice above an untrained team is a list of promises nobody is equipped to keep, and in an investigation the gap between the two is evidence, not mitigation.

That is the real order of operations: generate the notice here, have counsel adapt it, and then train the people who have to honor it. Our courses certify individuals in about an hour with dated, verifiable certificates, and team plans cover a whole practice with seat management and renewal tracking. Post the notice, and back it with a workforce that can deliver every line of it.

Keep going

Guides and tools that back up the notice

Once the notice is drafted, these pages help you understand the rule behind it, close the other documentation gaps, and train the people who have to honor it.

NPP FAQ

Common questions about the notice of privacy practices

Is this notice of privacy practices generator free?

Yes. The generator is completely free, runs entirely in your browser, and needs no account or email. Enter your organization details, toggle the statements that apply, and the notice is assembled instantly. You can copy it or download it as a text file. Nothing you type leaves your device.

What is a HIPAA notice of privacy practices?

The notice of privacy practices, often shortened to NPP, is the plain-language document that tells patients how a covered entity may use and disclose their protected health information, what rights they have over that information, and how to complain if they believe those rights were violated. The Privacy Rule requires it at 45 CFR 164.520 and spells out its content, wording, and distribution in detail. It is the most visible HIPAA document a practice produces, because every new patient receives it.

Who is required to have a notice of privacy practices?

Covered entities: health care providers with direct treatment relationships, health plans, and health care clearinghouses. A provider must give the notice no later than the first service delivery and make a good faith effort to obtain a written acknowledgment of receipt. Business associates do not publish their own NPP; their obligations run through the business associate agreement instead. If your organization bills health plans electronically or otherwise meets the covered entity definition, you need this notice.

What must the notice contain?

The rule prescribes the content. It must open with an exact header statement in capital letters, describe how you use and disclose information for treatment, payment, and health care operations with examples, list the other disclosures the law permits or requires, state that psychotherapy notes, marketing, and sale of information require written authorization, list each patient right including access, amendment, accounting, restrictions, confidential communications, a paper copy, and breach notification, describe your legal duties, explain how to file a complaint with you and with HHS, name a contact point, and carry an effective date. This generator includes every one of those elements.

Do patients have to sign the notice?

Not exactly. Patients sign an acknowledgment that they received the notice, not an agreement to its terms, and only direct treatment providers must ask. If a patient declines to sign, you may still treat them; you simply document the good faith effort you made and why the acknowledgment was not obtained. The one thing you cannot do is condition treatment on a signature. Keep each acknowledgment, or the documentation of the attempt, for six years.

How often does the notice need to be updated?

Whenever your privacy practices materially change, and the revised notice must be in place before you rely on the change. Beyond that, review it against current law. Notices written before the 2013 Omnibus Rule are missing required content, including the breach notification right, the self-pay restriction right, and the authorization statement for psychotherapy notes, marketing, and sale of information. A surprising number of practices still hand out those stale notices, which is an easy audit finding. Health plans also have periodic redistribution duties, including reminding members every three years that the notice is available.

A posted notice is the start, not the finish. Back it up with HIPAA certification or plan a team rollout for your whole practice.

Paper plus people

The notice makes promises. Training keeps them.

Every right your notice of privacy practices lists is a task your staff have to carry out: the records request, the restriction, the breach letter. Certify your team with an accredited course that produces dated, verifiable certificates, and give the notice on your wall a workforce that can deliver it.