How Your Notice of Privacy Practices Builds Lasting Trust
The Notice of Privacy Practices (NPP) sits in waiting rooms, lives on websites, and gets handed to patients at check-in. Many people glance at it. Rarely will a patient actually read it. And almost everyone assumes it’s just a legal HIPAA Privacy Rule formality, but it’s more than that.
Your NPP is the clearest, most direct communication your organization makes to patients about how you handle their most sensitive personal information. Done well, it builds trust. Done poorly or left outdated, it becomes a disadvantage for patient communication and compliance goals.
Why the Notice of Privacy Practices Exists
Before 1996, there were no federal rules governing the use, disclosure, or sharing of patients’ protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) changed that, establishing a national standard for privacy in healthcare.
The Privacy Rule concerns patients’ rights and how they’re informed about the uses and disclosures of their health information, which is exactly what the Notice of Privacy Practices addresses.
Originally, the HIPAA Privacy Rule proposed that every patient or subject individual would need to sign a consent form regarding their PHI. In that original iteration, if a patient did not sign the form, the provider would not treat the patient. Healthcare providers and the rest of the industry pushed back on this, as it would have been difficult to enforce and would also have resulted in the denial of patient care. Instead, the NPP was organized to require a covered entity to make a good-faith effort to obtain the patient’s acknowledgment of receipt of the notice.
With that formality established, the NPP was then arranged to give patients access to and an understanding of how their health information is used or disclosed to provide care, receive payment, or other operations of a healthcare provider, insurer or clearinghouse. It wasn’t until 2003, when the HIPAA Privacy Rule took effect, that covered entities were required to initially provide every patient with an NPP form and obtain acknowledgment of receipt.
A covered entity is only required to provide the NPP and obtain acknowledgment once, at the patient’s initial visit.
The NPP rests on a simple but important idea: patients deserve to know how their personal health information might be used or disclosed. The information outlined in the NPP explains how the covered entity handles patients’ rights, what it may do with their data, and how patients can raise questions or concerns.
The Living Document: Why Consistent NPP Updates Are Non-Negotiable
Here is a pattern that plays out in healthcare organizations everywhere: a major regulatory change arrives, the NPP is updated in a scramble, and then it is not updated or reviewed again until the next big change. That cycle creates risks and it sells your NPP short.
Your NPP should be treated as a living document: one that reflects not just legal requirements, but the actual, current reality of how your healthcare organization uses and protects patient information. That means reviewing it regularly and updating it meaningfully when something changes. A few principles to help build this habit around:
- Trigger-based reviews. Don’t wait for a compliance deadline. Build internal triggers into your processes: new vendor relationships, new technology deployments, new state laws, new service lines, and new data-sharing arrangements. Any of these should prompt a review of whether your NPP still accurately reflects how your organization handles PHI.
- Distribution matters as much as content. An updated NPP that patients never receive isn’t compliant. When changes are made, the updated NPP must be made available to patients upon request, prominently posted on the covered entity’s website, and, for covered entities with a physical site of service, prominently posted where a patient will see it.
- Train your team. Your NPP is a patient-facing document, but compliance lives with your workforce. When your NPP changes, the people who explain, distribute, and answer questions about it need to understand what’s different and why.
- Don’t copy/paste templates and call them done. Model NPP templates are designed to help you get started, but they should not act as your final version. Your NPPs should be customized to reflect how your organization handles patient rights and any other specifics, such as applicable state laws.
- Think of it as patient communication, not just compliance. An NPP that uses plain language, organizes information logically, and is genuinely transparent shows that you care about your patients’ experience. Even though NPPs are sometimes long, they can still be clear and easy to understand when written thoughtfully. Using friendly language and a straightforward structure helps patients feel confident about their privacy rights.

February 2026 42 CFR Part 2 Requires Updates to the NPP
If your healthcare organization creates, receives, maintains, or transmits substance use disorder (SUD) treatment records, here’s what you need to know: new rules are now in effect, enforceable, and actively being monitored.
In February 2024, HHS finalized revisions to the federal confidentiality rules governing SUD patient records under 42 CFR Part 2. The rule implements changes enacted through the CARES Act, aligning key aspects of Part 2 more closely with HIPAA while preserving Part 2’s historically heightened confidentiality protections.
As of February 16, 2026, the HHS Office for Civil Rights (OCR) began actively accepting complaints alleging violations of 42 CFR Part 2, with enforcement now operating under the HIPAA framework, which includes breach notification requirements and financial penalties.
What Does This Mean for Your NPP?
The short answer: your existing NPP needs to be updated to adequately reflect the Part 2 requirements, as it serves as patient consent for the uses and disclosures of SUD records for treatment. This requirement applies to any covered entity whose systems handle Part 2 records, even if the entity itself does not provide SUD treatment.
Here’s what catches many organizations off guard: receiving Part 2 records means inheriting Part 2 responsibilities. You don’t have to be a substance use disorder treatment program for Part 2 to apply to your NPP. If SUD records land in your system, whether received from another provider, a health plan, or a care coordination workflow, that data is part of your patient’s PHI, and the obligation to protect it travels with it.
The proliferation of health information exchange, both within EHR systems and through regional Health Information Exchanges, enables bidirectional sharing of PHI across systems. That means the likelihood of a covered entity receiving SUD information within a patient’s health record is higher, even if that covered entity does not specialize in SUD care.
Bringing your NPP in line with the latest Part 2 requirements is a natural extension of good HIPAA compliance. By aligning your policies with 42 CFR Part 2, you are not only protecting sensitive SUD records but also demonstrating a forward-thinking approach to patient privacy overall. This proactive step helps prevent future compliance issues and shows your commitment to both legal requirements and patient trust.
Psychotherapy Notes vs. SUD Records: Two Protections, Two Very Different Rules
Psychotherapy notes are not the same as SUD records. The distinction is worth getting right because the two get confused more often than they should.
Psychotherapy notes have been protected under special provisions since the original HIPAA Privacy Rule. Notes documented by a behavioral health counselor during a therapy session must be segregated from the rest of the medical record where possible and require explicit patient authorization before release. That protection is narrow but firm: it covers the session notes themselves, not everything else related to a patient’s behavioral health care. A patient’s medication list, diagnoses, treatment plan, and other clinical details related to their condition are governed by standard HIPAA rules, not the psychotherapy notes carve-out.
Substance use disorder records are an entirely separate category. The 42 CFR Part 2 framework was built specifically to protect records related to SUD diagnosis, treatment, and referral. It has historically provided stronger confidentiality protections than HIPAA does for general PHI. The February 2026 changes didn’t eliminate those heightened protections; they aligned Part 2’s structure more closely with HIPAA while retaining the stronger substantive safeguards.
In short, your NPP may need language addressing both, but they belong in distinct conversations, with distinct rules, and distinct patient rights attached to each.
- Scope of protection: Psychotherapy notes cover only the session documentation itself, consisting of the clinician’s recorded thoughts and observations from a counseling encounter. SUD records under 42 CFR Part 2 cast a wider net, protecting any information related to a patient’s substance use disorder diagnosis, treatment, or referral for treatment.
- Release requirements: Psychotherapy notes require explicit patient authorization before disclosure. SUD records under Part 2 have historically required consent for most uses and disclosures, including treatment, payment, and healthcare operations (TPO), though the 2026 updates now permit a single TPO consent aligned more closely with HIPAA’s framework.
- Who holds the obligation: Psychotherapy note protections apply to the covered entity that created them. Part 2 obligations follow the records, which means any covered entity that receives SUD records inherits the responsibility to protect them, regardless of whether that organization is itself an SUD treatment program.
The 42 CFR Part 2 Changes that are Now in Effect:
- Disclosure in Legal Proceedings. Your NPP must include a statement explaining how your organization will handle legal requests for SUD records, such as limiting their use in legal proceedings without patient consent or a court order. For a deeper analysis, see PrivaPlan’s article, Is Your Organization Ready for the HIPAA 42 CFR Part 2 Updates?
- Individual Rights Specific to SUD Records. Individuals must be informed about how their Part 2 records may be used and disclosed, their specific rights regarding these records, and the covered entity’s legal responsibilities. Read more in our recent blog post, OCR Enforcement of SUD Privacy Rules Begins February 16, 2026.
Ambient AI scribes: What Your NPP Should Say
Ambient AI scribes are one of the most transformative tools in healthcare documentation right now. Kaiser Permanente reported that AI scribes saved its physicians the equivalent of 1,794 working days in a single year. Physicians appreciate it because it gives them more time to interact with their patients. And patients often respond positively when they know about it.
That last part is the crux of the compliance issue.
Unlike traditional documentation software, ambient scribes passively record sessions, creating tension with existing privacy laws and consent frameworks. Recent lawsuits in California and Illinois allege that health systems used ambient scribing without obtaining patients’ informed consent, potentially violating state wiretapping statutes and confidentiality protections when audio is transmitted to third-party vendors for processing.
In one high-profile case, a proposed class action alleged that a health system used an AI Ambient Scribe documentation tool to record clinical encounters without patient consent, and that AI-generated EHR notes reportedly contained boilerplate language stating patients had been “advised” of and “consented” to the recording, when no such advisement had ever occurred.
Addressing Ambient AI Scribe use in your NPP can benefit your compliance goals and your patients’ understanding. Here is how we recommend approaching it:
- Name the Technology. Don’t bury it in vague language about “technology-assisted documentation.” State clearly that your organization uses AI ambient scribing technology to capture and document clinical encounters.
- Explain Who Has Access. Because an ambient AI scribe processes PHI on behalf of providers, the scribe vendor is a business associate and must sign and abide by a business associate agreement (BAA). Your NPP should reflect that a third-party vendor may process audio or transcripts as part of your documentation workflow.
- Describe Data Handling Practices. Patients have a right to understand whether recordings are retained, how long transcripts are stored, and whether data may be used for model training. Your NPP and your business associate agreements should clearly address this.
- Address State Law. Many states regulate the recording of private conversations, with some requiring consent from all parties. Since violations can result in penalties, providers should check state consent rules before recording and always follow the strictest standard when unsure.
- Offer a Path to Opt Out. If patients are not comfortable with AI recording, they should feel welcome to ask for a different way to document their patient visit. Letting patients know about this option and truly respecting their choice supports both compliance and a caring environment.
Ultimately, being open and transparent is what matters most. When patients know exactly how Ambient AI scribes are used in their health care and feel truly listened to, their trust in your commitment to respecting their rights grows even stronger.
The Bigger NPP Picture
Every update to your NPP is an opportunity to clarify and demonstrate how your organization supports patient rights in practice.
Healthcare organizations that stay ahead aren’t the ones who scramble before every deadline. They’re the ones who’ve built consistent, intentional compliance practices into daily operations. To do well, review your current NPP language, align it with organization or regulation changes, update your distribution practices, and retrain your workforce.
This post is intended for educational purposes and does not constitute legal advice. We recommend consulting with qualified healthcare legal counsel for guidance specific to your organization’s circumstances.