News
Do I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateDo I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule Update
Beginnerfront deskpractice managerprovider

Notice of Privacy Practices: What Goes in It?

The handout patients receive explains how your organization uses health information. Here's what it is for.

TL;DR

The Notice tells patients their rights and your privacy practices. Post a summary in the office, give new patients a copy, and keep it current when practices change.

Updated 2026-04-21

The Notice of Privacy Practices (NPP) is not marketing material, it is a patient rights document. It explains how your organization may use and share health information and what choices patients have.

Where patients see it

  • Posted or available in the waiting area.
  • Offered to new patients (often with a signature line that they received it).
  • Updated when your uses of data materially change.

What staff should know

Front desk teams should be able to hand out the Notice and direct questions to the privacy officer. You do not need to memorize every paragraph, you need to know where the current version lives (paper + PDF).

If someone asks "why do I have to sign this?"

Explain simply: "It is how we show you the rules about your information. Signing means you got a copy, not that you gave up your rights." (Phrasing may vary, follow your script.)

Keep reading

Next in your reading path → What HIPAA training does our staff actually need?

Not legal advice. Educational overview only; consult qualified counsel for your situation.