The Notice of Privacy Practices (often called the “notice of patient privacy”) is a document that every healthcare provider, health plan, and healthcare clearinghouse must give you explaining exactly how they can and cannot use your medical information. It’s required by the HIPAA Privacy Rule, and the provider is legally bound to follow whatever the current version says. You’ve almost certainly received one: it’s that multi-page document handed to you at your first appointment, often alongside other intake paperwork.
What the Notice Actually Does
The notice serves two practical purposes. First, it tells you the specific ways your health information may be shared without your permission. Second, it lays out your rights over your own medical records. The provider isn’t just giving you this document as a courtesy. They’re required by law to maintain the privacy of your health information, and the notice is their formal commitment to do so. Once they hand it to you, they must follow the terms described in it.
Every notice must display a prominent header statement along the lines of: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.” That language isn’t optional. It’s federally mandated.
How Your Information Can Be Used Without Your Permission
The notice describes three broad categories where your medical data can be shared without you signing an additional authorization: treatment, payment, and healthcare operations.
- Treatment covers the coordination of your care. If your primary care doctor refers you to a specialist, they can share your records with that specialist. If two providers need to consult about your case, they can exchange information to do so.
- Payment includes everything involved in getting your care paid for: determining your insurance eligibility, submitting claims, billing, collecting payment, and reviewing services for medical necessity. Your provider can share relevant information with your insurer so you don’t have to coordinate that yourself.
- Healthcare operations covers the behind-the-scenes activities that keep a practice running, like quality improvement, staff training, credentialing, performance evaluations, and certain insurance underwriting functions.
The notice also has to describe other situations where disclosure is permitted or required by law without your authorization. These can include public health reporting, law enforcement requests, and court orders. If any stricter state or federal law applies (for instance, extra protections for substance use disorder records), the notice must reflect those tighter restrictions instead of the standard HIPAA rules.
What Always Requires Your Written Permission
Certain uses of your health information are off-limits unless you specifically authorize them in writing. The notice must spell these out. They include using your data for marketing purposes, selling your information, and sharing most psychotherapy notes. If a provider wants to contact you for fundraising, the notice will mention that, but you always have the right to opt out of future fundraising communications.
The notice must also include a clear statement that any use not described in the document will only happen with your written authorization, and that you can revoke that authorization at any time.
Your Rights Over Your Medical Records
One of the most useful parts of the notice is the section listing your individual rights. These include the right to access and get copies of your medical records, request corrections to information you believe is wrong, ask for an accounting of who your information has been disclosed to and why, request restrictions on certain uses or disclosures, and ask that the provider communicate with you in a specific way (for example, calling your cell phone instead of your home number).
The notice also has to tell you how to file a complaint if you believe your privacy has been violated. You can file directly with the provider’s own privacy contact (whose name and information must appear in the notice) or with the U.S. Department of Health and Human Services. Complaints to HHS must be filed within 180 days of when you became aware of the violation, either through the online OCR Complaint Portal or by mailing a written complaint to HHS’s Office for Civil Rights in Washington, D.C.
When You Must Receive the Notice
Healthcare providers who treat you directly must give you the notice no later than your first appointment. They’re also required to make a good faith effort to get your written acknowledgment that you received it. This is why the front desk asks you to sign a form confirming you got the notice. If you refuse to sign, that’s your right. The provider simply has to document that they tried and note the reason you didn’t sign. Your care isn’t affected either way.
If your first interaction with a provider happens online or over email, they must send the notice electronically at the same time. In emergency situations, the provider can delay giving you the notice until the emergency is over, then provide it as soon as reasonably possible.
Providers must also keep copies of every version of their notice on file, along with any signed acknowledgments or documentation of attempts to get signatures. If the provider has a physical office, a current copy of the notice should be available for anyone who asks. Providers with websites that describe their services must post the notice there as well.
What Changes Are Coming
Providers are required to update their notices when privacy rules change. The most recent update cycle involves modifications to how substance use disorder records are handled, aligning those protections more closely with standard HIPAA rules following the CARES Act of 2020. Compliance with these updated notice requirements is due by February 16, 2026, so you may see revised notices from your providers before then.
A separate set of changes related to reproductive health care privacy was finalized in 2024 but largely vacated by a federal court in Texas in June 2025. The portions of the notice requirements tied specifically to reproductive health disclosures were struck down, though the remaining notice modifications from that same rulemaking are still in effect.
Why It’s Worth Reading
Most people sign the acknowledgment form without reading the notice, which is understandable given its length. But the notice is the single document that tells you what a specific provider will do with your information. It’s not a generic HIPAA summary. Each covered entity writes its own version, and they can differ. One practice might engage in fundraising outreach using patient contact information while another doesn’t. One health plan might share data with its corporate parent for certain operational purposes. The only way to know is to read the notice that specific organization gives you. If the organization changes its practices, it must update the notice and make the new version available.