NPP stands for Notice of Privacy Practices, a document that every HIPAA-covered healthcare provider, health plan, and healthcare clearinghouse must give you. It explains, in plain language, how that organization can use and share your health information, what rights you have over your medical records, and who to contact if you have questions or complaints. You’ve almost certainly received one: it’s the privacy document handed to you (often on a clipboard) during your first visit to a new doctor’s office.
What the NPP Tells You
The NPP is required to cover four core areas. First, it describes how the organization may use and disclose your protected health information, which includes everything from sharing records with a specialist who’s treating you to billing your insurance company. Second, it spells out your individual rights and how to exercise them. Third, it states the organization’s legal duty to protect the privacy of your health information. Fourth, it gives you a contact person or office for questions about privacy policies.
HIPAA requires the notice to be written in plain language, not legal jargon. In practice, some NPPs are clearer than others, but the intent is that an average patient should be able to read and understand it.
Your Rights Listed in the NPP
The NPP is where most people first encounter their HIPAA rights in writing. Here’s what the document must tell you that you can do:
- Get a copy of your medical record. You can request an electronic or paper copy. The provider generally has 30 days to deliver it and may charge a reasonable, cost-based fee.
- Correct your medical record. If something is wrong or incomplete, you can ask for a correction. The provider can say no, but must explain why in writing within 60 days.
- Request confidential communication. You can ask to be contacted only at a specific number or address (for example, your cell phone instead of your home phone). Providers must agree to all reasonable requests.
- Limit what gets shared. You can ask the provider not to share certain information for payment or operational purposes. They aren’t always required to agree, but there’s one situation where they must: if you pay out of pocket in full for a service, you can insist that information about it not be sent to your health insurer.
- Get a disclosure history. You can request a list of who your information was shared with, going back up to six years. This covers most disclosures except those made for treatment, payment, and routine healthcare operations. The first accounting each year is free; additional requests within 12 months may come with a fee.
- Get a paper copy of the NPP itself. Even if you agreed to receive it electronically, you can ask for a paper copy at any time.
- Designate someone to act for you. A legal representative, such as a parent of a minor child or someone with power of attorney, can exercise these rights on your behalf.
- File a complaint. If you believe your privacy rights were violated, you can complain to the organization directly or to the U.S. Department of Health and Human Services.
Who Has to Give You an NPP
Three types of organizations fall under HIPAA’s NPP requirement: healthcare providers (doctors, hospitals, clinics, pharmacies, dentists, therapists), health plans (insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid), and healthcare clearinghouses (companies that process health data between providers and insurers). If an organization handles your protected health information in any of these roles, it must maintain and distribute an NPP.
Healthcare providers with a direct treatment relationship are required to give you the notice at your first visit and make a good-faith effort to get your written acknowledgment that you received it. That acknowledgment is the signature line on the clipboard. If you refuse to sign, the provider doesn’t withhold care. They simply document that they tried and you declined.
When You Should Actually Read It
Most people sign the NPP acknowledgment without reading the document, and for routine care at a standard medical office, that’s understandable. But there are situations where the NPP matters more than usual. If you’re receiving mental health treatment, substance use disorder care, or reproductive healthcare, the NPP will tell you what extra protections apply to that information. If you’re dealing with a workplace injury or disability claim, the NPP outlines how your records might be shared with third parties. And if you ever want to restrict what your insurer knows, the NPP is where you’ll find the process for making that request.
Providers who maintain a website must also post their NPP online, so you can read it before your first appointment if you want to know what you’re agreeing to.
Recent Changes to NPP Requirements
In April 2024, HHS finalized a rule that would have required covered entities to update their NPPs with new language around reproductive healthcare privacy and substance use disorder records. The substance use disorder changes stem from the CARES Act of 2020, which aligned addiction treatment record protections more closely with standard HIPAA rules.
In June 2025, a federal court in Texas struck down the reproductive health privacy provisions of that rule. However, the court left the remaining NPP modifications intact, including changes related to substance use disorder records. Covered entities must comply with those surviving updates by February 16, 2026, so you may see revised NPPs from your providers and insurers around that time.
Because federal regulation limits HIPAA standards to one update per 12-month period, HHS bundled both sets of changes into a single rule. That’s why the reproductive health and substance use disorder provisions ended up linked together, even though the court treated them differently.